Trying to remove oinadserver [RESOLVED]

Welcome Guest ( Log In | Register )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

2 Pages

1 2 >

Trying to remove oinadserver [RESOLVED], I am posting to log asd instructed. I appreciate the help!

Options

Mr. T View Member Profile	May 19 2006, 07:14 PM Post #1
Member Posts: 10 OS: Windows xp	Logfile of HijackThis v1.99.1 Scan saved at 9:03:37 PM, on 5/19/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Cox\Applications\app\Prism.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\eM\Bay Reader\Shwicon2k.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe C:\PROGRA~1\COMMON~1\PPATCH~1\logonui.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Program Files\S?mantec\wucrtupd.exe C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe c:\program files\cox\applications\app\CurtainsSysSvcNt.exe C:\Documents and Settings\Troy Lara\Desktop\Hijack This\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D834909-E16D-0DC5-8700-115508A12248} - C:\WINDOWS\System32\erbhtzbk.dll (file missing) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file) O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe O4 - HKLM\..\Run: [test] c:\windows\system32\test.exe /nocomm O4 - HKLM\..\Run: [R76zySi] C:\documents and settings\troy lara\local settings\temp\R76zySi.exe O4 - HKLM\..\Run: [SwH7] C:\documents and settings\troy lara\local settings\temp\SwH7.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\PPATCH~1\logonui.exe" -vt ndrv O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [Vhkivvf] C:\Program Files\S?mantec\wucrtupd.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

__RiP_ChAiN_ View Member Profile	May 19 2006, 07:19 PM Post #2
Malware Expert Posts: 8,077 From: Omaha, Nebraska U.S.A OS: Windows XP Professional/Windows Vista Ultimate x64/x86	Hello, Mr. T. 1. Please download Ewido Anti-Malware Install ewido anti-malware Launch ewido, there should be an icon on your desktop, double-click it. The program will now open to the main screen. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. (the status bar at the bottom will display ("Update successful") Exit Ewido, do not run the scan yet! If you are having problems with the updater, you can use this link to manually update ewido. ewido manual updates 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. 4. Once in Safe Mode, Open Ewido: Click on scanner Click on Complete System Scan and the scan will begin. You will be prompted to clean the first infection. Select "Perform action on all infections", then proceed. Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report. Save the report .txt file to your desktop or a location where you can find it easily. Close ewido anti-malware. 5. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Mr. T View Member Profile	May 19 2006, 10:06 PM Post #3
Member Posts: 10 OS: Windows xp	--------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 11:39:37 PM, 5/19/2006 + Report-Checksum: 5E096D1C + Scan result: HKLM\SOFTWARE\BTIEIN -> Adware.WebSearch : Error during cleaning HKLM\SOFTWARE\BTIEIN\BTIEIN -> Adware.WebSearch : Error during cleaning HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Adware.WebSearch : Error during cleaning HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Adware.WebSearch : Error during cleaning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\common.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\nzqlihv.wzg -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq28.tmp\common.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq28.tmp\nzqlihv.wzg -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq45.tmp\common.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq45.tmp\nzqlihv.wzg -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq45.tmp\Update\toolbar.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq46.tmp -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq69.tmp\common.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq69.tmp\nzqlihv.wzg -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq82.tmp\common.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq82.tmp\nzqlihv.wzg -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/Save.exe -> Adware.SaveNow : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/SaveUninst.exe -> Adware.SaveNow : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/Save.exe -> Adware.SaveNow : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/SaveUninst.exe -> Adware.SaveNow : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/Search.exe -> Adware.SaveNow : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/Search.exe -> Adware.SaveNow : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/DnldStub.exe -> Downloader.Small.kl : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe/DnldStub.exe -> Downloader.Small.kl : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SLWBl.dll -> Adware.Midaddle : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~321133.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~368520.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~373898.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~429130.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~437362.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~443044.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~461120.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~465520.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~471804.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~471997.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~479627.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~534842.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~539658.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~568039.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~573288.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~574667.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~582237.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~599096.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~616636.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~663882.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~688149.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~696327.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~703753.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~707240.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~716483.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~721343.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~727229.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~756374.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~779502.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~815836.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~831525.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~855235.tmp -> Adware.Wintol : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temp\~885614.tmp -> Downloader.Wintool.d : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\C96RW1QJ\common[1].cab/common.dll -> Adware.WebSearch : Cleaned without backup C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\GLWF47SZ\WinTA[1].cab/WToolsA.exe -> Adware.Wintol : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\IXGRA1Q5\TBPS[2].cab/TBPS.exe -> Adware.WebSearch : Error during cleaning C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\STQN8DMJ\tb3[1].cab/toolbar.dll -> Adware.WebSearch : Error during cleaning C:\Documents and Settings\Michelle Lara\Start Menu\Programs\ClockSync -> Adware.WhenU : Cleaned without backup C:\Documents and Settings\Michelle Lara\Start Menu\Programs\ClockSync\ClockSync.lnk -> Adware.WhenU : Cleaned without backup :mozilla.14:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup :mozilla.15:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup :mozilla.24:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned without backup :mozilla.25:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned without backup :mozilla.30:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned without backup :mozilla.31:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned without backup :mozilla.33:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Bfast : Cleaned without backup :mozilla.35:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned without backup :mozilla.39:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Hitslink : Cleaned without backup :mozilla.40:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Hitslink : Cleaned without backup :mozilla.41:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Hitslink : Cleaned without backup :mozilla.42:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Hitslink : Cleaned without backup :mozilla.68:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned without backup :mozilla.71:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Realtracker : Cleaned without backup :mozilla.72:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Web-stat : Cleaned without backup :mozilla.73:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Web-stat : Cleaned without backup :mozilla.74:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned without backup :mozilla.84:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup :mozilla.89:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned without backup :mozilla.92:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned without backup :mozilla.99:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup :mozilla.101:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned without backup :mozilla.102:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned without backup :mozilla.106:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup :mozilla.107:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup :mozilla.108:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup :mozilla.109:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup :mozilla.110:C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup C:\Documents and Settings\Troy Lara\Cookies\troy lara@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned without backup C:\Documents and Settings\Troy Lara\Cookies\troy lara@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned without backup C:\Documents and Settings\Troy Lara\Cookies\troy lara@overture[1].txt -> TrackingCookie.Overture : Cleaned without backup C:\Program Files\Red Storm Entertainment\Rogue Spear\MSN\MsnSetup\msnSetup.exe -> Heuristic.Win32.AVKiller : Cleaned without backup C:\WINDOWS\Downloaded Program Files\v2.dll -> Adware.EliteBar : Cleaned without backup ::Report End

Mr. T View Member Profile	May 19 2006, 10:08 PM Post #4
Member Posts: 10 OS: Windows xp	Thanks! I hope this is all you need. AWESOME!

__RiP_ChAiN_ View Member Profile	May 20 2006, 07:15 AM Post #5
Malware Expert Posts: 8,077 From: Omaha, Nebraska U.S.A OS: Windows XP Professional/Windows Vista Ultimate x64/x86	Hello, Mr. T. Please download the Killbox by Option^Explicit. ( Save it to your desktop. ) Note: In the event you already have Killbox, this is a new version that I need you to download. Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote: QUOTE REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN] [-HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN\BTIEIN] [-HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN\BTIEIN\taskcache] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WToolsB.ResProtocol] Save it to your desktop as fix133.reg and as Type "All files" Double click on fix133.reg and allow when prompted to let it merge with the registry. Run Killbox: Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All Files button. Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\GLWF47SZ\WinTA[1].cab/WToolsA.exe C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\IXGRA1Q5\TBPS[2].cab/TBPS.exe C:\Documents and Settings\Michelle Lara\Local Settings\Temporary Internet Files\Content.IE5\STQN8DMJ\tb3[1].cab/toolbar.dll C:\Documents and Settings\Michelle Lara\Local Settings\Temp\SaveInstCsS.exe Return to Killbox, go to the File menu, and choose Paste from Clipboard. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message! If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. Reboot into Normal Mode. Please post back with a new HijackThis log, as well. This post has been edited by __RiP_ChAiN_: May 20 2006, 07:19 AM

Mr. T View Member Profile	May 20 2006, 03:51 PM Post #6
Member Posts: 10 OS: Windows xp	I did get the message: PendingFileRenameOperations prompt Logfile of HijackThis v1.99.1 Scan saved at 5:49:22 PM, on 5/20/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\cox\applications\app\CurtainsSysSvcNt.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoctrl.exe C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoguard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Cox\Applications\app\Prism.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\eM\Bay Reader\Shwicon2k.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe C:\PROGRA~1\COMMON~1\PPATCH~1\logonui.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\S?mantec\wucrtupd.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\HPZipm12.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Documents and Settings\Troy Lara\Desktop\Hijack This\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D834909-E16D-0DC5-8700-115508A12248} - C:\WINDOWS\System32\erbhtzbk.dll (file missing) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file) O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe O4 - HKLM\..\Run: [test] c:\windows\system32\test.exe /nocomm O4 - HKLM\..\Run: [R76zySi] C:\documents and settings\troy lara\local settings\temp\R76zySi.exe O4 - HKLM\..\Run: [SwH7] C:\documents and settings\troy lara\local settings\temp\SwH7.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\PPATCH~1\logonui.exe" -vt ndrv O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [Vhkivvf] C:\Program Files\S?mantec\wucrtupd.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

__RiP_ChAiN_ View Member Profile	May 20 2006, 05:11 PM Post #7
Malware Expert Posts: 8,077 From: Omaha, Nebraska U.S.A OS: Windows XP Professional/Windows Vista Ultimate x64/x86	Hello, Mr. T. Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later. Please download the Killbox by Option^Explicit. ( Save it to your desktop. ) Note: In the event you already have Killbox, this is a new version that I need you to download. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {4D834909-E16D-0DC5-8700-115508A12248} - C:\WINDOWS\System32\erbhtzbk.dll (file missing) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file) O4 - HKLM\..\Run: [test] c:\windows\system32\test.exe /nocomm O4 - HKLM\..\Run: [R76zySi] C:\documents and settings\troy lara\local settings\temp\R76zySi.exe O4 - HKLM\..\Run: [SwH7] C:\documents and settings\troy lara\local settings\temp\SwH7.exe O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\PPATCH~1\logonui.exe" -vt ndrv O4 - HKCU\..\Run: [Vhkivvf] C:\Program Files\S?mantec\wucrtupd.exe O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis. Boot into Safe Mode: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Select the first option, to run Windows in Safe Mode. Using Windows Explorer delete the following folders (if present): (To get into Windows Explorer, right click the START button and select "explore.") C:\Program Files\Common Files\PPATCH~1 C:\Program Files\S?mantec (Before deleting this folder make sure the file wucrtupd.exe is inside.) Run Killbox: Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All Files button. Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): c:\windows\system32\test.exe C:\documents and settings\troy lara\local settings\temp\R76zySi.exe C:\documents and settings\troy lara\local settings\temp\SwH7.exe Return to Killbox, go to the File menu, and choose Paste from Clipboard. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message! If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. Reboot into Normal Mode. Please post back with a fresh HJT log and an update on how your computer is running.

Mr. T View Member Profile	May 20 2006, 06:55 PM Post #8
Member Posts: 10 OS: Windows xp	I got the message: PendingFileRenameOperations prompt The only thing my Spyware remover can't remove is something called "Huntbar" Everything else seems GREAT! Here is the log: Logfile of HijackThis v1.99.1 Scan saved at 8:54:42 PM, on 5/20/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\cox\applications\app\CurtainsSysSvcNt.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoctrl.exe C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoguard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Cox\Applications\app\Prism.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\eM\Bay Reader\Shwicon2k.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\System32\HPZipm12.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Troy Lara\Desktop\Hijack This\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Troy Lara\Application Data\Mozilla\Profiles\default\lzg6seb4.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D834909-E16D-0DC5-8700-115508A12248} - C:\WINDOWS\System32\erbhtzbk.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Troy Lara\Desktop\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

__RiP_ChAiN_

May 20 2006, 09:56 PM

Post