1. Right after power-up, IE6 goes and attempts to reach http://iesettingsupdate
2. Unable to activate Windows Firewall; the settings are all locked out.
Here is a log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 9:05:08 AM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\kybrdff_e9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\win3206021316363.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\program files\popupwithcast\septpop06apsept.exe
C:\dfndrff_e9.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\sys09316363021.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\win3208131636302.exe
c:\kybrdff_e12.exe
C:\DOCUME~1\Joe\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
c:\dfndrff_e12.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bpmbton.exe
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [w11f5c83.dll] RUNDLL32.EXE w11f5c83.dll,I2 0028e58b011f5c83
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e12.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [win3208131636302] C:\WINDOWS\win3208131636302.exe
O4 - HKLM\..\Run: [win3207213163630] C:\WINDOWS\win3207213163630.exe
O4 - HKLM\..\Run: [win3206021316363] C:\WINDOWS\win3206021316363.exe
O4 - HKLM\..\Run: [vg2juy8g] C:\Program Files\vg2juy8g\vg2juy8g.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [Oaydvci] C:\Program Files\Naqtpbl\Ovlf.exe
O4 - HKLM\..\Run: [ms04630213163] C:\WINDOWS\ms04630213163.exe
O4 - HKLM\..\Run: [fahnmyq] C:\WINDOWS\system32\rgoldx.exe r
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e12.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [sys09316363021] C:\WINDOWS\sys09316363021.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\k4620ejoehoc0.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Si4gVHdhcmRvd3NraQ\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\cjnr4r4ydfhj.exe
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINDOWS\svslogon.exe (file missing)
Here is a log from DLLCompare:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\rwpcfgex.dll Tue Sep 19 2006 10:00:24p ..S.R 234,519 229.02 K
C:\WINDOWS\SYSTEM32\kqdgkl.dll Tue Sep 19 2006 10:06:38p ..S.R 234,519 229.02 K
C:\WINDOWS\SYSTEM32\ihm32.dll Tue Sep 19 2006 10:17:54p ..S.R 236,160 230.63 K
C:\WINDOWS\SYSTEM32\wsnetmgr.dll Tue Sep 19 2006 10:41:50p ..S.R 236,408 230.87 K
C:\WINDOWS\SYSTEM32\weploc.dll Tue Sep 19 2006 10:22:18p ..S.R 236,160 230.63 K
C:\WINDOWS\SYSTEM32\hp4023~1.dll Sat Sep 23 2006 9:02:50a ..S.R 234,269 228.78 K
C:\WINDOWS\SYSTEM32\mvr4l9~1.dll Tue Sep 19 2006 10:16:38p ..S.R 234,519 229.02 K
C:\WINDOWS\SYSTEM32\j2n2lc~1.dll Tue Sep 19 2006 10:00:24p ..S.R 235,771 230.24 K
C:\WINDOWS\SYSTEM32\m4460e~1.dll Tue Sep 19 2006 10:30:34p ..S.R 236,160 230.63 K
C:\WINDOWS\SYSTEM32\p4p6le~1.dll Tue Sep 19 2006 10:22:18p ..S.R 234,085 228.60 K
C:\WINDOWS\SYSTEM32\k4620e~1.dll Wed Sep 20 2006 10:26:52p ..S.R 236,408 230.87 K
________________________________________________
1,283 items found: 1,283 files (11 H/S), 0 directories.
Total of file sizes: 270,287,986 bytes 257.77 M
Administrator Account = True
--------------------End log---------------------