20 Posts

October 17th, 2006 22:00

Spyware/popup problem/ Files missing

Hi, I posted a thread yesterday about my problem on the other page and they told me to come here to see if anyone could help me. Here is the message that I posted:

"I was surfing the web today and out of nowhere a page opened and something started to either scan, download, install, whatever. The next thing I know there are a bunch of icons on my desktop and this toolbar called Mirar and a Search bar too. I cannot find those files anywhere in my computer under those names and they are not in the Add/Remove page. I deleted a lot of stuff in the Add/Remove page that installed into my computer out of nowhere. A bunch of things! Probably some that I should have deleted in the first place. Now that I deleted all this stuff the toolbar is still there and I'm getting like 10 popups a minute or more. It seems that there is no way I can delete that toolbar with everything that got installed into my computer without my permission. Please help me because I definitely cannot hire some person to clean my computer, cuz my parents will kill me! (I'm 16)
Help me please, anyone that knows how to get rid of this stuff.
Oh and my antivirus program is AVG Free Edition."

On the other thread two people helped me out and told me that I should scan my computer with HijackThis, so I did. Now I see that some things are missing on my computer (or so I think). Plus I can no longer open my Internet Explorer because every time I do it closes! It has an error message or something like that.
Oh and I did delete my Related Page (Mirar toolbar) but it's still there!!! I deleted it through Add/Remove. I also deleted a lot of other stuff which I think I shouldn't have and now I think my computer is going crazy!

Please someone help me!

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:38 PM, on 10/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\next06.exe
C:\WINDOWS\cfg32.exe
C:\nwnmff_e31.exe
C:\dfndrff_e32.exe
C:\kybrdff_e32.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [b56f3f18.exe] C:\WINDOWS\System32\b56f3f18.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e31.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e32.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e32.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [b56f3f18.exe] C:\Documents and Settings\electraa\Local Settings\Application Data\b56f3f18.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm078YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\electraa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E45389C-CD7F-4F17-96A1-D4C697F32544}: NameServer = 68.237.161.12 71.250.0.12
O21 - SSODL: IEFilter - {F6BBD367-19AF-4305-A209-0C53E4B359E5} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rvivxya.exe (file missing)


Thank you for reading this long post! Hopefully it's possible to fix this!

~Electraa

10.4K Posts

October 17th, 2006 23:00

Electraa

Welcome to DCF

That's quite a collection of malware you have there. It will take a couple of runs at this to completely remove the infection, so please be patient.

Re-run HijackThis:
  • At the main window select "Open the misc tool section"
  • Then select "Open uninstall manager"
  • Then "Save list" and save it to your Desktop
Copy and paste that list as a reply to this thread.
 
bamajim   Graduate of Malware Removal University
 


20 Posts

October 18th, 2006 01:00

Hey, thanks for the welcome. This might be weird, but whenever I press "Save list" it closes the HijackThis program. Am I doing something wrong?

10.4K Posts

October 18th, 2006 12:00

Electraa
 
No it's the infection trying to protect itself.
 
Let's do this: open the HijackThis folder ->> locate HijackThis.exe ->> right-click and select Rename ->> rename it H.exe
 
Then rerun H.exe (formerly Hijackthis.exe) and post a fresh log.
 
bamajim   Graduate of Malware Removal University
 

 
 

20 Posts

October 18th, 2006 20:00

Cool, it worked! :)

Ad-aware 6 Professional
Adobe Flash Player 9 ActiveX
Adobe Photoshop 6.0
Adobe Reader 7.0
Adobe Shockwave Player
Advanced Networking Pack for Windows XP
AOL Uninstaller (Choose which Products to Remove)
ATI Display Driver
AVG Free Edition
BPS Spyware-Adware Remover 8.2.0.0
CleanUp!
Cole2k Media - Codec Pack (Advanced)
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Creative Mass Storage Drivers
Creative MediaSource
Creative System Information
Creative Zen Neeon
Error Guard 2.5.0
EximiousSoft GIF Creator V2.40
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
hp instant support
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet Drivers
hp psc 2100 series
InterActual Player
J2SE Runtime Environment 5.0 Update 4
Language Pack for Ad-aware 6
LimeWire 4.10.9
MathPlayer
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Office FrontPage 2003
Microsoft Office Outlook Connector for MSN
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft Picture It! Photo 2002
Microsoft Windows Journal Viewer
mIRC
Mozilla Firefox (1.5.0.7)
MP3 Galaxy
MSN
MSN Encarta Plus Support Files
MSN Messenger 6.2
New.net Domains 7.22
Newbury House Dictionary
Panicware Pop-Up Stopper Pro
PaperPort 9.0
PCFriendly
PowerDVD
PowerQuest Drive Image 2002
PowerQuest PartitionMagic 8.0
QuickTime
Railroad Tycoon 3 Demo
Readiris 7.5
RealPlayer
RelevantKnowledge
Rhapsody Player Engine
Roxio Easy Media Creator 7
Search Bar
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shockwave
Sony USB Driver
TMD-Recruit.4.10C
Total Commander (Remove or Repair)
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Overlay Components
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833998
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q819696
Windows XP Related
WinImage
WinRAR archiver

10.4K Posts

October 18th, 2006 23:00

Electraa

First, please download LSP-Fix from the following link and save it to your Desktop, but do not run it yet.

LSP-Fix Download Link

***Note: If you cannot connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

Next go to Add/Remove Programs (click Start ->> Control Panel ->> Add/Remove Programs)
and uninstall the following programs:
  • Windows Overlay Components
  • WildTangent Web Driver
  • Search Bar
  • RelevantKnowledge
  • New.net Domains 7.22
  • LimeWire 4.10.9
  • Error Guard 2.5.0
  • BPS Spyware-Adware Remover 8.2.0.0

Close Add/Remove Programs ->> reboot your PC ->> rerun H.exe (formerly HijackThis) and post a fresh log.

Also let me know if you have any problems uninstalling any of the programs.
 
bamajim   Graduate of Malware Removal University
 




20 Posts

October 19th, 2006 00:00

Ok, I deleted all these programs. Here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:24 PM, on 10/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\next06.exe
C:\WINDOWS\cfg32.exe
C:\nwnmff_e31.exe
C:\dfndrff_e32.exe
C:\kybrdff_e32.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\H\H.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: (no name) - {1FBA59F7-C295-4D42-8A4B-DBF9989D02E3} - C:\WINDOWS\System32\ddccd.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [b56f3f18.exe] C:\WINDOWS\System32\b56f3f18.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e31.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e32.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e32.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [b56f3f18.exe] C:\Documents and Settings\electraa\Local Settings\Application Data\b56f3f18.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm078YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\electraa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E45389C-CD7F-4F17-96A1-D4C697F32544}: NameServer = 68.237.161.12 71.250.0.12
O20 - Winlogon Notify: ddccd - C:\WINDOWS\System32\ddccd.dll
O20 - Winlogon Notify: drivers32 - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
O20 - Winlogon Notify: iexplorer - iexplorer.dll (file missing)
O20 - Winlogon Notify: scklchk - scklchk.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i242lcho1f4c.dll (file missing)
O21 - SSODL: IEFilter - {F6BBD367-19AF-4305-A209-0C53E4B359E5} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rvivxya.exe (file missing)

10.4K Posts

October 19th, 2006 01:00

Electraa

O.k. We have some work to do. Please be patient; it will take a couple of runs at this to completely remove the infection.

First, copy and paste the following into Notepad (not WordPad):

    sc stop Service
    sc delete Service
    sc stop "Windows Overlay Components"
    sc delete "Windows Overlay Components"

Click File ->> Save as ->> type in cmd.bat
  • Under "Save as type" select "All files" ->> save it to your Desktop
  • Close Notepad
  • The cmd.bat file should now appear on your Desktop
  • Double-click that file (it will appear that nothing has happened, but that's o.k.)
Next, please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Then rerun H.exe (formerly HijackThis.exe) and post a fresh log.

Your reply should include:
  • your vundofix.txt
  • a fresh H.exe log
 
bamajim   Graduate of Malware Removal University
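
As an added illustration (not part of this thread, and not code from HijackThis or VundoFix), the Python script below reads lines in the HijackThis 1.99 log format posted above and flags the kinds of entries bamajim acted on: the F2 shell chain, autoruns from odd locations, Trusted Zone additions, ActiveX downloads from raw IP addresses, Winlogon Notify DLLs and services with no vendor, then emits sc stop / sc delete lines in the shape of the cmd.bat above. The heuristics are mine; the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis 1.99.1 lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b56f3f18.exe] C:\WINDOWS\System32\b56f3f18.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e31.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: ddccd - C:\WINDOWS\System32\ddccd.dll
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rvivxya.exe (file missing)
"""

@dataclass
class Finding:
    section: str  # HijackThis section code (F2, O4, O15, O16, O20, O23)
    reason: str   # why the line was flagged
    target: str   # path, URL, site or service name to act on

# One pattern per section we look at; every other line is ignored.
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.*)$")
IP_URL_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)

def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|bat))(?:[\s,]|$)", cmd, re.I)
    return m.group(1) if m else cmd

def autorun_reasons(path: str) -> list[str]:
    """Heuristics for an O4 Run target; an empty list means nothing stood out."""
    norm = path.replace("\\\\", "\\")  # HijackThis prints drive-root files as C:\\file.exe
    parent, _, name = norm.rpartition("\\")
    reasons = []
    if parent.upper() in ("C:", "C:\\WINDOWS"):
        reasons.append("runs from the drive root or the Windows folder itself")
    if HEX_NAME_RE.match(name):
        reasons.append("random-looking 8-hex-digit filename")
    if "?" in norm:  # HijackThis shows characters it cannot print as '?'
        reasons.append("look-alike characters in the path (shown as '?')")
    if "\\My Documents\\" in norm or "\\Local Settings\\Application Data\\" in norm:
        reasons.append("runs from a user profile data folder")
    return reasons

def triage(log_text: str) -> list[Finding]:
    """Walk a pasted log and return the entries a helper would want to look at."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := F2_RE.match(line):
            if m["shell"].strip().lower() != "explorer.exe":
                findings.append(Finding("F2", "extra program chained onto the Explorer shell", m["shell"]))
        elif m := RUN_RE.match(line):
            path = executable_path(m["cmd"])
            if reasons := autorun_reasons(path):
                findings.append(Finding("O4", "; ".join(reasons), path))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", "site added to the IE Trusted Zone", m["site"]))
        elif m := O16_RE.match(line):
            reasons = []
            if IP_URL_RE.match(m["url"]):
                reasons.append("ActiveX download from a raw IP address")
            if m["url"].lower().endswith(".exe"):
                reasons.append("download object is an .exe rather than a .cab")
            if reasons:
                findings.append(Finding("O16", "; ".join(reasons), m["url"]))
        elif m := O20_RE.match(line):
            missing = "(file missing)" in m["dll"]
            reason = "orphaned Winlogon Notify key (file missing)" if missing else "Winlogon Notify DLL loaded at every logon"
            findings.append(Finding("O20", reason, m["dll"]))
        elif m := O23_RE.match(line):
            reasons = []
            if m["owner"] == "Unknown owner":
                reasons.append("service has no vendor information")
            if "(file missing)" in m["path"]:
                reasons.append("service binary is missing (orphaned entry)")
            if reasons:
                findings.append(Finding("O23", "; ".join(reasons), m["svc"] or m["display"]))
    return findings

def sc_cleanup_lines(findings: list[Finding]) -> list[str]:
    """Batch lines in the shape of the cmd.bat above: stop, then delete, each flagged service."""
    lines = []
    for f in (f for f in findings if f.section == "O23"):
        name = f'"{f.target}"' if " " in f.target else f.target
        lines += [f"sc stop {name}", f"sc delete {name}"]
    return lines

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4}{f.target}\n    -> {f.reason}")
    print("\n".join(sc_cleanup_lines(found)))
```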



    20 Posts

    October 19th, 2006 19:00

    Ok here is my Vundo file:



    VundoFix V6.2.6

    Checking Java version...

    Java version is 1.5.0.4

    Scan started at 3:32:04 PM 10/19/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\khfgede.dll
    C:\WINDOWS\system32\naqajhtt.exe
    C:\WINDOWS\System32\ddccd.dll
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\System32\dccdd.ini
    C:\WINDOWS\System32\dccdd.bak2
    C:\WINDOWS\System32\dccdd.ini2

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\khfgede.dll
    C:\WINDOWS\system32\khfgede.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\naqajhtt.exe
    C:\WINDOWS\system32\naqajhtt.exe Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ddccd.dll
    C:\WINDOWS\System32\ddccd.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\System32\dccdd.ini
    C:\WINDOWS\System32\dccdd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\dccdd.bak2
    C:\WINDOWS\System32\dccdd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\dccdd.ini2
    C:\WINDOWS\System32\dccdd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    VundoFix V6.2.6

    Checking Java version...

    Java version is 1.5.0.4

    Scan started at 4:44:24 PM 10/19/2006

    Listing files found while scanning....


    Beginning removal...

    And here is my HijackThis file:


    Logfile of HijackThis v1.99.1
    Scan saved at 4:51:28 PM, on 10/19/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\next06.exe
    C:\WINDOWS\cfg32.exe
    C:\nwnmff_e31.exe
    C:\dfndrff_e32.exe
    C:\kybrdff_e32.exe
    C:\WINDOWS\Duce6.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\AOL\1149892265\ee\aolsoftware.exe
    C:\WINDOWS\cfg32a.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\H\H.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
    O2 - BHO: (no name) - {32CCC04A-F12D-43B4-AC8F-429E0AE125F8} - C:\WINDOWS\System32\ddccd.dll
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
    O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    O4 - HKLM\..\Run: [b56f3f18.exe] C:\WINDOWS\System32\b56f3f18.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
    O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e31.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e32.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e32.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
    O4 - HKCU\..\Run: [b56f3f18.exe] C:\Documents and Settings\electraa\Local Settings\Application Data\b56f3f18.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm078YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\electraa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - Winlogon Notify: drivers32 - C:\WINDOWS\system32\guard.tmp (file missing)
    O20 - Winlogon Notify: explorer - explorer.dll (file missing)
    O20 - Winlogon Notify: iexplorer - iexplorer.dll (file missing)
    O20 - Winlogon Notify: scklchk - scklchk.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i242lcho1f4c.dll (file missing)
    O21 - SSODL: IEFilter - {F6BBD367-19AF-4305-A209-0C53E4B359E5} - C:\WINDOWS\system32\IEFilter.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    10.4K Posts

    October 20th, 2006 01:00

    Electraa
     
    1. Download this file - combofix.exe
    2. Double-click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Next, rerun HijackThis and post a fresh HijackThis log. Your reply should include:
    • your ComboFix log
    • a fresh HijackThis log (after you run ComboFix)
    You may have to post the results in more than one reply.

    bamajim   Graduate of Malware Removal University

    20 Posts

    October 22nd, 2006 20:00

    And here is HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:20:10 PM, on 10/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\next06.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\H\H.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
    O2 - BHO: (no name) - {0D299386-93AC-4D96-A194-4360902BB643} - C:\WINDOWS\System32\ddccd.dll (file missing)
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
    O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    O4 - HKLM\..\Run: [b56f3f18.exe] C:\WINDOWS\System32\b56f3f18.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
    O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
    O4 - HKCU\..\Run: [b56f3f18.exe] C:\Documents and Settings\electraa\Local Settings\Application Data\b56f3f18.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm078YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\electraa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E45389C-CD7F-4F17-96A1-D4C697F32544}: NameServer = 68.237.161.12 71.250.0.12
    O20 - Winlogon Notify: ddccd - C:\WINDOWS\System32\ddccd.dll (file missing)
    O20 - Winlogon Notify: scklchk - scklchk.dll (file missing)
    O21 - SSODL: IEFilter - {F6BBD367-19AF-4305-A209-0C53E4B359E5} - C:\WINDOWS\system32\IEFilter.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
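
An added example, not code from this thread, from HijackThis or from ComboFix: a Python script that applies the kind of checks a malware-removal helper makes by eye when reading a log like the one above. The sample lines are copied from the HijackThis log posted in this thread; the rules, severities and function names are the editor's own assumptions, not an official HijackThis scoring scheme, and R0/R1 start-page lines are deliberately left to human judgement.

```python
"""Heuristic triage of a HijackThis 1.99.1 log.

Added example for this thread, not part of HijackThis or ComboFix; the rules
are the editor's own assumptions. R0/R1 start-page lines are left to a human.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: scklchk - scklchk.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

WINDIR = r"C:\WINDOWS"
# First quoted-or-bare path ending in an executable extension; drops arguments.
_PATH_RE = re.compile(r'^"?([^"]*?\.(?:exe|com|scr|bat|pif|dll|ocx))', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def _image_path(command: str) -> str:
    """Path of the program an autostart command launches ('' if none found)."""
    m = _PATH_RE.match(command.strip())
    return m.group(1) if m else ""


def _parent_dir(path: str) -> str:
    """Parent directory, with doubled backslashes collapsed (C:\\\\x.exe -> C:)."""
    path = re.sub(r"\\+", r"\\", path)
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RFO]\d+) - ", line)
        if not m:
            continue
        sec = m.group(1)
        tail = line.rsplit(" - ", 1)[-1]  # last field: a path or URL
        if sec == "F2" and "Shell=" in line:
            # system.ini Shell= must be exactly Explorer.exe; anything appended
            # is a second program started at every logon.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(Finding("high", sec, "Shell= hijacked", line))
        elif sec in ("O2", "O3"):
            # Legitimate BHOs/toolbars live under System32 or Program Files,
            # not directly in C:\WINDOWS.
            if _parent_dir(tail).lower() == WINDIR.lower():
                findings.append(Finding("medium", sec, "extension DLL in Windows dir root", line))
        elif sec == "O4":
            path = _image_path(line.split("] ", 1)[-1])
            if "?" in path:
                # HijackThis prints characters it cannot render as '?';
                # here that is a look-alike of the Adobe folder name.
                findings.append(Finding("high", sec, "look-alike folder in autostart path", line))
            elif re.fullmatch(r"[A-Za-z]:", _parent_dir(path)):
                findings.append(Finding("high", sec, "autostart executable in drive root", line))
        elif sec == "O15":
            # Trusted Zone sites run ActiveX with far fewer prompts.
            findings.append(Finding("medium", sec, "Trusted Zone addition", line))
        elif sec == "O16":
            url = urlparse(tail)
            if _is_ip_literal(url.hostname or "") or url.path.lower().endswith(".exe"):
                findings.append(Finding("high", sec, "ActiveX download from bare IP or raw .exe", line))
        elif sec == "O20" and "(file missing)" in line:
            # Registration survived the file's removal; the key should go too.
            findings.append(Finding("medium", sec, "orphaned Winlogon Notify entry", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n    {f.line}")
```

Run directly, the script prints the flagged sample lines; point `triage()` at the text of a saved log to apply the same rules to a real capture. An empty result is not a clean machine: R0/R1 entries that all point at one search host, and O23 services with "Unknown owner" and a missing binary, both appear in the log above and still need a human look.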

    20 Posts

    October 22nd, 2006 20:00

    Hey, sorry I didn't reply back for a while. Here is my ComboFix log:
    electraa - 06-10-22 15:08:46.82 Service Pack 1
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\electraa\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{1FB79FDC-8CE2-42BA-B792-AC00FE485F7D}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1FB79FDC-8CE2-42BA-B792-AC00FE485F7D}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1FB79FDC-8CE2-42BA-B792-AC00FE485F7D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1FB79FDC-8CE2-42BA-B792-AC00FE485F7D}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\system32\ckl3d32.dll
    C:\WINDOWS\system32\dc7vb.dll
    C:\WINDOWS\system32\ibsutil.dll
    C:\WINDOWS\system32\o248lchu1f48.dll


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\electraa\Application Data\Dxcdmns.dll
    C:\Documents and Settings\electraa\Application Data\Dxcknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\cfg32a.exe
    C:\WINDOWS\drsmartload2.dat
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\teller2.chk
    C:\dfndrff_e31.exe
    C:\deskbar.exe
    C:\deskbar_e31.exe
    C:\kybrdff_e31.exe
    C:\nwnmff_e31.exe
    C:\Documents and Settings\electraa\Local Settings\Temporary Internet Files\Content.IE5\MJ47CXKZ\dfndrff_e[1].exe
    C:\Documents and Settings\electraa\Local Settings\Temporary Internet Files\Content.IE5\OFKPYBCL\drsmartload44a[1].exe
    C:\Documents and Settings\electraa\Local Settings\Temporary Internet Files\Content.IE5\OX2B0PI3\deskbar_e[1].exe
    C:\Documents and Settings\electraa\Local Settings\Temporary Internet Files\Content.IE5\OFKPYBCL\kybrdff_e[1].exe
    C:\WINDOWS\offun.exe
    C:\WINDOWS\whCC-GIANT.exe
    C:\WINDOWS\system32\WinNB58.dll
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Deskbar

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\electraa\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\electraa\My Documents\DOBE~1\w?nspool.exe
    C:\QooBox\Purity\Program Files\Common Files\DOBE~1
    C:\QooBox\Purity\Program Files\Common Files\DOBE~1\?ymbols


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-22 to 2006-10-22 ))))))))))))))))))))))))))))))))))


    2006-10-19 17:01 510,154 --ahs---- C:\WINDOWS\system32\dccdd.bak1
    2006-10-19 16:19 67,604 --a------ C:\WINDOWS\system32\lyqhmgak.exe
    2006-10-18 22:08 32,768 --a------ C:\WINDOWS\qkihqgns.exe
    2006-10-17 18:09 376,832 --a------ C:\dfndrff_e32.exe
    2006-10-17 18:09 24,576 --a------ C:\mc44a2.exe
    2006-10-17 18:08 364,544 --a------ C:\kybrdff_e32.exe
    2006-10-17 18:07 163,840 --a------ C:\WINDOWS\sys015728335611.exe
    2006-10-17 08:52 50,912 --a------ C:\WINDOWS\iconu.exe
    2006-10-17 08:37 131,072 --a------ C:\WINDOWS\system32\rkupginstaller.exe
    2006-10-17 08:37 1,429,504 --a------ C:\WINDOWS\system32\rlvknlg.exe
    2006-10-16 21:53 42,736 --a------ C:\WINDOWS\icont.exe
    2006-10-16 20:54 25 --a------ C:\WINDOWS\ms0483356115722006.exe
    2006-10-16 20:02 32,768 --a------ C:\WINDOWS\qfjohcar.exe
    2006-10-16 19:30 110,592 --a------ C:\WINDOWS\cfg32o.dll
    2006-10-16 19:30 102,400 --a------ C:\WINDOWS\cfg32r.dll
    2006-10-16 19:29 45,056 --a------ C:\WINDOWS\cfg32s.dll
    2006-10-16 19:29 397,312 --a------ C:\WINDOWS\cfg32p.dll
    2006-10-16 19:28 2 --a------ C:\WINDOWS\system32\wcpsvit.exe
    2006-10-16 19:27 183,478 --a------ C:\WINDOWS\srvmbfmvyb.exe
    2006-10-16 19:27 126,976 --a------ C:\WINDOWS\system32\rouqr.dll
    2006-10-16 19:26 45,056 --a------ C:\WINDOWS\next06.exe
    2006-10-16 19:26 32,768 --a------ C:\WINDOWS\unstall.exe
    2006-10-16 19:26 217,276 --a------ C:\WINDOWS\srvolvwbml.exe
    2006-10-16 19:25 40,960 --a------ C:\WINDOWS\webhdll.dll
    2006-10-16 19:25 32,768 --a------ C:\WINDOWS\whInstaller.exe
    2006-10-16 19:25 32,768 --a------ C:\WINDOWS\DXCecho.exe
    2006-10-16 19:25 221,533 --a------ C:\WINDOWS\1011_emi03.exe
    2006-10-16 19:25 147,456 --a------ C:\WINDOWS\aff_0006.exe
    2006-10-11 13:51 115,131 --a------ C:\WINDOWS\system32\Eim03.exe
    2006-10-11 12:39 96,932 --a------ C:\WINDOWS\system32\ts_www2.exe
    2006-10-10 20:39 78,848 --a------ C:\WINDOWS\system32\nsg1DA.dll
    2006-10-06 18:11 65,536 --a------ C:\WINDOWS\system32\Winwcd.dll
    2006-09-30 14:52 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
    2006-09-30 14:49 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-22 15:11 -------- d-a------ C:\Program Files\Common Files
    2006-10-22 13:30 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-19 16:19 -------- d-------- C:\Program Files\VSToolbar
    2006-10-18 21:27 -------- d-------- C:\Program Files\SpywareRemover
    2006-10-18 21:27 -------- d-------- C:\Program Files\ErrorGuard
    2006-10-18 21:12 -------- d-------- C:\Program Files\LimeWire
    2006-10-17 20:17 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-17 19:48 -------- d-------- C:\Program Files\Outlook Express
    2006-10-17 19:48 -------- d-------- C:\Program Files\Common Files\System
    2006-10-17 19:34 -------- d-------- C:\Program Files\Messenger
    2006-10-17 16:31 -------- d-------- C:\Program Files\AOL
    2006-10-17 16:31 -------- d-------- C:\Program Files\AOD
    2006-10-17 16:18 -------- d-------- C:\Documents and Settings\electraa\Application Data\SearchToolbarCorp
    2006-10-17 16:03 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-10-16 22:16 -------- d--h----- C:\Program Files\BHO Plugin
    2006-10-13 21:35 -------- d-------- C:\Program Files\DogProxy2
    2006-10-13 21:26 -------- d-------- C:\Program Files\Common Files\Companion Wizard
    2006-09-30 14:50 -------- d-------- C:\Program Files\Setup
    2006-09-24 11:04 -------- d-------- C:\Documents and Settings\electraa\Application Data\SpamBlockerUtility_Icons
    2006-09-24 11:02 -------- d-------- C:\Documents and Settings\electraa\Application Data\SpamBlocker
    2006-09-24 10:29 -------- d---s---- C:\Documents and Settings\electraa\Application Data\Microsoft
    2006-09-23 11:29 94208 --a------ C:\WINDOWS\system32\stp.dll
    2006-09-16 18:47 -------- d-------- C:\Program Files\Jasc Software Inc
    2006-09-16 14:32 0 --a------ C:\WINDOWS\system32\Service.exe
    2006-09-16 11:07 1038 --a------ C:\WINDOWS\system32\vcdqaaaa.exe
    2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
    2006-09-13 01:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-10 10:08 -------- d-------- C:\Documents and Settings\electraa\Application Data\Mozilla
    2006-09-06 20:13 -------- d-------- C:\Program Files\MSN Messenger
    2006-09-06 19:19 -------- d-------- C:\Documents and Settings\electraa\Application Data\FunWebProducts
    2006-08-27 08:14 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-08-25 11:53 561664 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-25 05:14 595968 --a------ C:\WINDOWS\system32\xpsp2res.dll
    2006-08-16 08:14 95232 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-08-16 08:14 70656 --a------ C:\WINDOWS\system32\ws2_32.dll
    2006-08-16 08:14 54272 --a------ C:\WINDOWS\system32\ipv6mon.dll
    2006-08-16 08:14 31232 --a------ C:\WINDOWS\system32\inetmib1.dll
    2006-08-16 08:14 13312 --a------ C:\WINDOWS\system32\wship6.dll
    2006-08-16 05:42 159232 --a------ C:\WINDOWS\system32\xpob2res.dll
    2006-08-16 05:28 48640 --a------ C:\WINDOWS\system32\ipv6.exe
    2006-08-16 05:27 83456 --a------ C:\WINDOWS\system32\netsh.exe
    2006-08-07 11:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll
    2006-07-30 17:07 745 --a------ C:\WINDOWS\regof1.dll
    2006-07-30 16:48 0 --a------ C:\WINDOWS\regof2.dll
    2006-07-30 16:46 917 --a------ C:\WINDOWS\system32\rmnl.dll
    2006-07-30 15:40 88280 --a------ C:\Documents and Settings\electraa\Application Data\winantiviruspro2006freeinstall[1].exe

    20 Posts

    October 22nd, 2006 20:00

    (It was too long, so I'm posting the other half of the ComboFix log.)



    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
    "Zinio DLM"="C:\\Program Files\\Zinio\\ZinioDeliveryManager.exe /autostart"
    "b56f3f18.exe"="C:\\Documents and Settings\\electraa\\Local Settings\\Application Data\\b56f3f18.exe"
    "Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
    "Fdmlrmfc"="C:\\Documents and Settings\\electraa\\My Documents\\?dobe\\w?nspool.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr_.exe"
    "b56f3f18.exe"="C:\\WINDOWS\\System32\\b56f3f18.exe"
    "nod32kui"="C:\\Program Files\\Eset\\nod32kui.exe /WAITSERVICE"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1149892265\\ee\\AOLSoftware.exe"
    "IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "ClientGW"=""
    "eSnips"="\"C:\\Program Files\\eSnips\\ClientGW.exe\""
    "mmnext06"="C:\\WINDOWS\\next06.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"=""

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
    "DirectX For Microsoft® Windows"="C:\\WINDOWS\\system32\\fservice.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "IEFilter"="{F6BBD367-19AF-4305-A209-0C53E4B359E5}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.exe.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.exe.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
    "item"="Adobe Gamma Loader.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp psc 2000 Series.lnk"
    "backup"="C:\\WINDOWS\\pss\\hp psc 2000 Series.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpobnz08.exe "
    "item"="hp psc 2000 Series"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
    "item"="Microsoft Works Calendar Reminders"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\officejet 6100.lnk"
    "backup"="C:\\WINDOWS\\pss\\officejet 6100.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hposol08.exe "
    "item"="officejet 6100"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iisvers]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iisvers"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\iisvers.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="IndexSearch"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WkUFind"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ossproxy"
    "hkey"="HKLM"
    "command"="c:\\windows\\system32\\ossproxy.exe -boot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="pptd40nt"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PedalToTheMetalSetup.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PEDALT~1"
    "hkey"="HKCU"
    "command"="C:\\MYDOWN~1\\PEDALT~1.EXE /r"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DrgToDsc"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hpgs2wnd"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wsrv32]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="wsrv32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\wsrv32.exe"
    "inimapping"="0"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\scklchk

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1089410931.job

    Completion time: 06-10-22 16:26:18.31
    C:\ComboFix.txt ... 06-10-22 16:26

    10.4K Posts

    October 24th, 2006 00:00

    Electraa

    Sorry for the delay, that was a lot to look through

    You may want to print out these instructions for reference

    We need to make sure we can see hidden files and folders
    • Click Start.
      Click My Computer.
      Select the Tools menu and click Folder Options.
      Select the View Tab.
      Under the Hidden files and folders heading select Show hidden files and folders.
      Uncheck the Hide protected operating system files (recommended) option.
      Click Yes to confirm.
      Uncheck the Hide file extensions for known file types.
      Click OK.
    First Open Notepad (Not Wordpad)
    Copy and paste the following into notepad
    (Making sure there is no space between the top of the window and the first line)

    • REGEDIT4

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
      "b56f3f18.exe"=-
      "Fdmlrmfc"=-

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
      "b56f3f18.exe"=-
      "mmnext06"=-

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=-

      [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
      "IEFilter"=-

      [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iisvers]

      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSS]

      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wsrv32]

      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd]

      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\scklchk]



    After you copy and paste it your cursor should be at the end of the last line
    Hit Enter so your cursor is under the last line
    • Click File->> Save as->>type in fix.reg->>
      Under " Save as type" Select " All Files"->> save it to your Desktop

    The fix.reg file should now appear on your Desktop

    Rt Click and Select merge (it will prompt "do you want to merge", Select Yes.)

    Next Re Run Hijackthis and place checks beside the following entries
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
      R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
      F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
      O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
      O2 - BHO: (no name) - {0D299386-93AC-4D96-A194-4360902BB643} - C:\WINDOWS\System32\ddccd.dll (file missing)
      O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
      O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
      O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
      O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
      O4 - HKLM\..\Run: [b56f3f18.exe] C:\WINDOWS\System32\b56f3f18.exe
      O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
      O4 - HKCU\..\Run: [b56f3f18.exe] C:\Documents and Settings\electraa\Local Settings\Application Data\b56f3f18.exe
      O4 - HKCU\..\Run: [Fdmlrmfc] C:\Documents and Settings\electraa\My Documents\?dobe\w?nspool.exe
      O15 - Trusted Zone: http://click.getmirar.com (HKLM)
      O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
      O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
      O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
      O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
      O16 - DPF: {78996C9C-F96B-5C77-6664-72C706B46112} - http://85.255.115.229/1/gdnUS1402.exe
      O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
      O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
      O20 - Winlogon Notify: ddccd - C:\WINDOWS\System32\ddccd.dll (file missing)
      O20 - Winlogon Notify: scklchk - scklchk.dll (file missing)
      O21 - SSODL: IEFilter - {F6BBD367-19AF-4305-A209-0C53E4B359E5} - C:\WINDOWS\system32\IEFilter.dll (file missing)
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    Close all other open windows except Hijackthis and Select " Fix checked"

    Next Using Windows Explorer
    • (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
    Locate and delete the following folders
    • C:\Program Files\VSToolbar
      C:\Program Files\ErrorGuard
      C:\Program Files\LimeWire
      C:\Program Files\BHO Plugin
      C:\Documents and Settings\electraa\Application Data\FunWebProducts
    Locate and delete the following files
    • C:\WINDOWS\system32\dccdd.bak1
      C:\WINDOWS\system32\lyqhmgak.exe
      C:\WINDOWS\qkihqgns.exe
      C:\dfndrff_e32.exe
      C:\mc44a2.exe
      C:\kybrdff_e32.exe
      C:\WINDOWS\sys015728335611.exe
      C:\WINDOWS\iconu.exe
      C:\WINDOWS\system32\rkupginstaller.exe
      C:\WINDOWS\system32\rlvknlg.exe
      C:\WINDOWS\icont.exe
      C:\WINDOWS\ms0483356115722006.exe
      C:\WINDOWS\qfjohcar.exe
      C:\WINDOWS\cfg32o.dll
      C:\WINDOWS\cfg32r.dll
      C:\WINDOWS\cfg32s.dll
      C:\WINDOWS\cfg32p.dll
      C:\WINDOWS\system32\wcpsvit.exe
      C:\WINDOWS\srvmbfmvyb.exe
      C:\WINDOWS\system32\rouqr.dll
      C:\WINDOWS\next06.exe
      C:\WINDOWS\unstall.exe
      C:\WINDOWS\srvolvwbml.exe
      C:\WINDOWS\webhdll.dll
      C:\WINDOWS\whInstaller.exe
      C:\WINDOWS\DXCecho.exe
      C:\WINDOWS\1011_emi03.exe
      C:\WINDOWS\aff_0006.exe
      C:\WINDOWS\system32\Eim03.exe
      C:\WINDOWS\system32\ts_www2.exe
      C:\WINDOWS\system32\nsg1DA.dll
      C:\WINDOWS\system32\Winwcd.dll
      C:\WINDOWS\NDNuninstall7_22.exe
      C:\WINDOWS\NDNuninstall6_38.exe
      C:\WINDOWS\system32\Service.exe
      C:\WINDOWS\system32\vcdqaaaa.exe
      C:\WINDOWS\uni_e6h.exe
      C:\WINDOWS\system32\BattyRun2.dll
      C:\WINDOWS\regof1.dll
      C:\WINDOWS\regof2.dll
      C:\WINDOWS\system32\rmnl.dll
      C:\Documents and Settings\electraa\Application Data\winantiviruspro2006freeinstall[1].exe
      C:\Documents and Settings\electraa\Local Settings\\Application Data\b56f3f18.exe
      C:\WINDOWS\System32\b56f3f18.exe
      C:\WINDOWS\next06.exe
      C:\WINDOWS\system32\fservice.exe
      C:\WINDOWS\iisvers.exe
      c:\windows\system32\ossproxy.exe
      C:\WINDOWS\wsrv32.exe

    Close Windows explorer->> Reboot your PC->>Rerun Hijackthis and post a fresh Hijackthis log
     
    bamajim   Graduate of Malware Removal University

     



    Message Edited by bamajim on 10-24-2006 03:17 PM
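The fix.reg above relies on two pieces of REGEDIT4 syntax: a value line of the form `"name"=-` removes that single value, and a section header of the form `[-KEY]` removes the key together with every subkey under it (which is why deleting `policies\explorer` also takes `policies\explorer\Run` and the fservice.exe entry with it). The following Python script is an added example, not code from the post or from HijackThis; it parses a trimmed copy of that fix.reg into explicit operations and applies them to an in-memory snapshot constructed from entries visible in the thread, so the effect of each line can be checked before anything is merged into a real registry. The snapshot contents and the `dry_run` helper are assumptions for illustration; the parser handles only the string-value and delete syntax shown in the post, not hex or multi-line data.

```python
"""Parse a REGEDIT4 fix file into explicit operations and preview their effect.

Added example (not the forum post's code). Key comparisons are case-insensitive,
as in the real registry. Only the syntax used in the post is supported:
  "name"=-        delete one value
  [-KEY]          delete a key and all of its subkeys
  "name"="data"   set a string value
"""
import re
from typing import Dict, List, Tuple

Op = Tuple[str, ...]                 # ("delete_key", key, None) | ("delete_value", key, name) | ("set_value", key, name, data)
Registry = Dict[str, Dict[str, str]]  # key path -> {value name: data}

# Constructed sample: a trimmed copy of the fix.reg posted in the thread.
FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"b56f3f18.exe"=-
"Fdmlrmfc"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"IEFilter"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd]
"""

# Constructed snapshot built from entries visible in the ComboFix output above;
# it is not a dump of any real machine.
SNAPSHOT: Registry = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "b56f3f18.exe": r"C:\Documents and Settings\electraa\Local Settings\Application Data\b56f3f18.exe",
        "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer": {},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run": {
        "DirectX For Microsoft® Windows": r"C:\WINDOWS\system32\fservice.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad": {
        "PostBootReminder": "{7849596a-48ea-486e-8937-a2a3009f31a9}",
        "IEFilter": "{F6BBD367-19AF-4305-A209-0C53E4B359E5}",
    },
}


def parse_reg(text: str) -> List[Op]:
    """Turn REGEDIT4 text into a list of operations, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file (the header must be the first line)")
    ops: List[Op] = []
    current = None  # key that following value lines belong to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(-?)(.+)\]", line)
        if header:
            if header.group(1) == "-":          # [-KEY]: delete key and subkeys
                ops.append(("delete_key", header.group(2), None))
                current = None                  # values after a [-KEY] line are meaningless
            else:
                current = header.group(2)
            continue
        value = re.fullmatch(r'"([^"]*)"=(.*)', line)
        if not value or current is None:
            raise ValueError(f"unrecognised or misplaced line: {raw!r}")
        name, data = value.group(1), value.group(2)
        if data == "-":                         # "name"=-: delete one value
            ops.append(("delete_value", current, name))
        else:                                   # "name"="data": set a string value
            ops.append(("set_value", current, name, data.strip('"')))
    return ops


def _matching_keys(reg: Registry, key: str, with_subkeys: bool) -> List[str]:
    want = key.lower()
    return [k for k in reg if k.lower() == want or (with_subkeys and k.lower().startswith(want + "\\"))]


def apply_ops(reg: Registry, ops: List[Op]) -> Registry:
    """Return a copy of the snapshot with the operations applied."""
    out = {k: dict(v) for k, v in reg.items()}
    for op in ops:
        kind, key, name = op[0], op[1], op[2]
        if kind == "delete_key":
            for k in _matching_keys(out, key, with_subkeys=True):
                del out[k]
        elif kind == "delete_value":
            for k in _matching_keys(out, key, with_subkeys=False):
                for vname in [v for v in out[k] if v.lower() == name.lower()]:
                    del out[k][vname]
        else:
            hits = _matching_keys(out, key, with_subkeys=False)
            out.setdefault(hits[0] if hits else key, {})[name] = op[3]
    return out


def dry_run(reg: Registry, ops: List[Op]) -> List[str]:
    """One line per operation saying whether it would change the snapshot."""
    report = []
    for op in ops:
        kind, key, name = op[0], op[1], op[2]
        if kind == "delete_key":
            n = len(_matching_keys(reg, key, with_subkeys=True))
            report.append(f"delete key {key}: {n} key(s) affected")
        elif kind == "delete_value":
            present = any(name.lower() in (v.lower() for v in reg[k])
                          for k in _matching_keys(reg, key, with_subkeys=False))
            report.append(f"delete value {name} under {key}: {'present' if present else 'not present (no-op)'}")
        else:
            report.append(f"set value {name} under {key} = {op[3]}")
    return report


if __name__ == "__main__":
    for line in dry_run(SNAPSHOT, parse_reg(FIX_REG)):
        print(line)
```

Running the script prints one line per fix.reg entry showing whether it would hit anything in the snapshot; in particular the `[-...policies\explorer]` line reports two keys affected (the key and its `Run` subkey), while entries that no longer exist, such as `Fdmlrmfc`, are reported as no-ops rather than errors, which is also how regedit treats them.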

    20 Posts

    October 28th, 2006 18:00

    Cool, I think we did it! I no longer see the toolbars in Internet Explorer! And I don't think there are any pop-ups! (I'm not getting any, at least :)) Thanks so much! I couldn't have done it without your help! If there is anything else I should do, I would be happy to know it.

    Thank you again!
    Electra

    Message Edited by Electraa on 10-28-2006 02:44 PM

    20 Posts

    October 28th, 2006 18:00

    Ok, I tried to delete all the files and folders I could. Some I couldn't find, but the ones I did find, I deleted. :) Here is my fresh log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:30:28 PM, on 10/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\H\H.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149892265\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm078YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\electraa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    No Events found!
