Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Post #1, 04-19-2006, 12:18 PM (Registered User, OS: Win XP)
Explorer freezing, Computer extremely slow.

Thank you in advance to anyone who can help me with this. Explorer has been freezing or else taking a long time to load any page. As an example, when I was trying to download Spybot, I had to restart Explorer 3-4 times and it took forever to finally download. Additionally, just opening any file on the computer takes an extremely long time.

I followed all the guidelines in your "Please, Read This Before Posting A Hijackthis Log." Below is a copy of my HJT log.

Again, thank you in advance.


Logfile of HijackThis v1.99.1
Scan saved at 3:04:40 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINNT\YourMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - {D130684D-DE4E-5C60-17D9-2103C003A73E} - C:\WINNT\Ihcqtius.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSystemProtect] "C:\Program Files\Acceleration Software\StopSignProducts\SystemProtect\stopsignprotect.exe" /Startup
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [fyrdpq] C:\WINNT\system32\gscb\fyrdpq.exe
O4 - HKLM\..\Run: [hclna] C:\WINNT\system32\ouyngvxf\hclna.exe
O4 - HKLM\..\Run: [cbaa474e8f1e] C:\WINNT\system32\clbcatq8.exe
O4 - HKLM\..\Run: [sPbKAt] "C:\WINNT\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [nkyjih] c:\winnt\system32\nkyjih.exe -start
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINNT\YourMonitor
O4 - HKLM\..\Run: [voiiya] C:\WINNT\system32\nrfgwp.exe r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [ovtmkr] c:\winnt\system32\xtkpalh.exe r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [gdzcpku] C:\WINNT\System32\ibujtg.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [WeatherCast] "C:\PROGRA~1\WEATHE~1\Weather.exe" /q
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [prwinsta.exe] C:\WINNT\System32\prwinsta.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123364265156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145472866651
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4739/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINNT\system32\cisvc.exe (file missing)
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: fyrdpqgscb - Unknown owner - C:\WINNT\system32\gscb\fyrdpq.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
-- Radja40
Post #2, 04-20-2006, 08:38 AM (Registered User, OS: Win XP)
Bump

Bump.
-- Radja40
Post #3, 04-20-2006, 12:55 PM (greyknight17, Analyst, Security Team)
Did you run Ad-aware SE yet? If not, run it now...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you might get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on start update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ).

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: (no name) - {D130684D-DE4E-5C60-17D9-2103C003A73E} - C:\WINNT\Ihcqtius.dll (file missing)
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSystemProtect] "C:\Program Files\Acceleration Software\StopSignProducts\SystemProtect\stopsignprotect.exe" /Startup
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [fyrdpq] C:\WINNT\system32\gscb\fyrdpq.exe
O4 - HKLM\..\Run: [hclna] C:\WINNT\system32\ouyngvxf\hclna.exe
O4 - HKLM\..\Run: [cbaa474e8f1e] C:\WINNT\system32\clbcatq8.exe
O4 - HKLM\..\Run: [sPbKAt] "C:\WINNT\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [nkyjih] c:\winnt\system32\nkyjih.exe -start
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [YourMonitor] C:\WINNT\YourMonitor
O4 - HKLM\..\Run: [voiiya] C:\WINNT\system32\nrfgwp.exe r
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [ovtmkr] c:\winnt\system32\xtkpalh.exe r
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [gdzcpku] C:\WINNT\System32\ibujtg.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\PROGRA~1\WEATHE~1\Weather.exe" /q
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [prwinsta.exe] C:\WINNT\System32\prwinsta.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: fyrdpqgscb - Unknown owner - C:\WINNT\system32\gscb\fyrdpq.exe (file missing)


Uninstall these via the Add/Remove panel.

WinTools
Viewpoint
WhenU
Acceleration Software
ClockSync
AdStatus Service
System Soap Pro
WeatherCast
TagASaurus


Locate and delete the following:

C:\PROGRA~1\AUTOUP~1\
C:\PROGRA~1\COMMON~1\WinTools\
C:\PROGRA~1\Toolbar\
C:\PROGRA~1\WEATHE~1\
C:\Program Files\Acceleration Software\
C:\Program Files\AdStatus Service\
C:\Program Files\ClockSync\
C:\Program Files\Common Files\Dpi\
C:\Program Files\Common files\updmgr\
C:\Program Files\Media\
C:\Program Files\snss\
C:\Program Files\System Soap Pro\
C:\Program Files\TagASaurus\
C:\Program Files\Viewpoint\
C:\Program Files\WhenUSearch\
C:\WINNT\bxxs5.dll
C:\WINNT\system32\clbcatq8.exe
C:\WINNT\system32\cxtpls_loader.EXE
C:\WINNT\system32\gscb\
C:\WINNT\System32\ibujtg.exe
C:\WINNT\System32\IEDriver\
C:\WINNT\System32\msiefr40.dll
c:\winnt\system32\nkyjih.exe
C:\WINNT\system32\nrfgwp.exe
C:\WINNT\system32\ouyngvxf\
C:\WINNT\System32\prwinsta.exe
C:\WINNT\System32\vmss\
C:\WINNT\System32\wsxsvc\
c:\winnt\system32\xtkpalh.exe
C:\WINNT\ttupt.exe
C:\WINNT\uptodate.exe
C:\WINNT\YourMonitor


CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run Ewido now:
* Click on scanner and then Settings. Under 'What to scan' select 'Scan every file' and hit OK.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action with all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'. Save it to your desktop.

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

-- greyknight17
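The fix list above is checked by hand against the follow-up log the poster is asked to provide. As an added example (not part of this thread or of HijackThis itself), the script below parses the R/F/O entry lines of an HJT log and reports which fix-list entries still exist in a newer log and which entries disappeared or appeared between two logs; the embedded sample lines are constructed excerpts from the logs in this thread.

```python
"""Compare HijackThis logs against a 'Fix Checked' list.

Added example for this thread; it is not the HijackThis tool's own code.
It answers two questions a helper asks once a follow-up log is posted:
  1. which entries from the fix list still appear in the new log, and
  2. which entries were removed or added between the two logs.
"""
import re

# Constructed excerpt of the first log (post #1): a few of its entries.
FIRST_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [fyrdpq] C:\WINNT\system32\gscb\fyrdpq.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O23 - Service: fyrdpqgscb - Unknown owner - C:\WINNT\system32\gscb\fyrdpq.exe (file missing)
"""

# Constructed excerpt of the fix list (post #3).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {D130684D-DE4E-5C60-17D9-2103C003A73E} - C:\WINNT\Ihcqtius.dll (file missing)
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [fyrdpq] C:\WINNT\system32\gscb\fyrdpq.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O23 - Service: fyrdpqgscb - Unknown owner - C:\WINNT\system32\gscb\fyrdpq.exe (file missing)
"""

# Constructed excerpt of the follow-up log (post #4) after the fixes.
SECOND_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# An HJT entry line starts with its section code (R0, F2, O4, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


def normalize(body: str) -> str:
    """Case-fold and collapse whitespace so cosmetic differences do not
    defeat the comparison: Windows paths are case-insensitive and the
    log is pasted by hand. Spaces the forum inserts when it wraps very
    long tokens (e.g. 'stopsignpr otect.exe') are NOT repaired here;
    such a line simply fails to match and should be checked by eye."""
    return " ".join(body.split()).casefold()


def parse_entries(text: str) -> dict:
    """Map a normalized key -> the original line for every entry line.
    Header lines and the 'Running processes' paths are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[f"{m['section']} {normalize(m['body'])}"] = line.strip()
    return entries


def still_present(fix_list: str, new_log: str) -> list:
    """Fix-list entries that still appear in the follow-up log."""
    new = parse_entries(new_log)
    return [orig for key, orig in parse_entries(fix_list).items() if key in new]


def diff_logs(old_log: str, new_log: str) -> tuple:
    """Return (removed, added): entries present only in the old log and
    entries present only in the new log."""
    old, new = parse_entries(old_log), parse_entries(new_log)
    removed = [old[k] for k in old if k not in new]
    added = [new[k] for k in new if k not in old]
    return removed, added


if __name__ == "__main__":
    left = still_present(FIX_LIST, SECOND_LOG)
    print("fix-list entries still present:", len(left))
    for line in left:
        print("  ", line)
    removed, added = diff_logs(FIRST_LOG, SECOND_LOG)
    print("removed since first log:", len(removed))
    print("new since first log:", len(added))
    for line in added:
        print("  +", line)
```

On the sample excerpt every fix-list entry is gone from the follow-up log, and the only new entry is the Ewido service installed during the procedure, which is what the helper would expect to see.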
Post #4, 04-21-2006, 09:51 AM (Registered User, OS: Win XP)
Thank you for your help. The HJT log and Ewido log are posted below. I followed all your steps, but the computer, specifically Explorer, doesn't seem to be running any faster.
One question about the steps that you had me do. All of the items you said to uninstall in the Add/Remove panel were not there, and I couldn't find most of the files you said to delete. Is this normal or did I do something wrong?


Logfile of HijackThis v1.99.1
Scan saved at 12:40:58 PM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\Computer Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/game...ts/y/bt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123364265156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145472866651
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINNT\system32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:40:26 PM, 4/21/2006
+ Report-Checksum: BA74D5EB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{20374257-B13F-850D-AEF3-C0AD96C41034} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3D782BB3-F2A5-11D3-BF4C-000000000000} -> Adware.ActivShopper : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\HbTools -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\Installer -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\upgrades -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\blackjack -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\blackjackdll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\boardbabe -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\caribbeanpoker -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\client -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\coolbananas -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\flamingo -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\funkychicken -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\games -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\goannagold -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\goldeneagle -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\goldengopher -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\highlimitblackjack -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\hotroller -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\junglerumble -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\kangacash -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\kenodll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\kookakeno -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\letitride -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\magicmanslot -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\megaeuropeanroulette -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\metropolis -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\multiplayerblackjack -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\multiplayerblackjackdll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\nextgenvpdll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\piggypayback -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\pokerdll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\predatorslot -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\roulettedll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\safecrackerkeno -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\silvercity -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\slotsdll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\threecardpoker -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\tod -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\upgrader -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\vegasclub -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\videopokerdll -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\vpokerdw -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\vpokerjob -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\iGlobalMedia\starluckcasino\casino\version\vpokerjp -> Adware.AceClubCasino : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP212\A0053229.dll -> Adware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP212\A0053236.dll -> Adware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP212\A0053240.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP212\A0053241.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP212\A0053242.dll -> Adware.Relevance : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP214\A0053298.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINNT\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UFI18V87\!update-2264[1].0000 -> Downloader.PurityScan.y : Cleaned with backup
C:\WINNT\system32\Osaka.exe -> Adware.PurityScan : Cleaned with backup


::Report End
Radja40 is offline  
Old 04-21-2006, 08:18 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Hello Radja40,

You didn't do anything wrong.

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

We need the HijackThis scan done in Normal Mode. Please run another scan with HijackThis and post it here along with the results of the Panda scan.

I'd also like to see the following:

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and paste the list from Notepad here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-23-2006, 05:53 AM   #6 (permalink)
Registered User
 
Join Date: May 2005
Posts: 14
OS: Win XP


Below are the three logs that you requested. Thank you for your help.



Incident  Status  Location

Potentially unwanted tool:application/funweb  Not disinfected  C:\WINNT\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8.inf
Adware:adware/cws.searchmeup  Not disinfected  C:\WINNT\SYSTEM32\bose.ico
Spyware:spyware/whazit  Not disinfected  C:\WINNT\SYSTEM32\fiz1
Adware:adware/navipromo  Not disinfected  C:\WINNT\SYSTEM32\msegcompid.dll
Adware:adware/dealhelper  Not disinfected  C:\WINNT\dsearch1.bin
Adware:adware/gator  Not disinfected  C:\WINNT\GatorGainInstaller.log
Adware:adware/adurl  Not disinfected  C:\WINNT\icont.exe
Adware:adware/delfinmedia  Not disinfected  C:\keys.ini
Adware:adware/downloadware  Not disinfected  C:\PROGRAM FILES\DownloadWare(2)
Adware:adware/novo  Not disinfected  C:\WINNT\SYSTEM32\CdmFiles
Adware:adware/activshopper  Not disinfected  Windows Registry
Potentially unwanted tool:application/mywebsearch  Not disinfected  HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Potentially unwanted tool:application/errorguard  Not disinfected  HKEY_CLASSES_ROOT\CLSID\{205FF73B-CA67-11D5-99DD-444553540006}
Adware:adware/sahagent  Not disinfected  Windows Registry
Spyware:Cookie/24/7 Realmedia  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
Spyware:Cookie/2o7  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/YieldManager  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/Adrevolver  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/PointRoll  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Apmebf  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Bilbo.counted  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@bilbo.counted[1].txt
Spyware:Cookie/Bluestreak  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/bravenetA  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@bravenet[2].txt
Spyware:Cookie/Zedo  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@c5.zedo[1].txt
Spyware:Cookie/Casalemedia  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Doubleclick  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/Entrepreneur  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
Spyware:Cookie/FastClick  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
Spyware:Cookie/Hitbox  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Maxserving  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@maxserving[2].txt
Spyware:Cookie/Mediaplex  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
Spyware:Cookie/Overture  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/Overture  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/QkSrv  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
Spyware:Cookie/Statcounter  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Adserver  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt
Spyware:Cookie/Zedo  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Spyware:Cookie/24/7 Realmedia  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
Spyware:Cookie/2o7  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/YieldManager  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/Adrevolver  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/PointRoll  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Apmebf  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Bilbo.counted  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@bilbo.counted[1].txt
Spyware:Cookie/Bluestreak  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/bravenetA  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@bravenet[2].txt
Spyware:Cookie/Zedo  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@c5.zedo[1].txt
Spyware:Cookie/Casalemedia  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Doubleclick  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/Entrepreneur  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
Spyware:Cookie/FastClick  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
Spyware:Cookie/Hitbox  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Maxserving  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@maxserving[2].txt
Spyware:Cookie/Mediaplex  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
Spyware:Cookie/Overture  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/Overture  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/QkSrv  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
Spyware:Cookie/Statcounter  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Adserver  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt
Spyware:Cookie/Zedo  Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\3C3851CA-772D-44F9-97CE-FEE9F9
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\C3A4A85E-739C-458D-B453-6CCB65
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\F1ACF35A-6E36-484F-B17A-80637C
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\F3ACAB4B-A705-40BC-B568-9FD7E7
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\BBD769B0-84C1-4E52-A4D3-33D9AB
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\DB4F1A98-5CE9-4FAD-B284-90CFAB
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\E56D3DF2-8AAD-4495-BCB4-F73145
Adware:Adware/Exact.BargainBuddy  Not disinfected  C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\F6A95355-9143-4A67-900F-9F456A
Adware:Adware/ActivShopper  Not disinfected  C:\Program Files\TBONAS\TBONcomp.dll
Potentially unwanted tool:Application/FunWeb  Not disinfected  C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Spyware:Spyware/SafeSurf  Not disinfected  C:\WINNT\system32\InstallerV4.exe
Adware:Adware/PurityScan  Not disinfected  C:\WINNT\system32\??sembly\winspool.exe
Adware:Adware/PurityScan  Not disinfected  C:\WINNT\system32\??sembly\wuauboot.exe


Ad-Aware SE Personal
Adobe Acrobat 5.0
AltaVista FreeAccess
America Online (Choose which version to remove)
ArcSoft PhotoImpression
BroadJump Client Foundation
CardRd81
CCScore
CleanUp!
CR2
Do More 7.0
DVD
eAcceleration
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
EPSON User's Guide
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvcpt
ESSvpaht
ESSvpot
ewido anti-malware
Gateway Drivers and Applications Recovery
Gateway Ink Monitor
Gateway Rhapsody
Google Earth
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPSFO
IE Host R3
Intel(R) 537EP Data Fax Modem
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft AntiSpyware
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Learning and Research Plus Support Files
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Monitor 1.0
Mozilla Firefox (1.0.4)
MSN Internet Software
MSXP 1.0
MUSICMATCH® Jukebox
nkyjih
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Panda ActiveScan
PC-Doctor for Windows
PhotoShow Express 4
pressplay
PS/2 Millennium Keyboard
Quicken 2003 New User Edition
QuickTime
RealPlayer Basic
SBC Self Support Tool
SBC Yahoo! Applications
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SFR
SFR2
SHASTA
SKIN0001
SKINXSDK
Snood for Windows version 3.0-W
Spybot - Search & Destroy 1.4
Stop-Sign System Protect
SysSnap
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Visual IP InSight(SBC)
VPRINTOL
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WIRELESS
YourEnhance 1.0



Logfile of HijackThis v1.99.1
Scan saved at 2:20:08 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Computer Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/game...ts/y/bt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123364265156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145472866651
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINNT\system32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
Radja40 is offline  
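Radja40's second HijackThis log came through a mail client that wrapped every long entry onto two or three lines, which is the shape in which helpers on this board usually have to read it. As an added example (not code from the thread, from HijackThis or from TSF), here is a small Python triage helper that rejoins the wrapped entries and then flags the things a log reader looks at first: registrations whose file is missing, an unnamed BHO, a Run value that names a bare executable resolved through the search path, 8.3 short paths that need expanding before the path is judged, and the host each O16 ActiveX control was fetched from. The sample log is a handful of lines copied from the post above; the Entry class, the flag names and the functions are my own, and a flag is a reason to read the entry carefully, not a verdict.

```python
"""Triage helper for a HijackThis v1.99 log pasted into a forum post.

Added example for this thread; not code from HijackThis, from TSF or from
either poster. It assumes only the layout visible in the logs above: every
entry starts with a section tag (R0, F2, O2, O3, O4, O8, O9, O12, O16, O20,
O23, ...) followed by " - ", and a line without such a tag is the rest of an
entry that a mail client wrapped at about 72 columns.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SECTION = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
URL = re.compile(r"(?:https?|file)://\S+")
SHORT_NAME = re.compile(r"~\d")          # 8.3 names such as PROGRA~1

# Constructed sample: a few lines copied from the wrapped log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\Documents and Settings\Owner\Desktop\Computer
Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O9 - Extra 'Tools' menuitem: PartyPoker.com -
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file
missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner -
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
""".splitlines()


@dataclass
class Entry:
    section: str
    text: str
    flags: list = field(default_factory=list)


def unwrap(lines):
    """Rejoin entries that were wrapped onto several lines.

    Lines before the first tagged entry (header and running-process list)
    are dropped; any later untagged line is glued onto the entry above it.
    """
    entries = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if SECTION.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line.lstrip()
    return entries


def parse(lines):
    """One Entry per tagged log line, continuation lines already merged."""
    return [Entry(m.group(1), m.group(2))
            for m in map(SECTION.match, unwrap(lines))]


def run_target(text):
    """Executable launched by an O4 entry: '[Name] cmd' or 'X.lnk = path'."""
    if "] " in text:
        cmd = text.split("] ", 1)[1]
    elif " = " in text:
        cmd = text.split(" = ", 1)[1]
    else:
        return None
    if cmd.startswith('"'):                 # quoted path, may contain spaces
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else None


def triage(entry):
    """Attach review flags; several of these also fire on legitimate software."""
    t = entry.text
    if "(file missing)" in t:
        entry.flags.append("file-missing")      # registration outlived its file
    if entry.section == "O2" and "(no name)" in t:
        entry.flags.append("unnamed-bho")
    if entry.section == "O4":
        exe = run_target(t)
        # A bare file name is resolved through the search path at logon,
        # so the log alone does not say which file actually runs.
        if exe and "\\" not in exe and not exe.startswith("%"):
            entry.flags.append("bare-command")
    if SHORT_NAME.search(t):
        entry.flags.append("short-path")        # expand before judging the path
    if entry.section == "O16":
        m = URL.search(t)
        if m and m.group(0).startswith("file://"):
            entry.flags.append("activex-local-file")
        elif m:
            entry.flags.append(f"activex-from:{urlsplit(m.group(0)).hostname}")
    return entry


def flagged(lines):
    """Entries worth a second look, in log order."""
    return [e for e in map(triage, parse(lines)) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<45} {e.text}")
```

Run it on a saved log with `flagged(open("hijackthis.log").read().splitlines())`; the unwrap step is a no-op on a log that was never wrapped, so the same code reads both the clean first log and the mail-wrapped second one.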
Old 04-23-2006, 08:48 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Hello Radja40,


Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions.


Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

---------------------------

Reboot into Safe Mode. (tapping F8 or F5)

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

eAcceleration
nkyjih
Stop-Sign System Protect
YourEnhance 1.0


---------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following bolded text into Notepad:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}]

[-HKEY_CLASSES_ROOT\CLSID\{205FF73B-CA67-11D5-99DD-444553540006}]



Save the file as "delete.reg" . **Make sure to save it with the quotes. Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------

Click Start>Run and copy/paste regsvr32 /u occache.dll and click OK.

Delete the following Files and Folders:

C:\WINNT\DOWNLOADED PROGRAM FILES\ f3initialsetup1.0.0.8.inf
C:\WINNT\SYSTEM32\ bose.ico
C:\WINNT\SYSTEM32\ msegcompid.dll
C:\WINNT\ dsearch1.bin
C:\WINNT\ GatorGainInstaller.log
C:\WINNT\ icont.exe
C:\ keys.ini
C:\WINNT\system32\ InstallerV4.exe
C:\WINNT\system32\ ??sembly\winspool.exe <--The ?? can be any character. Look for winspool.exe and delete the folder you find it in.
C:\Program Files\ TBONAS
C:\Program Files\ eacceleration
C:\Program Files\ nkyjih
C:\Program Files\ Stop-Sign System Protect
C:\Program Files\ YourEnhance 1.0
C:\PROGRAM FILES\ DownloadWare(2)
C:\WINNT\SYSTEM32\ CdmFiles
C:\WINNT\SYSTEM32\ fiz1

Click Start>Run and copy/paste regsvr32 occache.dll and click OK.

---------------------------

Run CleanUp again. Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

---------------------------

Run Ewido again with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

---------------------------

Reboot into Normal Mode

---------------------------

Run another scan at Panda and post the results here along with the Ewido results and a new HijackThis log from Normal Mode.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-24-2006, 11:53 AM   #8 (permalink)
Radja40
Registered User
Join Date: May 2005
Posts: 14
OS: Win XP

Thanks again for your help. The logs are posted below. I had two issues with the steps that you gave me.
1. I could not find the file C:\keys.ini
2. I removed the YourEnhance 1.0 file from the add/remove panel, but it is still on my computer after I rebooted.

Please let me know what else needs to be done.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 2:48:10 PM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Computer Tools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/game...ts/y/bt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123364265156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145472866651
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINNT\system32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE

Incident Status Location

Spyware:spyware/whazit Not disinfected c:\winnt\system32\fiz1
Adware:adware/delfinmedia Not disinfected c:\keys.ini
Potentially unwanted tool:application/funweb Not disinfected hkey_current_user\software\Fun Web Products
Adware:adware/navipromo Not disinfected Windows Registry
Spyware:spyware/safesurf Not disinfected Windows Registry
Adware:adware/novo Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/sahagent Not disinfected Windows Registry
Adware:adware/activshopper Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Virus:Trj/Downloader.OE Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Virus:Trj/Downloader.OE Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Virus:Trj/Downloader.OE Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Virus:Trj/Downloader.OE Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:28:13 PM, 4/24/2006
+ Report-Checksum: 65EE7A84

+ Scan result:

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP214\A0053391.exe -> Adware.PurityScan : Cleaned with backup


::Report End
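Most of the sixty-odd Panda hits in the post above are one eAcceleration bundle (all_files4.exe._eac_qt_) reported once per member and once per copy, plus tracking cookies and files already sitting in another tool's quarantine. The script below is an added example, not something posted in this thread: it parses Panda's "Incident Status Location" report format and sorts every hit by where it lives, so the few that are actually live on disk or in the registry stand out from the ones that only need a container deleted, a quarantine emptied or cookies cleared. The column layout, the bucket names and the recommended actions are my assumptions; the sample lines are constructed from the report above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in Panda ActiveScan's "Incident Status Location" report
# format, with lines modelled on the report posted above (not the full report).
SAMPLE_REPORT = """\
Incident Status Location

Spyware:spyware/whazit Not disinfected c:\\winnt\\system32\\fiz1
Adware:adware/navipromo Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\\clsid\\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Virus:Trj/Downloader.OE Not disinfected C:\\Documents and Settings\\Administrator\\My Documents\\Data\\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\\Documents and Settings\\Administrator\\My Documents\\Data\\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Spyware:Cookie/Doubleclick Not disinfected C:\\Documents and Settings\\Owner\\Cookies\\owner@doubleclick[1].txt
Adware:Adware/Exact.BargainBuddy Not disinfected C:\\Program Files\\Microsoft AntiSpyware\\Quarantine\\98E664D6-2DC4-4764-B249-75A54A\\3C3851CA-772D-44F9-97CE-FEE9F9
Possible Virus. Not disinfected C:\\Program Files\\SBC Self Support Tool\\bin\\closeAll.exe
Adware:Adware/PurityScan Not disinfected C:\\RECYCLER\\S-1-5-21-562289069-514256677-1988686415-1003\\Dc4\\all_files4.exe._eac_qt_[install_tag002.exe]
"""

# "<kind> <status> <location>"; the kind may itself contain spaces.
LINE_RE = re.compile(r"^(?P<kind>.+?) (?P<status>(?:Not )?[Dd]isinfected) (?P<location>.+)$")
# Panda writes members found inside a container as container[member][member].
ARCHIVE_MEMBER_RE = re.compile(r"\[[^\[\]]+\]$")

# Assumed handling per bucket (my triage rules, not Panda's advice).
ACTION = {
    "registry": "delete the key (export a backup first)",
    "live-file": "delete it; this is an active payload on disk",
    "heuristic": "verify before deleting: vendor binary flagged by heuristics, hash and submit it",
    "archive-member": "delete the container file, not the member",
    "quarantine": "already isolated by another tool; empty that tool's quarantine",
    "recycle-bin": "empty the Recycle Bin",
    "restore-point": "flush System Restore once the system is clean",
    "cookie": "tracking cookie; clear the browser's cookies",
}


@dataclass
class Hit:
    kind: str
    status: str
    location: str
    bucket: str


def classify(kind: str, location: str) -> str:
    """Bucket a hit by where it lives; location wins over the detection name."""
    loc = location.lower()
    if loc == "windows registry" or loc.startswith("hkey_"):
        return "registry"
    if kind.lower().startswith("spyware:cookie") or "\\cookies\\" in loc:
        return "cookie"
    if "\\quarantine\\" in loc:
        return "quarantine"
    if loc.startswith("c:\\recycler\\"):
        return "recycle-bin"
    if "\\system volume information\\" in loc:
        return "restore-point"
    if ARCHIVE_MEMBER_RE.search(location):
        return "archive-member"
    if kind.lower().startswith("possible virus"):
        return "heuristic"
    return "live-file"


def parse_panda(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # column header or blank line
        kind, status, location = m.group("kind", "status", "location")
        hits.append(Hit(kind, status, location, classify(kind, location)))
    return hits


def bucket_counts(hits: List[Hit]) -> Dict[str, int]:
    return dict(Counter(h.bucket for h in hits))


def containers(hits: List[Hit]) -> List[str]:
    """What to delete for archive-member hits: the container, not each member."""
    return sorted({h.location.split("[", 1)[0] for h in hits if h.bucket == "archive-member"})


def plan(hits: List[Hit]) -> List[str]:
    """One step per distinct target; archive members collapse to their container."""
    steps, seen = [], set()
    for h in hits:
        target = h.location.split("[", 1)[0] if h.bucket == "archive-member" else h.location
        if (h.bucket, target) in seen:
            continue
        seen.add((h.bucket, target))
        steps.append(f"{h.bucket}: {target} -> {ACTION[h.bucket]}")
    return steps


if __name__ == "__main__":
    for step in plan(parse_panda(SAMPLE_REPORT)):
        print(step)
```

On the sample the nine report lines shrink to eight steps, and only three of them (two registry keys and c:\winnt\system32\fiz1) are live; the "Possible Virus." heuristic on the ISP's support tool is kept separate so it is checked rather than deleted on reflex.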
Old 04-24-2006, 08:06 PM   #9 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista

Hi Radja,

Please copy these instructions to Notepad and save it to your desktop for reference.

-----------------------------

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK

-----------------------------

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

-----------------------------

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

-----------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------

Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

-----------------------------

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

-----------------------------

Delete the following files and folders if they still exist:

c:\winnt\system32\fiz1
c:\keys.ini
C:\Documents and Settings\Administrator\My Documents\Data
C:\Documents and Settings\Default User\My Documents\Data

-----------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following bolded text into Notepad:

REGEDIT4

[-hkey_current_user\software\Fun Web Products]

[-hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]


Save the file as "delete.reg" . **Make sure to save it with the quotes. Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-----------------------------

Reboot into Normal Mode.

-----------------------------

Run another online scan at Panda and post the results here along with the entire contents of the log.txt file in the aproposfix folder.

How is your system behaving now?
Old 04-25-2006, 01:14 PM   #10 (permalink)
Radja40
Registered User
Join Date: May 2005
Posts: 14
OS: Win XP

Thanks for your help. The computer seems to be running a lot better, although my mom told me that it crashed on her twice. Below are the two things you asked for.


Incident Status Location

Adware:adware/navipromo Not disinfected Windows Registry
Spyware:spyware/safesurf Not disinfected Windows Registry
Adware:adware/novo Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:adware/sahagent Not disinfected Windows Registry
Adware:adware/activshopper Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bilbo.counted[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Cookies\owner@clickbank[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fortunecity[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Owner\Cookies\owner@linksynergy[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Cookies\owner@maxserving[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Owner\Cookies\owner@targetnet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\3C3851CA-772D-44F9-97CE-FEE9F9
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\C3A4A85E-739C-458D-B453-6CCB65
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\F1ACF35A-6E36-484F-B17A-80637C
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\98E664D6-2DC4-4764-B249-75A54A\F3ACAB4B-A705-40BC-B568-9FD7E7
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\BBD769B0-84C1-4E52-A4D3-33D9AB
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\DB4F1A98-5CE9-4FAD-B284-90CFAB
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\E56D3DF2-8AAD-4495-BCB4-F73145
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8213A4-35BC-472F-A1CB-E621BD\F6A95355-9143-4A67-900F-9F456A
Possible Virus. Not disinfected C:\Program Files\SBC Self Support Tool\bin\closeAll.exe
Possible Virus. Not disinfected C:\Program Files\Yahoo!\browser\ybcBrowser.dll
Virus:Trj/Downloader.OE Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Virus:Trj/Downloader.OE Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc4\Data\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Virus:Trj/Downloader.OE Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Virus:Trj/Downloader.OE Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[setup233.exe][td.exe]
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[install_tag002.exe]
Adware:Adware/BrowserAid Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[apropos_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-562289069-514256677-1988686415-1003\Dc5\Data\all_files4.exe._eac_qt_[wmedia_bbi8015.exe]
Possible Virus. Not disinfected C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE2BAVW3\ctxad-313[1].0000[NDrv.dll]


Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\Computer Tools\aproposfix

************



Registry entries found:

[HKEY_LOCAL_MACHINE\Software\LzPg4AzFJjFD8REXUn]

[HKEY_LOCAL_MACHINE\Software\LzPg4AzFJjFD8REXUn\CtxPlus]
"TotalAttempts"=dword:00000001
"URL"="http://dl6.contextplus.net/storage/cpi/2.0.20/CP.AOP2/<<try>>/CPI.2-0-81.20050918085722.2F863C54"
"FileName"="C:\\WINNT\\TEMP\\auf0.exe"
"DownloadAttempts"=dword:00000001
"Content-Length"=dword:0019b05b

[HKEY_LOCAL_MACHINE\Software\LzPg4AzFJjFD8REXUn\TH]
@=""


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\LzPg4AzFJjFD8REXUn]
[-HKEY_LOCAL_MACHINE\Software\LzPg4AzFJjFD8REXUn]

Done!

Finished!
Old 04-25-2006, 08:08 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista

Hi Radja40,

The logs are clean, just some tidying up to do.

Download Ccleaner. Install it, but do not run it yet.

---------------------------------

Reboot into Safe Mode.

---------------------------------

Please disable Microsoft AntiSpyware if it is running, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

---------------------------------

Click START > RUN and type in regedit. Make sure just "My Computer" is showing in the left pane, then click FILE > EXPORT and save a copy somewhere in case you make a mistake. Now navigate to the following key and delete the file/folder/entry I highlighted in RED

HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

---------------------------------

Clear Internet Explorer Cookies:
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

---------------------------------

Empty Microsoft AntiSpyware\Quarantine

---------------------------------

Empty your Recycle Bin.

---------------------------------

Run Ccleaner:

Click on the 'Issues' tab to clean the registry. Be sure the 'prompt to backup registry' box is checked in the Options>Advanced section.

Click 'Analyze', then 'Fix Issues'

---------------------------------

Reboot into Normal Mode.

---------------------------------

Quote:
although my mom told me that it crashed on her twice.
Can you tell me what she was doing when that happened? Did the computer 'crash' or 'freeze'? Does she remember if she saw any error messages?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-26-2006, 10:30 AM   #12 (permalink)
Registered User
 
Join Date: May 2005
Posts: 14
OS: Win XP


Thanks for all your help. I ran through all the steps you posted. The computer seems to be running fine to me.
In regard to the computer crashing on my mom, she said that it crashed and a message came up something like "If this has happened before and you recently installed a new program, please uninstall it now." I haven't seen this happen and we haven't installed any programs except the ones this forum asked us to, so I don't really know what to make of that.
Thanks again.
Old 04-26-2006, 06:36 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista

Hi Radja40,

If it happens again, take note of the program that is having the problem. It may help to uninstall and reinstall it. If it keeps recurring, you may want to post the issue in the Windows XP section of this forum.

Please keep CleanUp and Ewido.

Run CleanUp periodically, with the settings I gave you, to keep the system clutter free.

You will need to keep Ewido updated with the latest definition files. (At the minimum, check for updates bi-weekly.)
* On the left-hand side of the main screen click Update.
* Then click on Start Update.
The update will start and a progress bar will show the updates being installed.

*************************************

Your logs are clean. Please continue with these final instructions and helpful links.

Reset hidden/system files and folders
Windows XP
===============
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
* Click Yes to confirm.
* Click OK.

Enable Windows Auto Update
* Go to Start>Run - type wuaucpl.cpl
* Tick the checkbox "Keep my computer up to date"
* Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
* Click on "OK".

Create a new System Restore point
* Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore tab
* Tick the checkbox "Turn off System Restore on all drives"
* Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD).
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select Option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Please respond one more time and let us know if we can mark this as resolved.
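The "Reset hidden/system files and folders" and "Enable Windows Auto Update" steps above are all backed by registry values, so a helper can confirm afterwards that the settings really ended up in the state the post asks for. The script below is an added example, not part of the original post or of any tool it names; it assumes the standard Windows locations for Explorer's view settings and Automatic Updates and only reads them, changing nothing.

```powershell
# Added example (not from the original post): read the registry values behind the
# "Reset hidden/system files and folders" and "Enable Windows Auto Update" steps and
# report whether each matches the state the post asks for. Read-only; changes nothing.

# Assumed standard locations (per-user Explorer view settings; machine-wide Automatic Updates)
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$auKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Expected values after the post's steps:
#   Hidden=2          -> "Show hidden files and folders" deselected
#   HideFileExt=1     -> "Hide file extensions for known types" selected
#   ShowSuperHidden=0 -> "Hide protected operating system files" selected
#   AUOptions=4       -> automatic download + install on a schedule (Automatic Updates on)
$checks = @(
    @{ Path = $advanced; Name = 'Hidden';          Expected = 2 },
    @{ Path = $advanced; Name = 'HideFileExt';     Expected = 1 },
    @{ Path = $advanced; Name = 'ShowSuperHidden'; Expected = 0 },
    @{ Path = $auKey;    Name = 'AUOptions';       Expected = 4 }
)

foreach ($c in $checks) {
    # A missing value is reported rather than treated as a match
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0}\{1}: value not present" -f $c.Path, $c.Name
        continue
    }
    $actual = $item.($c.Name)
    $state = if ($actual -eq $c.Expected) { 'OK' } else { 'DIFFERS' }
    "{0}\{1}: actual={2} expected={3} [{4}]" -f $c.Path, $c.Name, $actual, $c.Expected, $state
}
```

Run it in a PowerShell console on the cleaned machine; any line marked DIFFERS or "value not present" points at a step from the post that has not taken effect.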
Copyright 2001 - 2009, Tech Support Forum