
Pop-up Browser Issues!

#1 LisAK (New Member)
I have Ad-Aware SE Personal on my computer and have run several scans, in safe mode and regular mode. However, these particular files:

C:\WINNT\system32/lv8m09l1e.dll
C:\WINNT\VXNlcg\command.exe
C:\WINNT\VXNlcg\asappsrv.dll
C:\Program Files\Network Monitor\netmon.exe

cannot be deleted because they are in use (or something along those lines). I've had a horrible time with pop-up browsers before and had to restore my drive image, but I would prefer not to go through all of that again.

Here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:17 PM, on 9/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\VXNlcg\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\program files\popupwithcast\septpop06apsept.exe
C:\dfndrff_e1.exe
C:\PROGRA~1\COMMON~1\CURITY~1\ping.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\J River\Media Jukebox\Media Jukebox.exe
C:\Program Files\utorrent\utorrent.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Docs\Downloads\HijackThis.exe

R3 - URLSearchHook: (no name) - {83E3A410-6CD3-6323-F2FE-121349AE3F99} - C:\WINNT\system32\rncfhgb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [iop61fa0] RUNDLL32.EXE w025299a.dll,n 00461f9c0000000a025299a
O4 - HKLM\..\Run: [newname] C:\\nwnmff_18.exe
O4 - HKLM\..\Run: [xload] "C:\WINNT\xload.exe"
O4 - HKCU\..\Run: [Hbac] "C:\PROGRA~1\COMMON~1\CURITY~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Ybkx] \??anregw.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\User\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: Setup - C:\WINNT\system32\lv8m09l1e.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcg\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\system32\lxbscoms.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


Is there any hope for me?

#2 loophole (Malware Expert)
Hi :blink:

Yes, there's hope :whistling: This will take a few steps to clean up.

1. Download Ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete, run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware. Do not run a scan just yet.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

5. IMPORTANT: Do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your desktop (this is important).
  • Close Ewido and reboot your system back into Normal Mode.
6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

#3 LisAK (Topic Starter)
Thanks for such a quick response!

When I tried to run Ewido in Safe Mode, it came up with an error that it saved as "ewido.err" in the "C:\Program Files\ewido anti-spyware 4.0" folder. So I restarted the computer in Normal Mode and came up with these errors:

Project1
"Run-time error ‘76’: Path not found"

RUNDLL
“Error loading w025299a.dll: The specified module could not be found.”
“An exception error occurred while trying to run “C:\WINNT\system32\dvrgres.dll”,DllGetVersion””

I was able to successfully complete an Ewido scan in Normal Mode, but while I was running BFU, an error popped up that said: "Run-time error '28': Out of stack space" and closed itself.
Here's the new Hijack This scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:16 PM, on 9/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\kybrdff_18.exe
C:\PROGRA~1\COMMON~1\CURITY~1\ping.exe
C:\??anregw.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
D:\My Docs\Downloads\HijackThis.exe

R3 - URLSearchHook: (no name) - {83E3A410-6CD3-6323-F2FE-121349AE3F99} - C:\WINNT\system32\rncfhgb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBStime.dll,[email protected]
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iop61fa0] RUNDLL32.EXE w025299a.dll,n 00461f9c0000000a025299a
O4 - HKCU\..\Run: [Hbac] "C:\PROGRA~1\COMMON~1\CURITY~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Ybkx] \??anregw.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\User\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: App Management - C:\WINNT\system32\m8lsli3718.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0a\guard.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\system32\lxbscoms.exe

#4 loophole (Malware Expert)
Looks like it did help even with all those errors :whistling:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#5 LisAK (Topic Starter)
Here's the ComboFix Log:


User - Sun 09/17/2006 17:03:17.20 Service Pack 4
ComboFix 06.09.14 - Running from: C:\Documents and Settings\User\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{8A098A57-8586-4D49-9EB0-045519743EFB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A098A57-8586-4D49-9EB0-045519743EFB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A098A57-8586-4D49-9EB0-045519743EFB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A098A57-8586-4D49-9EB0-045519743EFB}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CA2EAD9F-93A2-40C3-8ABE-32F6415E51D1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA2EAD9F-93A2-40C3-8ABE-32F6415E51D1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA2EAD9F-93A2-40C3-8ABE-32F6415E51D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA2EAD9F-93A2-40C3-8ABE-32F6415E51D1}\InprocServer32]
@="C:\\WINNT\\system32\\IEHLPAPI.DLL"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\system32\IEHLPAPI.DLL
C:\WINNT\system32\en2ql1f51.dll
C:\WINNT\system32\lv0m09d1e.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\kybrdff_18.exe
C:\WINNT\system32\wtscc.exe
C:\WINNT\Eim03.exe
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\Cowabanga
C:\Program Files\Deskbar

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINNT\STEM~1
C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1\??curity
C:\QooBox\Purity\Program Files\Common Files\CURITY~1\ping.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-17 to 2006-09-17 ))))))))))))))))))))))))))))))))))


2006-09-13 19:23 155,136 --a------ C:\WINNT\system32\oins.exe
2006-09-13 19:21 409,600 -r-hs---- C:\??anregw.exe
2006-09-13 19:21 131,072 --a------ C:\WINNT\system32\rncfhgb.dll
2006-09-13 19:19 61,952 --a------ C:\WINNT\system32\iop61fa0.dll
2006-09-13 19:19 1,233 --a------ C:\WINNT\system32\iop61fa0.sys
2006-09-13 19:18 267,228 --a------ C:\WINNT\popupwithcast.exe
2006-09-13 19:18 184,795 --a------ C:\WINNT\YazzleBundle-1264.exe
2006-08-25 14:21 90,112 --a------ C:\WINNT\unvise32.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-14 13:15 -------- d-------- C:\Program Files\ewido anti-spyware 4.0a
2006-09-14 12:48 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-13 20:31 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-13 20:31 -------- d-------- C:\Documents and Settings\User\Application Data\Mozilla
2006-09-13 20:26 -------- d-------- C:\Program Files\Lavasoft
2006-09-13 20:26 -------- d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2006-09-13 19:23 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-08-31 10:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-31 09:41 409600 -r-hs---- C:\??anregw.exe
2006-08-25 14:21 -------- d-------- C:\Program Files\Finale NotePad 2005a
2006-08-14 19:52 78848 --a------ C:\WINNT\system32\nsg1D.dll
2006-08-09 03:26 278528 --a------ C:\WINNT\system32\livesnth.dll
2006-07-28 22:51 -------- d-------- C:\Program Files\Real
2006-07-28 22:51 -------- d-------- C:\Documents and Settings\User\Application Data\Real
2006-07-23 01:06 309680 --a------ C:\tskmgr.exe
2006-07-23 01:05 309680 --a------ C:\wsetup.exe
2006-07-22 13:15 -------- d-------- C:\Program Files\utorrent
2006-07-22 13:10 -------- d-------- C:\Program Files\Lexmark


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hbac"="\"C:\\PROGRA~1\\COMMON~1\\CURITY~1\\ping.exe\" -vt yazb"
"Ybkx"="\\??anregw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"LXBSCATS"="rundll32 C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\3\\LXBStime.dll,[email protected]"
"MemoryCardManager"="C:\\Program Files\\Lexmark\\Lexmark Precision Photo\\MemCard.exe -startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iop61fa0"="RUNDLL32.EXE w025299a.dll,n 00461f9c0000000a025299a"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Sun 2006-09-17 17:05:03.45
ComboFix.txt

#6 loophole (Malware Expert)
Hi again :whistling:

Sorry for the slow reply.

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKLM\..\Run: [iop61fa0] RUNDLL32.EXE w025299a.dll,n 00461f9c0000000a025299a
O4 - HKCU\..\Run: [Hbac] "C:\PROGRA~1\COMMON~1\CURITY~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Ybkx] \??anregw.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\oins.exe
    C:\WINNT\system32\rncfhgb.dll
    C:\WINNT\system32\iop61fa0.dll
    C:\WINNT\system32\iop61fa0.sys
    C:\WINNT\popupwithcast.exe
    C:\WINNT\YazzleBundle-1264.exe
    C:\WINNT\unvise32.exe
    C:\tskmgr.exe
    C:\wsetup.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please post a new HijackThis log when done.

Thanks :blink:
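The rules of thumb loophole applies across this thread (Run entries launched from the drive root, from a bare \?? path or through rundll32 with an unpathed DLL; sites added to the Trusted Zone; DPF entries that point at an .exe; Winlogon Notify DLLs with random-looking names; services with no vendor string) can be turned into a small triage script. This is an added example, not code from the thread, from HijackThis or from Geeks to Go; the sample lines are copied from the logs posted above, and the "three or more digits in the DLL name" threshold is my own assumption.

```python
import re

# HijackThis 1.99 lines copied from the logs posted in this thread (not
# constructed); benign vendor entries are kept so the triage has lines to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
O4 - HKLM\..\Run: [iop61fa0] RUNDLL32.EXE w025299a.dll,n 00461f9c0000000a025299a
O4 - HKCU\..\Run: [Ybkx] \??anregw.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O20 - Winlogon Notify: Setup - C:\WINNT\system32\lv8m09l1e.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcg\command.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\system32\lxbscoms.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+\.exe", re.I)   # e.g. C:\something.exe
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,\s]+)', re.I)


def win_basename(path):
    """Last component of a Windows path (os.path on Linux ignores backslashes)."""
    return path.rsplit("\\", 1)[-1]


def o4_reason(cmd):
    """Why an O4 Run command deserves a second look, or None if it looks normal."""
    if cmd.startswith("\\??"):
        return "Run value is a bare \\?? path with no drive letter"
    if ROOT_EXE_RE.match(cmd):
        return "executable launched straight from the drive root"
    m = RUNDLL_RE.match(cmd)
    if m and "\\" not in m.group("dll"):
        return "rundll32 loads a DLL by bare name, resolved through the search path"
    return None


def triage(log_text):
    """Return [{section, reason, line}] for the HijackThis lines worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body, reason = m.group("sec"), m.group("body"), None
        if sec == "O4":
            m4 = O4_RE.match(body)
            reason = o4_reason(m4.group("cmd")) if m4 else None
        elif sec == "O15":
            reason = "site added to the IE Trusted Zone, which relaxes download and ActiveX prompts"
        elif sec == "O16":
            target = body.rsplit(" - ", 1)[-1].lower()
            if target.endswith(".exe") or not target.startswith("http"):
                reason = "Download Program File target is an .exe or a non-HTTP source"
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            dll = win_basename(body.rsplit(" - ", 1)[-1])
            if sum(ch.isdigit() for ch in dll) >= 3:   # assumed threshold for "random-looking"
                reason = "Winlogon Notify DLL with a random-looking name, loaded at every logon"
        elif sec == "O23":
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                reason = "service with no vendor string"
        if reason:
            findings.append({"section": sec, "reason": reason, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
```

On the sample above it flags seven lines and leaves the Synchronization Manager, Lexmark and MSN Zone entries alone; the script only shortlists lines for a human reviewer, it does not decide what to remove.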