Please Help me out get rid of Spyware.Look2me [CLOSED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Please Help me out get rid of Spyware.Look2me [CLOSED]

Options

dendorllc View Member Profile	Sep 12 2006, 01:06 PM Post #1
New Member Posts: 4 OS: windows XP	Here is my HijackThis.log please help me out. Logfile of HijackThis v1.99.1 Scan saved at 1:59:55 PM, on 9/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5450.0004) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\QCONSVC.EXE C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\TpKmpSVC.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\TpShocks.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\Duce6.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Spyware Doctor\swdoctor.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\eFax Messenger 4.1\J2GTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\ntvdm.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\ms0602790-16664.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\admin_2\Desktop\system tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mton.ru R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID} R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jqvog.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umcsqgi.exe O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\admin_2\LOCALS~1\Temp\20051227140_mcappins.exe /v=3 /cleanup O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [Mton Ringtone Finder] "C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe" /autorun O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize O4 - HKLM\..\Run: [ms0602790-16664] C:\WINDOWS\ms0602790-16664.exe O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKLM\..\Run: [lkk33061] RUNDLL32.EXE w1e83e56.dll,n 0043305d000000031e83e56 O4 - HKLM\..\Run: [newname] C:\\nwnmff_17.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe" O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinspex.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: ACS.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ? O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: D-Link REG Utility.lnk = ? O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing) O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file) O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing) O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing) O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Trevuren View Member Profile	Sep 12 2006, 03:59 PM Post #2
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Hi dendorlic and welcome to the Geeks to Go Forums. My name is Trevuren and I will be helping you with your log. Please download Qoofix by Rubber Ducky to your desktop. Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive Close all windows and programs, including internet windows. Go to C:\Qoofix and open the folder, then double click on Qoofix.exe Click Begin Removal and wait for the scan to finish If Qoofix finds an infection, select yes to restart your computer You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here along with a fresh HJT log. Regards, Trevuren

dendorllc View Member Profile	Sep 12 2006, 06:05 PM Post #3
New Member Posts: 4 OS: windows XP	Thank You, for your quick response. Here is both log files. 1. Qoofix Logfile Qoofix v1.03 by http://www.malwarebytes.org Scan started on [9/12/2006] at [6:52:04 PM] ------------------------------------------------------------- Terminated module: aoekxjt.dll found in Qoofix.exe (3776) Terminated module: aoekxjt.dll found in wscntfy.exe (1860) Terminated module: aoekxjt.dll found in explorer.exe (668) Terminated module: aoekxjt.dll found in jqvog.exe (212) Terminated module: aoekxjt.dll found in jqvog.exe (1264) Terminated module: aoekxjt.dll found in thekgb.exe (1940) Terminated module: aoekxjt.dll found in jqvog.exe (1108) Terminated module: aoekxjt.dll found in ctfmon.exe (2252) Terminated module: aoekxjt.dll found in SynTPLpr.exe (2452) Terminated module: aoekxjt.dll found in SynTPEnh.exe (2476) Terminated module: aoekxjt.dll found in TpShocks.exe (2636) Terminated module: aoekxjt.dll found in TPHKMGR.exe (2692) Terminated module: aoekxjt.dll found in EzEjMnAp.Exe (2724) Terminated module: aoekxjt.dll found in TPONSCR.exe (2808) Terminated module: aoekxjt.dll found in TpScrex.exe (2828) Terminated module: aoekxjt.dll found in ibmmessages.exe (2912) Terminated module: aoekxjt.dll found in ibmprc.exe (2952) Terminated module: aoekxjt.dll found in QCWLICON.EXE (3012) Terminated module: aoekxjt.dll found in rundll32.exe (3036) Terminated module: aoekxjt.dll found in rundll32.exe (3064) Terminated module: aoekxjt.dll found in GoogleDesktop.exe (3156) Terminated module: aoekxjt.dll found in realsched.exe (3164) Terminated module: aoekxjt.dll found in pptd40nt.exe (3232) Terminated module: aoekxjt.dll found in GoogleDesktopIndex.exe (3336) Terminated module: aoekxjt.dll found in J2GDllCmd.exe (3436) Terminated module: aoekxjt.dll found in MtonRingtoneFinder.exe (3468) Terminated module: aoekxjt.dll found in iTunesHelper.exe (3552) Terminated module: aoekxjt.dll found in qttask.exe (3580) Terminated module: aoekxjt.dll found in Duce6.exe (3660) Terminated module: aoekxjt.dll found in msmsgs.exe (3724) Terminated module: aoekxjt.dll found in GoogleDesktopCrawl.exe (3832) Terminated module: aoekxjt.dll found in WCESCOMM.EXE (456) Terminated module: aoekxjt.dll found in swdoctor.exe (796) Terminated module: aoekxjt.dll found in AcroTray.exe (480) Terminated module: aoekxjt.dll found in AIRPLUS.exe (684) Terminated module: aoekxjt.dll found in DLG.exe (2092) Terminated module: aoekxjt.dll found in J2GTray.exe (2192) Terminated module: aoekxjt.dll found in WZQKPICK.EXE (560) Terminated module: aoekxjt.dll found in Ymsgr_tray.exe (1840) Terminated module: aoekxjt.dll found in GoogleDesktopMail.exe (2776) Terminated module: aoekxjt.dll found in ms0602790-16664.exe (1188) ------------------------------------------------------------- C:\WINDOWS\system32\aoekxjt.dll will be deleted on reboot! C:\WINDOWS\system32\jqvog.exe will be deleted on reboot! C:\WINDOWS\system32\thekgb.exe will be deleted on reboot! C:\WINDOWS\system32\umcsqgi.exe will be deleted on reboot! C:\WINDOWS\system32\yftns.dat will be deleted on reboot! C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lpqlm.exe will be deleted on reboot! User prompted YES to reboot, system now rebooting... ------------------------------------------------------------- Scan COMPLETED SUCCESSFULLY on [9/12/2006] at [6:53:41 PM] Note: Some registry keys may have been removed. 2.HijackThis log file Logfile of HijackThis v1.99.1 Scan saved at 7:02:55 PM, on 9/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5450.0004) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\QCONSVC.EXE C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\TpKmpSVC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\TpShocks.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\ICQLite\ICQLite.exe C:\WINDOWS\ms0602790-16664.exe C:\WINDOWS\Duce6.exe C:\nwnmff_17.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Spyware Doctor\swdoctor.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\eFax Messenger 4.1\J2GTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\admin_2\Desktop\system tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mton.ru R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID} R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\admin_2\LOCALS~1\Temp\20051227140_mcappins.exe /v=3 /cleanup O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [Mton Ringtone Finder] "C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe" /autorun O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize O4 - HKLM\..\Run: [ms0602790-16664] C:\WINDOWS\ms0602790-16664.exe O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKLM\..\Run: [lkk33061] RUNDLL32.EXE w1e83e56.dll,n 0043305d000000031e83e56 O4 - HKLM\..\Run: [newname] C:\\nwnmff_17.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe" O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinspex.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: ACS.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ? O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: D-Link REG Utility.lnk = ? O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file) O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing) O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing) O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Trevuren View Member Profile	Sep 12 2006, 08:18 PM Post #4
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	1. Download Ewido anti-spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete, run Ewido and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close Ewido anti-spyware, Do Not run a scan just yet 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! 4. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. 5. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess: Lauch ewido-anti-spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". ewido will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important) Close Ewido and reboot your system back into Normal Mode. 6. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let it do it�s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log. Regards, Trevuren

dendorllc View Member Profile	Sep 13 2006, 02:28 AM Post #5
New Member Posts: 4 OS: windows XP	Here is the results: 1. Ewido log file --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 3:17:23 AM, 9/13/2006 + Report-Checksum: FE477256 + Scan result: :mozilla.19:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup :mozilla.35:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup :mozilla.42:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup :mozilla.43:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup :mozilla.46:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Gamingpromo : Cleaned with backup :mozilla.47:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Gamingpromo : Cleaned with backup :mozilla.48:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Gamingpromo : Cleaned with backup :mozilla.61:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup :mozilla.62:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup :mozilla.67:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup :mozilla.68:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup :mozilla.71:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup :mozilla.72:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup :mozilla.76:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup :mozilla.77:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup :mozilla.95:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup :mozilla.96:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup :mozilla.97:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup :mozilla.98:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup :mozilla.99:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup :mozilla.102:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.103:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.104:C:\Documents and Settings\admin_2\Application Data\Mozilla\Firefox\Profiles\y5th6h23.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@spylog[1].txt -> TrackingCookie.Spylog : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup C:\Documents and Settings\admin_2\Cookies\admin_2@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup C:\nwnmff_17.exe -> Downloader.Adload.fg : Cleaned with backup ::Report End 2. Hijackthis log file Logfile of HijackThis v1.99.1 Scan saved at 3:26:44 AM, on 9/13/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5450.0004) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\QCONSVC.EXE C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\TpKmpSVC.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\TpShocks.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\WINDOWS\system32\ctfmon.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\ICQLite\ICQLite.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Spyware Doctor\swdoctor.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\eFax Messenger 4.1\J2GTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\explorer.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe C:\Documents and Settings\admin_2\Desktop\system tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mton.ru R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID} R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1 \pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1 \BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\admin_2\LOCALS~1\Temp\20051227140_mcappins.exe /v=3 /cleanup O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [Mton Ringtone Finder] "C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe" /autorun O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize O4 - HKLM\..\Run: [ms0602790-16664] C:\WINDOWS\ms0602790-16664.exe O4 - HKLM\..\Run: [lkk33061] RUNDLL32.EXE w1e83e56.dll,n 0043305d000000031e83e56 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" - quiet O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0 \Distillr\AcroTray.exe O4 - Global Startup: ACS.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0 \Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ? O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: D-Link REG Utility.lnk = ? O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2 \OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1 \SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307- 00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file) O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32 \acs.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32 \ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing) O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32 \TpKmpSVC.exe

Trevuren View Member Profile	Sep 13 2006, 10:48 AM Post #6
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Your Notepad settings are currently causing you to post logs/reports in double space format which makes it very difficult for us to easily analyze your posts. I need you to post your log in single space format instead of double space as it currently is. To remove the double spacing in your log, please do the following: Please go to Start >> Run... and type notepad.exe Hit OK. Now go to Format and uncheck WordWrap. Close Notepad. A. Please provide a list of uninstallable programs. To Provide a List of Installed Programs Run HijackThis. Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List Save list to Desktop Copy the Notepad list and Paste it into this thread. B. Please post a fresh HJT log Regards, Trevuren

dendorllc View Member Profile	Sep 14 2006, 10:46 AM Post #7
New Member Posts: 4 OS: windows XP	Here it is: Uninstall List: ********************************************************** Access IBM Access IBM Message Center Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Download Manager 2.0 (Remove Only) Adobe Reader 7.0.8 AgentMetrics ATI - Software Uninstall Utility ATI Control Panel ATI Display Driver ATI HYDRAVISION bet365poker BlackBerry Desktop Software 4.1 BlackBerry Desktop Software 4.1 Brother MFL-Pro Suite Canon Camera Support Core Library Canon Camera Window DS for ZoomBrowser EX Canon Camera Window DVC for ZoomBrowser EX Canon Camera Window for ZoomBrowser EX Canon MovieEdit Task for ZoomBrowser EX Canon PhotoRecord Canon RAW Image Task for ZoomBrowser EX Canon RemoteCapture Task for ZoomBrowser EX Canon Utilities PhotoStitch 3.1 Canon ZoomBrowser EX CleanUp! Comcast High-Speed Internet Install Wizard Crazy Browser version 1.05 Crazy Poker DD Poker 2 DivX DivX Converter DivX Player DivX Web Player DJ Java Decompiler v.3.9.9.91 D-Link AirPlus G Wireless LAN Adapter D-Link AirPlus Xtreme G Adapter eFax Messenger 4.1 ewido security suite FSBOTrac Full Tilt Poker Google Desktop Google Toolbar for Internet Explorer HijackThis 1.99.1 Hold'em Odds Calculator for PartyPoker and EmpirePoker 3.6 Full Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) hp LaserJet 1000 IBM 32-bit Runtime Environment for Java 2, v1.4.1 IBM Access Connections IBM Active Protection System IBM Integrated 56K Modem IBM Rescue and Recovery with Rapid Restore IBM Themes IBM ThinkPad Battery MaxiMiser and Power Management Features IBM ThinkPad Configuration IBM ThinkPad EasyEject Utility IBM ThinkPad Keyboard Customizer Utility IBM ThinkPad Power Management Driver IBM ThinkPad Presentation Director IBM ThinkPad UltraNav Driver IBM ThinkPad UltraNav Wizard IBM ThinkVantage Technologies Welcome Message IBM TrackPoint Accessibility Features IBM Update Connector ICQ 5.1 Inno Setup version 5.1.4 Intel® PRO Network Adapters and Drivers InterActual Player InterVideo WinDVD iPod Agent 1.1.2.0 iPod for Windows 2005-03-23 iPod for Windows 2006-01-10 iPod for Windows 2006-03-23 IrfanView (remove only) iTunes J2SE Runtime Environment 5.0 Update 1 J2SE Runtime Environment 5.0 Update 5 Java 2 Platform, Enterprise Edition 1.4 SDK Kaspersky Online Scanner KODAK EASYSHARE Gallery Upload ActiveX Control Macromedia Flash Player 8 Microsoft .NET Framework 1.1 Microsoft ActiveSync 3.7 Microsoft Office Professional Edition 2003 Mobile Media for PC Motorola Handset USB Driver Mozilla Firefox (1.5.0.6) MSN Music Assistant Mton Ringtone Finder MySQL-Front 3.2 PaperPort PartyPoker PC-Doctor for Windows Poker Indicator 1.4.2 Poker Tracker Version 2.09.03 PokerStars QuickTime RealPlayer ReGet Deluxe 4.1a Registry Mechanic 5.0 Routis Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901190) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) SmartFTP Client 2.0 SmartFTP Client 2.0 Setup Files (remove only) Sol-3 Demotrader Spyware Doctor 3.2 Stamps.com TextPad 4.7 Think-Adz Search Assistant removal ThinkPad FullScreen Magnifier ThinkPad Software Installer TightVNC 1.2.9 TVUPlayer 1.5.12 UltimateBet Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB910437) Update for Windows XP (KB916595) Venta Fax & Voice 5.5 (remove/restore) Wallpapers Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Beta 3 Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 WinRAR archiver WinZip Yahoo! Messenger Yahoo! Toolbar ************************************************************************ HijackThis Log File Logfile of HijackThis v1.99.1 Scan saved at 11:45:45 AM, on 9/14/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5450.0004) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\QCONSVC.EXE C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\TpKmpSVC.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\TpShocks.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\ICQLite\ICQLite.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Spyware Doctor\swdoctor.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\eFax Messenger 4.1\J2GTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\TextPad 4\TextPad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\admin_2\Desktop\system tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mton.ru R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID} R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\admin_2\LOCALS~1\Temp\20051227140_mcappins.exe /v=3 /cleanup O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [Mton Ringtone Finder] "C:\Program Files\Mton Ringtone Finder\MtonRingtoneFinder.exe" /autorun O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize O4 - HKLM\..\Run: [ms0602790-16664] C:\WINDOWS\ms0602790-16664.exe O4 - HKLM\..\Run: [lkk33061] RUNDLL32.EXE w1e83e56.dll,n 0043305d000000031e83e56 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: ACS.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ? O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: D-Link REG Utility.lnk = ? O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file) O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing) O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Trevuren View Member Profile	Sep 14 2006, 11:36 AM Post #8
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	In the next series of procedures I will be strongly recommending that you UNINSTALL certain rogue programs. These programs either contain malware themselves or come bundled with malware. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. First we need to make all files and folders VISIBLE: Go to start>control panel>folder options>view (tab) Choose to "show hidden files and folders," Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes. Close the window with ok Please RUN HijackThis. . Click the SCAN button to produce a log. Place a check mark beside each one of the following items: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mton.ru R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O4 - HKLM\..\Run: [ms0602790-16664] C:\WINDOWS\ms0602790-16664.exe O4 - HKLM\..\Run: [lkk33061] RUNDLL32.EXE w1e83e56.dll,n 0043305d000000031e83e56 O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file) Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window. Reboot Your System in Safe Mode How to use the F8 method to Start Your Computer in Safe Mode Restart the computer. As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears. Use the arrow keys to select the Safe mode menu item Press Enter. Using the Add/Remove Programs module in your Control Panel, please UNINSTALL the following program(s): Full Tilt Poker Party Poker Poker Stars Utimate Bet Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present): C:\WINDOWS\ms0602790-16664.exe<==File C:\Windows\System32\w1e83e56.dll<==File C:\WINDOWS\system32\dwdsregt.exe<==File C:\Program Files\UltimateBet<==Folder and all its content C:\Program Files\PartyGaming<==Folder and all its content C:\Program Files\Poker Stars<==Folder and all its content C:\Program Files\Full Tilt Poker<==Folder and all its content Exit Explorer, and REBOOT BACK INTO NORMAL MODE Finally, RUN Hijackthis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. Regards, Trevuren

Trevuren View Member Profile	Sep 26 2006, 10:32 PM Post #9
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal please help me to get rid of winfixer and other pop-ups	11 / 772	16th December 2005 - 10:43 PM microbe started - last by loophole
Virus, Spyware and Trojan Removal Could you, please, help me to get rid of the Dr.Watson Debugger Virus?	0 / 393	15th January 2006 - 11:03 AM Sok started - last by Sok
Virus, Spyware and Trojan Removal Please help me to be rid of this Look2Me disaster once and for all	0 / 407	7th February 2006 - 04:10 AM Soviet Monkey started - last by Soviet Monkey
Virus, Spyware and Trojan Removal Please help me to get rid of some trojan's [CLOSED]	14 / 3,427	25th May 2006 - 11:12 PM tonze started - last by RiP