Unsolved

February 21st, 2006 18:00

Please help! Computer overrun

Hi,

My computer is overrun with spyware. I tried Spybot, but it cleans some stuff, says other stuff is running and asks if it can run when I start up, but it never does.

Here's my log, if anyone would be kind enough to help:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:07 PM, on 2/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGF2aWQgSGF5\command.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\Dad\r_server.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\xload.exe
C:\Program Files\MediaGateway\MediaGateway.exe
C:\windows\winsysban10.exe
C:\WINDOWS\wufjpmb.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\jqsam.exe
C:\WINDOWS\System32\wgse.exe
C:\WINDOWS\System32\mcspy.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win3208382-1460528.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\RegiFast\RFManager.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\smss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ASEMBL~1\wuaclt.exe
C:\winstall.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\hpsw.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - {4D191E5C-AEC6-D941-C009-DE98B861F7CA} - C:\WINDOWS\System32\etw.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames10.exe
O4 - HKLM\..\Run: [sJc9] C:\WINDOWS\wufjpmb.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [04cg0ryk.dll] RUNDLL32.EXE 04cg0ryk.dll,b 19179937
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\jqsam.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [159H] C:\windows\eee2.exe
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\System32\mcspy.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3208382-1460528] C:\WINDOWS\win3208382-1460528.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe] C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\ASEMBL~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Osxixt] C:\Documents and Settings\Dad\Application Data\A?pPatch\?ervices.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.adextension.com (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.gimmycash.com (HKLM)
O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.proben.nu (HKLM)
O15 - Trusted Zone: *.snet.ms (HKLM)
O15 - Trusted Zone: *.snet.tc (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.sxload.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.yoursitebar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.zango.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\r86u0ij9e8o.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGF2aWQgSGF5\command.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Documents and Settings\Dad\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

5.9K Posts

February 22nd, 2006 22:00

Quite an impressive collection of malware you have there.  It's going to take more than one try to get it all.
 
Let's try the easy way to get rid of SurfAccuracy first.
 
  1. Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).

  2. In the Control Panel window, double-click Add/Remove Programs.

    Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.

  3. Click SurfAccuracy.

    Note:
    You may need to use the scroll bar to view the whole list.

  4. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

Hopefully the line:

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

will now be gone.

Now:

Download the Hoster from:

http://www.funkytoad.com/

Unpack to your desktop and run it.  If you have green print at the top then just press Restore Original Hosts then OK.
If you have red print then press Make Hosts Writeable first.  After you Restore Original Hosts then Make Hosts Read Only.  This cleans out your hosts file, where malware often puts entries to keep you from going to antivirus sites.

Get DelDomains.inf from:

http://www.mvps.org/winhelp2002/DelDomains.inf and then right click on it and Install.

Nothing much will happen except the O15 entries should go away on your next HJT scan.

You will also need the program Look2me-Destroyer.exe from this page.  Just download it for now.

http://www.atribune.org/content/view/28/

Download and install ccleaner.exe from http://www.ccleaner.com. Don't let it clean anything yet.

Download the killbox:

http://www.bleepingcomputer.com/files/killbox.php

Unzip it to your desktop but don't run it.

Download smitRem.exe, saving the file to your desktop.

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1fold

Double click it to extract the contents to a folder on the desktop.

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in as your usual login or you won't find the programs you put on the desktop, and some of the entries we want to remove will not appear in HijackThis.

Run HijackThis and just do a Scan only. Check, then Fix Checked, the following:
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {4D191E5C-AEC6-D941-C009-DE98B861F7CA} - C:\WINDOWS\System32\etw.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames10.exe
O4 - HKLM\..\Run: [sJc9] C:\WINDOWS\wufjpmb.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [04cg0ryk.dll] RUNDLL32.EXE 04cg0ryk.dll,b 19179937
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\jqsam.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [159H] C:\windows\eee2.exe
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\System32\mcspy.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3208382-1460528] C:\WINDOWS\win3208382-1460528.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe] C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\ASEMBL~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Osxixt] C:\Documents and Settings\Dad\Application Data\A?pPatch\?ervices.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.adextension.com (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.gimmycash.com (HKLM)
O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.proben.nu (HKLM)
O15 - Trusted Zone: *.snet.ms (HKLM)
O15 - Trusted Zone: *.snet.tc (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.sxload.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.yoursitebar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.zango.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGF2aWQgSGF5\command.exe

Run ccleaner.exe, uncheck everything on the first page except the two entries with Temporary and then Run Cleaner.


Run killbox.  Open Options and check Remove Directories.
Where it says Full Path of File to Delete you need to type or copy (Highlight and Ctrl + C) and Paste (move to the killbox, place the cursor in the box and Ctrl + V):

C:\PROGRA~1\Jalmp

Then check the Delete on Reboot box, then the red button.
It will say:  File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it NO.  (If it can't find it, that's OK, just go on to the next one.)
 
Repeat for:
 
C:\Program Files\Zango Programs
C:\Program Files\TheSearchAccelerator
C:\Program Files\MediaGateway
C:\Program Files\webHancer
C:\Program Files\ISTsvc
C:\Documents and Settings\Dad\Application Data\A?pPatch
C:\Program Files\SpySheriff

 

Do not let it reboot.

Open the smitrem folder and double-click on RunThis.bat (you may not see the .bat).


Reboot into regular mode.  If you still have desktop problems then run RunThis.bat again.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.

Boot into regular mode.  Make a new log and post it as a reply.  Let's see how we did.

Ron
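The triage Ron walks through above (home and search pages pointed at a local file or an unknown search host, unnamed URLSearchHooks, an extra program chained onto the Shell= line, Run entries that borrow core Windows process names from the wrong folder or live in the Windows or drive root, O15 Trusted Zone additions, unfamiliar Winlogon Notify DLLs, and services with no vendor) can be automated for a first pass over a log. The script below is an added example written for this thread; it is not HijackThis or any tool Ron mentions, the known-DLL and known-search-host lists are the editor's own assumptions, and the sample log lines are constructed to mirror the entry types seen in the posts rather than copied from the poster's machine.

```python
"""Triage a HijackThis v1.99-style log and flag the entry types a forum
helper tells the poster to fix.  Example code added to this thread; it is
not HijackThis, and every rule below is an editor's heuristic."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


# Core Windows binaries: Windows never starts these through a Run key, so a
# Run entry launching one of them from outside System32 is impersonation.
CORE_PROCESS_NAMES = {"smss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "csrss.exe", "svchost.exe"}
# Winlogon Notify DLLs present on a stock Windows XP install (editor's list).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcsvc.dll"}
# Search providers accepted for search-related R0/R1 keys (editor's list).
KNOWN_SEARCH_HOSTS = {"msn.com", "microsoft.com", "google.com", "yahoo.com"}
SEARCH_KEYS = ("search", "default_search_url", "searchassistant", "customizesearch")

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
EXE_PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)
DLL_RE = re.compile(r"([^\\\s]+\.dll)", re.IGNORECASE)


def _host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()


def _known_search_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in KNOWN_SEARCH_HOSTS)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for one a helper
    would normally leave alone."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, rest = m.group(1), m.group(2)
    if tag in ("R0", "R1"):
        key, _, value = rest.partition(" = ")
        value = value.strip()
        key_name = key.rsplit(",", 1)[-1].lower()
        if re.match(r"^[a-z]:\\", value, re.IGNORECASE):
            return Finding(tag, "browser page points at a local file", line)
        if (value.lower().startswith("http")
                and any(k in key_name for k in SEARCH_KEYS)
                and not _known_search_host(_host_of(value))):
            return Finding(tag, f"search redirected to {_host_of(value)}", line)
    elif tag == "R3" and "(no name)" in rest:
        return Finding(tag, "unnamed URLSearchHook", line)
    elif tag == "F2" and "shell=" in rest.lower():
        shell_value = rest.lower().split("shell=", 1)[1].strip()
        if shell_value != "explorer.exe":
            return Finding(tag, "extra program chained onto the Windows shell", line)
    elif tag == "O4":
        exe = EXE_PATH_RE.search(rest)
        if exe:  # rundll32-style entries without a drive-letter path are skipped
            folder, _, name = exe.group(1).lower().rpartition("\\")
            if name in CORE_PROCESS_NAMES and "\\system32" not in folder:
                return Finding(tag, f"{name} impersonated outside System32", line)
            if re.match(r"^[a-z]:\\windows\\*$", folder) or re.match(r"^[a-z]:\\*$", folder):
                return Finding(tag, "autostart executable dropped in Windows or drive root", line)
    elif tag == "O15":
        return Finding(tag, "site added to Trusted Zone (a clean IE install has none)", line)
    elif tag == "O20":
        dll = DLL_RE.search(rest)
        if dll and dll.group(1).lower() not in KNOWN_NOTIFY_DLLS:
            return Finding(tag, "non-standard Winlogon Notify DLL", line)
    elif tag == "O23" and "Unknown owner" in rest:
        return Finding(tag, "service with no vendor", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and keep the hits, in order."""
    return [f for f in (check_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample lines in HijackThis format; hosts, GUIDs and file names
# are placeholders chosen to exercise each rule, not the poster's values.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.example.test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\etw.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Example\extra.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [sJc9] C:\WINDOWS\wufjpmb.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O15 - Trusted Zone: *.adware.example (HKLM)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\qx7a1b.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGF2aWQgSGF5\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:55} {f.line.strip()}")
```

Running it on the sample prints ten findings and stays silent on the Symantec, NVIDIA, rundll32 and crypt32 entries. The output is a starting point for the "Fix Checked" list, not a verdict: the Windows-root rule will also catch legitimate OEM utilities, so each flagged line still gets a human look the way Ron gives it here.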

9 Posts

February 24th, 2006 01:00

Hi Ron,

Thanks so much for the help. Yes, my daughter was a little unsupervised and I had no idea what she'd done!

Walked through all the steps you outlined, apart from the last one - Look2Me-Destroyer.exe wouldn't run. It said "Component mswinsck.ocx or one of its dependencies not correctly registered; a file is missing or invalid."

Here's the latest HijackThis log though. Appreciate your advice from here - there's still spyware somewhere as my browser gets hijacked and redirected...

Logfile of HijackThis v1.99.1
Scan saved at 10:13:23 PM, on 2/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - {152A6651-DEC6-F511-C1AD-F48AD9D7F297} - C:\WINDOWS\System32\hibfzmqk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnju0119e.dll (file missing)
O20 - Winlogon Notify: avload32 - avload32.dll (file missing)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\ixq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Documents and Settings\Dad\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

February 24th, 2006 13:00

Log is looking a lot better.  Don't be too hard on your daughter.  A lot of this is downloaded without the user knowing it is happening.  Other times with kids they like to download and share music files and the malware sites will often offer free downloads and then slip in a zinger at the same time.

The fix for your error with the look2me destroyer program is supposedly:

"download MSWINSCK.OCX from the link below and save it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Last Updated ( Saturday, 11 February 2006 )"

Also I have had problems in the past with Norton/Symantec not permitting fixes to run so right click on the norton/symantec shield in the system tray (near the clock) and uncheck Enable AutoProtect.  If that doesn't help then it may be necessary to boot back into Safe Mode in order to run the program.

Try that and see if you can get the program to run.  Close all programs before you run it.

I see Microsoft NetMeeting is running.  This program allows you to share your desktop with other authorized users and may be something your daughter and her friends are fond of using.  If that's the case then leave it alone but if she doesn't know anything about it then we should turn it off.  Start, Run, services.msc, OK then find NetMeeting Remote Desktop Sharing and double click on it.  Set the Startup Type: to Disabled and then Apply then Stop the service.

Then run Hijackthis (with Internet Explorer closed) and check any of these that remain then Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {152A6651-DEC6-F511-C1AD-F48AD9D7F297} - C:\WINDOWS\System32\hibfzmqk.dll

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnju0119e.dll (file missing)
O20 - Winlogon Notify: avload32 - avload32.dll (file missing)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\ixq.dll

Do another scan.

If either the R3 or the last O20 are still there then run Killbox and check the Delete on Reboot button then have it remove

C:\WINDOWS\System32\hibfzmqk.dll

(Press the reboot but answer No)

C:\WINDOWS\system32\ixq.dll

(Let it reboot this time.)

Run a new log and post it as a reply.  Also post the look2me destroyer log if you get it to run. 

Ron
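A triage script for the fix-and-rescan cycle described in the reply above, added here as an example (it is not the poster's code and not part of HijackThis). It parses HijackThis entry lines, flags the entry types singled out above (Winlogon Notify DLLs, the nameless URLSearchHook, services with an unknown owner, "(file missing)" remnants), and compares two logs so the entries that survived a Fix Checked run stand out; the known-good Winlogon Notify allow-list and both sample logs are constructed for this example from lines quoted in the thread.

```python
"""Triage helper for HijackThis v1.99 logs (example code, not from the thread).

Parses the "Onn - ..." / "Rn - ..." entry lines, flags the kinds of entries the
reply above singles out, and compares a before/after pair of logs to show which
flagged entries survived a Fix Checked run and rescan.  The allow-list and the
sample logs are constructed for this example.
"""
import re

# "O20 - Winlogon Notify: ..." -> kind="O20", body="Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .dll/.exe/.ocx inside an entry line
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx))', re.IGNORECASE)

# Winlogon Notify subkeys that ship with Windows XP (constructed, partial
# allow-list for this example; extend it from a known-clean machine).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_entries(log_text):
    """Return (kind, body) for every entry line; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entry(kind, body):
    """Return a reason string if the entry deserves a look, else None.

    These are triage heuristics, not verdicts: every hit still needs the file
    or vendor checked by hand.
    """
    if "(file missing)" in body:
        return "registration points at a file that no longer exists"
    if kind == "O20":
        # body looks like "Winlogon Notify: <name> - <dll>"
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if name not in KNOWN_NOTIFY:
            return "Winlogon Notify handler outside the known-good set"
    if kind == "R3" and "(no name)" in body:
        return "URLSearchHook with no name"
    if kind == "O23" and "Unknown owner" in body:
        return "service with no identified vendor"
    if kind in ("R0", "R1") and body.rstrip().endswith("about:blank"):
        return "browser default page reset to about:blank"
    return None


def triage(log_text):
    """Map each flagged entry line (as written in the log) to its reason."""
    flagged = {}
    for kind, body in parse_entries(log_text):
        reason = flag_entry(kind, body)
        if reason:
            flagged[f"{kind} - {body}"] = reason
    return flagged


def survivors(before_text, after_text):
    """Flagged entries present in both logs: what Fix Checked did not remove."""
    return sorted(set(triage(before_text)) & set(triage(after_text)))


def files_to_verify(entries):
    """Paths behind surviving entries, to confirm they are gone after a delete-on-reboot."""
    paths = []
    for entry in entries:
        m = PATH_RE.search(entry)
        if m and "(file missing)" not in entry:
            paths.append(m.group("path"))
    return paths


# Constructed sample log, assembled from entry lines quoted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - {152A6651-DEC6-F511-C1AD-F48AD9D7F297} - C:\WINDOWS\System32\hibfzmqk.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnju0119e.dll (file missing)
O20 - Winlogon Notify: avload32 - avload32.dll (file missing)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\ixq.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed rescan after Fix Checked: in this scenario one O20 survived.
LOG_AFTER = r"""
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\ixq.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(LOG_BEFORE).items():
        print(f"{reason}: {entry}")
    left = survivors(LOG_BEFORE, LOG_AFTER)
    print("still present after rescan:", left)
    print("verify these are gone after reboot:", files_to_verify(left))
```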

February 25th, 2006 01:00

Here's the HijackThis log - made previous post too long...

HIJACK THIS:
Logfile of HijackThis v1.99.1
Scan saved at 9:57:13 PM, on 2/24/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\CCNTAB32.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Documents and Settings\Dad\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

February 25th, 2006 01:00

Hi Ron,

No, not hard on her - she had no idea!

Managed to do all this now. OCX file allowed look2me destroyer to run. Found some stuff and deleted it. Log is below.

Ran Hijackthis again, and deleted stuff. Could only find 1 O20 that you mentioned though, but deleted it.

Another log below too.

Something is still redirecting my browser after a few seconds :-( Any ideas?

btw, I use the NetMeeting, just to connect from my laptop within the house.

Also, I have other users set up, but haven't accessed them since this started.

cheers,

David

Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/24/2006 8:09:04 PM

Infected! C:\WINDOWS\system32\dnju0119e.dll
Infected! C:\WINDOWS\system32\ixq.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP568\A0107455.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP568\A0107469.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107481.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107490.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107496.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0108508.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109524.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109539.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109551.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109562.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110578.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110591.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110657.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110658.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110677.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110681.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0111680.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0112680.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113680.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113746.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113752.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113906.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0114909.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0114953.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116012.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116013.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116014.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116015.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116016.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116018.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116019.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116022.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116023.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116024.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116025.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116026.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116027.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116028.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116029.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116032.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116033.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116034.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116036.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116038.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116040.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116041.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116080.dll
Infected! C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116087.dll
Infected! C:\WINDOWS\system32\g6040gdqe60e0.dll
Infected! C:\WINDOWS\system32\ixq.dll
Infected! C:\WINDOWS\system32\n04slah71d4.dll
Infected! C:\WINDOWS\system32\ncmsapi.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\ixq.dll
C:\WINDOWS\system32\ixq.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP568\A0107455.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP568\A0107455.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP568\A0107469.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP568\A0107469.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107481.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107481.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107490.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107490.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107496.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0107496.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0108508.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP569\A0108508.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109524.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109524.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109539.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109539.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109551.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109551.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109562.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0109562.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110578.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110578.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110591.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110591.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110657.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110657.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110658.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110658.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110677.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110677.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110681.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0110681.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0111680.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0111680.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0112680.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0112680.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113680.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113680.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113746.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113746.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113752.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113752.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113906.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP571\A0113906.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0114909.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0114909.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0114953.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0114953.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116012.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116012.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116013.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116013.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116014.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116014.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116015.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116016.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116016.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116018.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116018.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116019.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116019.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116022.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116022.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116023.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116023.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116024.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116024.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116025.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116025.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116026.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116026.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116027.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116027.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116028.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116028.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116029.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116029.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116032.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116032.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116033.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116033.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116034.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116034.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116036.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116036.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116038.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116038.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116040.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116040.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116041.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116041.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116080.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116080.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116087.dll
C:\System Volume Information\_restore{F481F2FD-D6D3-406B-9ADC-B13264CEE0CA}\RP572\A0116087.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\g6040gdqe60e0.dll
C:\WINDOWS\system32\g6040gdqe60e0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ixq.dll
C:\WINDOWS\system32\ixq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n04slah71d4.dll
C:\WINDOWS\system32\n04slah71d4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ncmsapi.dll
C:\WINDOWS\system32\ncmsapi.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

February 25th, 2006 16:00

Hi Ron,

I also ran an ewido scan in safe mode with the following report - I tried to delete the registry keys, changing permissions etc. with no success.

Any ideas?

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:30:06 PM, 2/25/2006
+ Report-Checksum: 90FF1C78

+ Scan result:

HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Error during cleaning
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Adware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\MEDIATICKETSINSTALLER.MediaTicketsInstallerCtrl.1 -> Adware.PurityScan : Error during cleaning
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Error during cleaning
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Error during cleaning
HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Adware.YourSiteBar : Error during cleaning
HKLM\SOFTWARE\Classes\Ysb.YsbObj.1 -> Adware.YourSiteBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar -> Adware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Adware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historymusic_keyword -> Adware.ISTBar : Error during cleaning
[604] C:\WINDOWS\system32\atvapi32.dll -> Adware.Look2Me : Error during cleaning
[680] C:\WINDOWS\system32\atvapi32.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Dad\Application Data\AрpPatch\ѕervices.exe -> Adware.PurityScan : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Directnetadvertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\WINDOWS\system32\adsetup.exe -> Dropper.Agent.abb : Cleaned with backup
C:\WINDOWS\system32\hibfzmqk.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\njrsit.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nsq340.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\tool1.exe -> Not-A-Virus.SpamTool.Win32.Mailbot.an : Cleaned with backup


::Report End
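Added example for this thread (not part of the original posts and not ewido's own code): a small Python script that parses a report in the format posted above and separates what ewido cleaned from what it could not. The two kinds of "Error during cleaning" are different problems. The `[604]`/`[680]` prefixes mark the same DLL mapped into two running processes; a loaded file cannot be deleted in place, which is why a delete-on-reboot tool is the usual next step for it. The registry leftovers are ProgID and vendor keys, and the script folds them into a Regedit 5 deletion script (the `[-KEY]` syntax removes a key and its subkeys), dropping children whose parent is already listed. The sample report is a constructed subset of the posted one; the `target -> family : status` line format is assumed from that posting. Importing the .reg needs an administrator account and fails the same way regedit does if the adware changed the key ACLs; a ProgID whose DLL is gone cannot be instantiated, so a leftover key on its own is not the live threat.

```python
"""Parse an ewido anti-malware scan report and sort the leftovers.

Added example for this thread; not ewido's own code. The line format
'target -> family : status' is assumed from the report posted above.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the posted report's lines.
SAMPLE_REPORT = r"""
+ Scan result:

HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Error during cleaning
HKLM\SOFTWARE\YourSiteBar -> Adware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Adware.ISTBar : Error during cleaning
[604] C:\WINDOWS\system32\atvapi32.dll -> Adware.Look2Me : Error during cleaning
[680] C:\WINDOWS\system32\atvapi32.dll -> Adware.Look2Me : Error during cleaning
:mozilla.6:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1iaccrjh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\adsetup.exe -> Dropper.Agent.abb : Cleaned with backup
C:\WINDOWS\tool1.exe -> Not-A-Virus.SpamTool.Win32.Mailbot.an : Cleaned with backup

::Report End
"""

# A '[pid] ' prefix means the object was found mapped into a running process.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?(?P<target>.+?) -> (?P<family>\S+) : (?P<status>.+)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def classify(target, pid):
    if pid is not None:
        return "loaded-module"
    if target.startswith(":mozilla."):
        return "cookie"           # one entry inside a Firefox cookies.txt
    if target.split("\\", 1)[0] in HIVES:
        return "registry"
    return "file"


def parse_report(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # headers, blank lines, '::Report End'
        rec = m.groupdict()
        rec["kind"] = classify(rec["target"], rec["pid"])
        records.append(rec)
    return records


def summarize(records):
    """Count (kind, status) pairs: what was cleaned and what was not."""
    return Counter((r["kind"], r["status"]) for r in records)


def in_use_modules(records):
    """Files ewido saw loaded in processes, keyed by path -> sorted PIDs.
    A mapped DLL cannot be deleted in place; that is the 'error' here."""
    by_path = defaultdict(set)
    for r in records:
        if r["kind"] == "loaded-module":
            by_path[r["target"]].add(int(r["pid"]))
    return {p: sorted(pids) for p, pids in by_path.items()}


def collapse_subkeys(keys):
    """Drop keys whose ancestor is also listed: deleting the parent
    removes the subkeys, so a .reg file should not list both."""
    keep = []
    for k in sorted(set(keys), key=str.lower):
        if not any(k.lower().startswith(p.lower() + "\\") for p in keep):
            keep.append(k)
    return keep


def reg_delete_script(records):
    """Build a Regedit 5 script deleting the registry keys ewido could
    not remove. '[-KEY]' is the documented delete-key syntax."""
    keys = [r["target"] for r in records
            if r["kind"] == "registry" and r["status"].startswith("Error")]
    lines = ["Windows Registry Editor Version 5.00", ""]
    for k in collapse_subkeys(keys):
        hive, _, rest = k.partition("\\")
        lines.append(f"[-{HIVES[hive]}\\{rest}]")
        lines.append("")
    return "\r\n".join(lines)     # regedit expects CRLF line endings


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for (kind, status), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {kind:14s} {status}")
    for path, pids in in_use_modules(recs).items():
        print(f"still loaded: {path} in PIDs {pids}")
    print(reg_delete_script(recs))
```

Run it against the full report and the two `atvapi32.dll` lines come out as one file loaded in two processes, which is the single item that actually needs a reboot-time delete; everything else on the "error" list is a key that can be scripted away or ignored once the DLL is gone.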

5.9K Posts

February 25th, 2006 20:00

The only thing that I'd worry about is the look2me infection.

See if you can use killbox (Delete on Reboot)

on

C:\WINDOWS\system32\atvapi32.dll

Then run look2me-destroyer twice in a row.

Post a new log when done.

Ron

9 Posts

February 26th, 2006 00:00

Hi Ron,

Couldn't find that file to run killbox on it.

Ran look2me-destroyer twice, though, and that seemed to help.

Spybot did say that it couldn't delete ISearchTech.YSB - HKLM\SOFTWARE\YourSiteBar. Is that a problem?

Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:06 PM, on 2/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Documents and Settings\Dad\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
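Added example (not from the thread and not part of HijackThis): a Python triage pass over a log in the 1.99 format posted above. It flags what a reviewer checks first: executables running from, or registered to run from, somewhere other than Program Files and system32 (the Windows root, a user profile, the drive root); file names that look machine-generated (letters and digits alternating, as in the DLL names removed earlier in the thread); and O23 services with no owner string or a missing binary, which is exactly what the r_server line in the log shows. The sample log is constructed: it mixes lines from the posted log with a made-up `C:\WINDOWS\q9x2k7m4.exe` entry so that every rule fires. The location rules, the allowlist of files that legitimately live in the Windows root, and the alternation threshold are this editor's heuristics, not HijackThis logic; a hit is a prompt to look the file up, not a verdict.

```python
"""Triage a HijackThis 1.99 log for the entries worth a second look.

Added example for this thread; not part of HijackThis. The line formats
are taken from the log posted above; the flagging rules are heuristics
chosen for this example, not HijackThis's own logic.
"""
import re

# Constructed sample: lines from the posted log plus a made-up
# C:\WINDOWS\q9x2k7m4.exe entry (not a real file from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\q9x2k7m4.exe
C:\Documents and Settings\Dad\r_server.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\q9x2k7m4.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Documents and Settings\Dad\r_server.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

PROC_RE = re.compile(r"^[a-z]:\\.+\.(?:exe|dll|scr|com|pif)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|cpl|scr)(?=["\s]|$)', re.I)

# Expected homes for executables (heuristic); PROGRA~1 is the 8.3 alias.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\",
               "c:\\program files\\", "c:\\progra~1\\")
# Files that really do live in the Windows root on XP (assumed allowlist).
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}


def extract_path(cmd):
    """Pull the executable path out of a Run or Service command line."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def unusual_location(path):
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.startswith(SYSTEM_DIRS):
        return None
    if p.startswith("c:\\windows\\") and p.count("\\") == 2:
        return None if name in WINDOWS_ROOT_OK else "executable directly under C:\\WINDOWS"
    if p.startswith("c:\\documents and settings\\"):
        return "executable inside a user profile"
    if p.count("\\") == 1:
        return "executable in the drive root"
    return None


def random_looking(filename):
    """Heuristic: three or more letter/digit alternations in the stem
    (g6040gdqe60e0.dll yes, nvsvc32.exe no)."""
    stem = filename.rsplit(".", 1)[0].lower()
    return len(re.findall(r"(?<=[a-z])\d|(?<=\d)[a-z]", stem)) >= 3


def check_path(path, context):
    findings = []
    reason = unusual_location(path)
    if reason:
        findings.append((context, f"{reason}: {path}"))
    name = path.rsplit("\\", 1)[-1]
    if random_looking(name):
        findings.append((context, f"random-looking file name: {name}"))
    return findings


def triage(log_text):
    """Return (context, message) pairs for every flagged entry."""
    findings = []
    in_proc_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_proc_list = True
            continue
        if in_proc_list and PROC_RE.match(line):
            findings += check_path(line, "running process")
            continue
        in_proc_list = False      # first non-path line ends the list
        m = O4_RE.match(line)
        if m:
            path = extract_path(m["cmd"])
            if path:              # rundll32 one-liners carry no drive path
                findings += check_path(path, f"O4 Run [{m['name']}]")
            continue
        m = O23_RE.match(line)
        if m:
            ctx = f"O23 service {m['svc']}"
            if m["owner"] == "Unknown owner":
                findings.append((ctx, "no vendor/owner string"))
            if "(file missing)" in m["cmd"]:
                findings.append((ctx, "service binary missing (orphaned registration)"))
            path = extract_path(m["cmd"])
            if path:
                findings += check_path(path, ctx)
    return findings


if __name__ == "__main__":
    for ctx, msg in triage(SAMPLE_LOG):
        print(f"{ctx}: {msg}")
```

On the posted log the only hits are the r_server service (unknown owner, missing binary, registered from a user profile); Global Startup `.lnk` lines are not parsed here, and the O16 ActiveX downloads are left to the reader, since whether a `.cab` or `.ocx` from a photo site is wanted is a judgement call, not a pattern match.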

9 Posts

February 26th, 2006 01:00

By the way, I have some data I need to get from one of the other accounts on my machine, which was I believe one of the accounts that the spyware was installed on, before I delete it.

Is there a safe way to do this? Log on while disconnected from the internet? Or will that account be 'clean' now too?

many thanks,

David

5.9K Posts

February 26th, 2006 02:00

I think you can safely use another account. Log looks pretty good now. I would turn System Restore off and then back on in order to purge its database of old files. Then make a new restore point. http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

Then you can go back to it if you get reinfected.

You could run one of the online scans and see if it finds anything first just to be sure.

If in doubt boot into Safe Mode and run an HJT scan and log then boot back into this account and post it as a reply. Wouldn't hurt to post logs for each account on the PC.

The registry entry is not important if the file is gone. The program is not active.

Ron


Message Edited by RKinner on 02-27-2006 03:42 PM
