adware.look2me - HELP!!!!!

[mrichardson2]

Okay, I think I've tried to follow the suggestions I read. I booted to Safe Mode, ran Ad-Aware SE (updated today), SpyBot (also updated) and Ewido (updated) No matter what I do I cannot get rid of the "Adware.Look2Me"

I'm getting blasted with pop-ups and my computer is practically useless. Please help!

I usually use a Selective Startup but did a Normal Startup for this log.

Here's my log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:11 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\windows\mousepad7.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [w0912662.dll] RUNDLL32.EXE w0912662.dll,I2 00014d1300912662
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125239444359
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\g4402ehmgh4a2.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe

[tetonbob]

You have multiple infections on this system. Let's see if we can reduce the popups first.

Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
• Double-click to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
• When it re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt at the end of this fix.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.

1. Download and run - bfu.zip
2. Checkmark the following boxes:
   • Use settings specified in script for the above option
   • Show log after script ends
3. Click the Web button located on the top right corner
4. Copy/Paste this url into the address bar of the Download script window:

   http://metallica.geekstogo.com/alcanshorty.bfu

5. Execute the script by clicking the Execute button.
6. When it finishes running, click the Save button for a copy of the log
7. Post the log created by the script when you have completed the fix

Run a new HijackThis scan. Save the log file and post it here.

[mrichardson2]

Okay, feeling better already. Pop-ups seem better so far . . .

Here are the logs as requested:




Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/3/2006 10:57:04 PM

Infected! C:\WINDOWS\system32\p8n80i5ue8.dll
Infected! C:\WINDOWS\system32\dpskperf.dll
Infected! C:\WINDOWS\system32\f2l02c3mgf.dll
Infected! C:\WINDOWS\system32\gp04l3dq1.dll
Infected! C:\WINDOWS\system32\j6p0lg7m16.dll
Infected! C:\WINDOWS\system32\p8n80i5ue8.dll
Infected! C:\WINDOWS\system32\slgina.dll
Infected! C:\WINDOWS\system32\umrvpa.dll
Infected! C:\WINDOWS\system32\wb2_32.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\p8n80i5ue8.dll
C:\WINDOWS\system32\p8n80i5ue8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dpskperf.dll
C:\WINDOWS\system32\dpskperf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f2l02c3mgf.dll
C:\WINDOWS\system32\f2l02c3mgf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gp04l3dq1.dll
C:\WINDOWS\system32\gp04l3dq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j6p0lg7m16.dll
C:\WINDOWS\system32\j6p0lg7m16.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p8n80i5ue8.dll
C:\WINDOWS\system32\p8n80i5ue8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\slgina.dll
C:\WINDOWS\system32\slgina.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\umrvpa.dll
C:\WINDOWS\system32\umrvpa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wb2_32.dll
C:\WINDOWS\system32\wb2_32.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D2496A22-5B19-4300-93E7-DCB7ACDA1395}"
HKCR\Clsid\{D2496A22-5B19-4300-93E7-DCB7ACDA1395}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{347135EE-F7DF-49E6-BC66-BD51B06F8F75}"
HKCR\Clsid\{347135EE-F7DF-49E6-BC66-BD51B06F8F75}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{45326E62-8B84-4EBE-A624-71F244457C13}"
HKCR\Clsid\{45326E62-8B84-4EBE-A624-71F244457C13}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 11:02:40 PM, on 4/3/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable Command Service (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\Michael\LOCALS~1\Temp\~DF590F.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.





Logfile of HijackThis v1.99.1
Scan saved at 11:06:47 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [w0912662.dll] RUNDLL32.EXE w0912662.dll,I2 00014d1300912662
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125239444359
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe



Also wanted to mention that on every boot I get the following message:

Error loading w0912662.dll
The specified module could not be found


Not sure if it's related to what we are working on but just wanted to mention it since it started the same time my virus/look2me problem occurred. Virus was Spyware Quake 2.0. I think I got that removed okay from Nick's Computer Security instructions but all problems have started since this infection!

Thanks a ton for the help so far!!!!

[tetonbob]

Ok, now for round 2.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
Download the file attached to this post. - sffix.zip
Double click on the file within & follow the prompts given

Download Ewido Security Suite

• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

---------------------------------------------------------------------------------------------


Download and install CleanUp!
NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64. Download & run this tool to find out for sure.....

http://www.kellys-korner-xp.com/regs...p_whichcpu.exe


---------------------------------------------------------------------------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, Do Not at this time

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [w0912662.dll] RUNDLL32.EXE w0912662.dll,I2 00014d1300912662
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll



---------------------------------------------------------------------------------------------


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\WINDOWS\SYSTEM32\winowl32.dll
w0912662.dll<<<Find via Start<Search (it's likely gone, and your error message should be also after reboot)

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

Ewido
Kaspersky
HJT


How is your system behaving now, please?

[mrichardson2]

Okay, just want to confirm and ask a couple questions before I begin this procedure tonight after work:

1) Download sffix.zip, extract, run and follow instructions.

2) I already installed Ewido a couple days ago (14 day trial I think)

Quote:

When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Not sure how I did this. Should I uninstall and re-install???

Whatever you say on that, make sure Ewido is updated but do not run yet, right?

3) Download, install and run CleanUp! per your instructions, then reboot into Safe Mode.

BEGIN SAFE MODE

4) Run HJT, fix items listed in your reply (if found) Save log.

5) Close all windows, now run Ewido, clean items it finds and save the report.

6) I already have the following options (always have them like this):

Quote:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

7) Delete the following files: winowl32.dll and w0912662.dll. Look in System32 folder or do a search (delete if I find them) I'm still in Safe Mode, correct?

END SAFE MODE

8)

Quote:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

This will require a normal restart, correct?

Follow instructions you posted regarding Kaspersky Scanner. Save the report - it is what you are after.

9) Run a new HijackThis scan. Save the log file and post it.

10) Post log results from the following:

Ewido
Kaspersky
HJT (I will post both runs of this)


Does this look right? What do you want me to do regarding Ewido already being installed on my system?

Thanks!!!!!!!!!!!!!!

[tetonbob]

Hi mrichardson, sorry for any mixup.

Quote:

Originally Posted by mrichardson2

Okay, just want to confirm and ask a couple questions before I begin this procedure tonight after work:

1) Download sffix.zip, extract, run and follow instructions.

Yes

2) I already installed Ewido a couple days ago (14 day trial I think)

When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Not sure how I did this. Should I uninstall and re-install???

No, the Guard does not appear active.

Whatever you say on that, make sure Ewido is updated but do not run yet, right?

Yes

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

3) Download, install and run CleanUp! per your instructions, then reboot into Safe Mode.

Yes

BEGIN SAFE MODE

4) Run HJT, fix items listed in your reply (if found) Save log.

No Log saved here, run the scan and fix the items.

5) Close all windows, now run Ewido, clean items it finds and save the report.

6) I already have the following options (always have them like this):

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

All good

7) Delete the following files: winowl32.dll and w0912662.dll. Look in System32 folder or do a search (delete if I find them) I'm still in Safe Mode, correct?

Safe mode, correct. winowl32.dll would be in system32 if still present

w0912662.dll shows no location, so if it's still on the system, which I doubt due to the message you receive at startup, will have to looked for via start>search

END SAFE MODE

8) Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

This will require a normal restart, correct?

Correct....my bad, forgot to put that part in the fix. Sorry.

Follow instructions you posted regarding Kaspersky Scanner. Save the report - it is what you are after.

Yes

9) Run a new HijackThis scan. Save the log file and post it.

10) Post log results from the following:

Ewido
Kaspersky
HJT (I will post both runs of this) Only the last HJT log, saved after all the other work is complete is required

That's it, again, apologies for any confusion I may have caused. More chocolate and caffeine required.

Does this look right? What do you want me to do regarding Ewido already being installed on my system?

Thanks!!!!!!!!!!!!!!

Any other questions, please ask.

[mrichardson2]

Okay here are the results you requested. Also, I have questions regarding the online scan done with Kaspersky. If you could comment on the items it found under F:\Archive Disk 1\ These are old games I don't have installed that I've had for years. Are they ruined by some adware? Should I delete them instead of keeping them? Mahjong is really the only one I care about but if it will cause problems, forget it! Also, I hope I didn't cause problems, but I installed BitTorrent last night after I missed my favorite TV show (24) It didn't occur to me that it might cause a problem until later!! Hope I didn't make anything more difficult!!!

Here are the reports:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:26:21 PM, 4/4/2006
+ Report-Checksum: E9E03D3B

+ Scan result:

[272] C:\WINDOWS\system32\winowl32.dll -> Trojan.Agent.qt : Cleaned without backup
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned without backup
C:\WINDOWS\system32\AdServ.dll -> Trojan.Agent.qt : Cleaned without backup
C:\WINDOWS\system32\winowl32.dll -> Trojan.Agent.qt : Cleaned without backup


::Report End



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, April 04, 2006 9:38:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 5/04/2006
Kaspersky Anti-Virus database records: 186258
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
N:\

Scan Statistics:
Total number of scanned objects: 123752
Number of viruses found: 20
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 00:45:35

Infected Object Name / Virus Name / Last Action
C:\bintheredunthat\sk02.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\bintheredunthat\sk02.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Michael\My Documents\My Downloads\BitTorrent\BitTorrent-Stable.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Michael\My Documents\My Downloads\BitTorrent\BitTorrent-Stable.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Michael\My Documents\My Downloads\BitTorrent\BitTorrent-Stable.exe NSIS: infected - 2 skipped
C:\Program Files\BitTorrent\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\BitTorrent\uninstall.exe NSIS: infected - 2 skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/instGamehouse.exe Infected: not-a-virus:AdWare.Win32.Comet.ao skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/CSBand.dll Infected: not-a-virus:AdWare.Win32.Comet.x skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csbho.dll Infected: not-a-virus:AdWare.Win32.Comet.q skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/cscore.dll Infected: not-a-virus:AdWare.Win32.Comet.b skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csctx.dll Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/cseng.dll Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csietb.dll Infected: not-a-virus:AdWare.Win32.Comet.ai skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/skinui.dll Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/comet.exe Infected: not-a-virus:AdWare.Win32.Comet.c skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csbrange.dll Infected: not-a-virus:AdWare.Win32.Comet.q skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/fileutil.dll Infected: not-a-virus:AdWare.Win32.Comet.o skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csutil.dll Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csapputil.dll Infected: not-a-virus:AdWare.Win32.Comet.q skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csinst.dll Infected: not-a-virus:AdWare.Win32.Comet.h skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/comutil.dll Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/cstray.exe Infected: not-a-virus:AdWare.Win32.Comet.p skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csres.dat Infected: not-a-virus:AdWare.Win32.Comet.au skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN/csadzap.dll Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe/WISE0045.BIN Infected: not-a-virus:AdWare.Win32.Comet.v skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe WiseSFX: infected - 19 skipped
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe WiseSFX Dropper: infected - 19 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/regwebh.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/wbhshare.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/whiedc.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/whieshm.dll Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.WebHancer.16 skipped
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe WiseSFX: infected - 9 skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0033/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0033/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0033/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0033/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0033/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0033 Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0034 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0035/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0035/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe/data0035 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe NSIS: infected - 10 skipped

Scan process completed.






Logfile of HijackThis v1.99.1
Scan saved at 9:40:20 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125239444359
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe

Thanks for all the help so far!

PS - Computer is running much better. Not seeing pop-ups at all, also internet speed is good. Programs opening quick, just like before.

By the way, I noticed this:

O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)

in my last HJT log. I did run and fix those items earlier (you listed 7 and I checkmarked 7) and I did have that checked to be fixed. Also, you had me search for 2 files and delete them if I found them but I did not find them. (winowl32.dll was one, the other was w0912662.dll) My error message at Windows Startup about the missing .dll is gone now too.

Thanks!

[tetonbob]

Run a scan in HijackThis. Check the following and hit 'Fix checked' if they still exist (make sure not to miss any):

O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)

---------------------------------------------------------------------------------------------

Run another scan to see if it's really gone. Let me know if it seems to stick.


Yes, you should get rid of those programs and files in F. They appear to be infected with adware.


Delete the following if they exist:

C:\bintheredunthat\
F:\Archive Disk 1\Games\MahjongInstall-Starware.exe
F:\Archive Disk 1\Programs\MP3 Decoders\setupmp3towav.exe
F:\Archive Disk 1\Programs\NeoAudio 1.62\setupneoaudio.exe

If they resist deletion, boot to safe mode and delete from there.

---------------------------------------------------------------------------------------------

Once you've done this, and we're sure that O20 entry is gone, I'll post some final instructions, as you're in pretty good shape now.

[mrichardson2]

Okay, I cleaned out the O20 entry in HJT and delete the other files on the F: drive without problem. I also read your tutorial and downloaded (but have not yet installed) the following:

SpyWare Blaster
SpyWare Guard
RegSeeker
HOSTS
IE-SPYAD2 (I have multiple users)

When this is all done, please advise me on the following:

1. I have 4 users (me, wife, mother-in-law, and 5 year old son!) Will I have to install and manage each account seperately? (ie, run blaster/guard/HOSTS/IESPYAD2, etc) I assume I don't need to run HJT or virus scans from the other accounts, right?

2. I have a router with firewall but I do not run a software firewall like ZoneAlarm (Windows Firewall is on but doesn't block OUTBOUND traffic either right?) I used to use ZA but always seemed to have issues with it. I think I need to go back and use it because my router is nice (LinkSYS) but was about $40 online - definately not a high end router that probably stops OUTBOUND. What is your advice here?

3. This whole problem started when I downloaded a questionable file. AVG did not detect the virus (SpyWare Quake) when I started the download (it has caught things before) After it was downloaded BUT BEFORE I OPENED IT, I scanned it again - still nothing (AVG was updated minutes before downloaded file) I just don't see how it got through. Could I have done something different? Do some viruses just elude detection?

Thanks so much for all your help! I have been spreading the word on this site around my office and will be over to donate some money soon! This is so worth it, your service is amazing! I wish all things on the internet were this effective, efficient and helpful. This is truely a SERVICE! FANTASTIC!!!



Here's the latest HJT log just in case:

Logfile of HijackThis v1.99.1
Scan saved at 9:33:30 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125239444359
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe



3.

[tetonbob]

Quote:

Originally Posted by mrichardson2

Okay, I cleaned out the O20 entry in HJT and delete the other files on the F: drive without problem. I also read your tutorial and downloaded (but have not yet installed) the following:

SpyWare Blaster
SpyWare Guard
RegSeeker
HOSTS
IE-SPYAD2 (I have multiple users)

When this is all done, please advise me on the following:

1. I have 4 users (me, wife, mother-in-law, and 5 year old son!) Will I have to install and manage each account seperately? (ie, run blaster/guard/HOSTS/IESPYAD2, etc) I assume I don't need to run HJT or virus scans from the other accounts, right?

A wise thing to do would be to make sure the 5 year old's account is not an Admin account, in Control Panel, User Accounts. Make it a Limited account if it isn't already.

A HJT log from each account would be prudent, but the other scanners and tools are global, as long as they are installed from an Admin account. You may want to check that SpywareBlaster's protections are enabled on all accounts. IESPYAD2 is designed for multi-account systems, so you're covered there.

2. I have a router with firewall but I do not run a software firewall like ZoneAlarm (Windows Firewall is on but doesn't block OUTBOUND traffic either right?) I used to use ZA but always seemed to have issues with it. I think I need to go back and use it because my router is nice (LinkSYS) but was about $40 online - definately not a high end router that probably stops OUTBOUND. What is your advice here?

I use ZA Pro, and once I got used to it, can't think of a better one, but that's opinion. A hardware router is supposed to be as or more secure, placing a software firewall behind it even better. Again, opinions vary on that. Yes, Windows Firewall doesn't monitor Outbound traffic.

3. This whole problem started when I downloaded a questionable file. AVG did not detect the virus (SpyWare Quake) when I started the download (it has caught things before) After it was downloaded BUT BEFORE I OPENED IT, I scanned it again - still nothing (AVG was updated minutes before downloaded file) I just don't see how it got through. Could I have done something different? Do some viruses just elude detection?

Some malware makes it past AV programs because it's not exactly a virus. Too much to go into in this space. That's why a multi-layered approach such as what you're now implementing works much better. The best security is you, the user. Never download questionable files. If you have doubts, you can upload such files to a site such as www.jotti.org where it will be scanned by many engines, before executing such files.

Thanks so much for all your help! I have been spreading the word on this site around my office and will be over to donate some money soon! This is so worth it, your service is amazing! I wish all things on the internet were this effective, efficient and helpful. This is truely a SERVICE! FANTASTIC!!!



Here's the latest HJT log just in case:

Logfile of HijackThis v1.99.1
Scan saved at 9:33:30 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125239444359
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe



3.

Your log is clean. Some of the following info will be repetitive, but we have some housekeeping to do as well. I'm not expecting much in the other HJT logs, but go ahead and post them, and separate them by name, please.

Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• IE-SPYAD
  IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
  
  
• AVG
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[mrichardson2]

All set, Zone Alarm up and running, SpyWare Guard up and running. Added HOSTS and IE-SPYAD restricted web sites.

Everything running great. I did run and find some more adware with Spybot S&D so I just removed it.

Didn't understand the TeaTimer thing though. I looked around SpyBot S&D but couldn't find out how to turn it on (maybe it's already on??)

Anyway, situation back to normal - thanks for all the help.

-Mike

[tetonbob]

For TeaTimer, Open the program, Click on Mode>Advanced, tell it yes. Now go to Tools->Resident and click to open.

Tick the TeaTimer box. Also make sure the "SDHelper" box is ticked.

I'll leave this open till I know you've got it.

Let me know.

[mrichardson2]

Okay, found TeaTimer and SD Helper - both are checked and Resident is running in my task bar by the clock.

1 more question - everytime I run SpyBot S&D, it finds the same entries:

CoolWWWSearch
Smitfraud-C.

Are these a concern? Will running TeaTimer & SD Helper help to prevent them?

Thanks again for all your help - I feel much better and much more informed about protecting my PC(s)

[tetonbob]

Those are probably orphaned registry entries....but can you be more specific as to the registry location or any file names SpyBot is coming up with?

You've tried fixing them, and they return?

[mrichardson2]

Okay, got everything up and running. Ran S&D and cleaned out those two problems, restarted, played around awhile and rescanned. They did not come back.

Thanks for all your help!