Help! Comp Keeps Rebooting



#1
nypd73

Logfile of HijackThis v1.99.1
Scan saved at 10:23:00 AM, on 4/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\csrss.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\AOL\1129041702\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\updater.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
c:\program files\common files\aol\1129041702\ee\aolsoftware.exe
C:\PROGRA~1\DOBE~1\RSS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ls0.net/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...E5pDy7f4vLHqecS
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vmnhv.exe
F2 - REG:system.ini: UserInit=userinit.exe,hiulgxv.exe
O2 - BHO: (no name) - {12E3F61A-6C83-195F-F03D-6AE336EFAAEF} - C:\WINDOWS\System32\emx.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {3EA86C72-E543-0FC2-8422-615505F57E3F} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {59911980-5BC0-413D-AF78-E83C406FEC63} - {59911980-5BC0-413D-AF78-E83C406FEC63} - blank (file missing)
O2 - BHO: (no name) - {850D8646-ED2B-44E5-AB2B-18A3EF7F1DC1} - blank (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPLJ Config] "C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1129041702\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [w0191534.dll] "RUNDLL32.EXE" w0191534.dll,I2 0006b16e00191534
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\updater.exe" 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Rqbzezm] C:\PROGRA~1\DOBE~1\RSS~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://goldenrivier...lay/FlashAX.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.traf...et/10306-23.exe
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdbeke.dll inicfg32.dll,
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: CDRecorder036 - {A3BC5E20-0235-1ABF-9CE1-00AA00512036} - C:\WINDOWS\System32\dbkjwf32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
#2
ourwilly

Hello nypd73

I would like to take a look at this log for you and will get back to you as soon as I can.

Thank You.

#3
ourwilly

Hello nypd73

Copy and Paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Step 1

Go to Start > Control Panel > Add/Remove Programs and Uninstall the following (if present):

ewido security suite
E2Give Browser Add On
E2give Plug-in
Oin
or anything with by Oin in it.



Now Please download the OTMoveIt from here:
http://download.blee...er/OTMoveIt.exe

Save it to your desktop; we shall use this later.


Step 2

Scan with HijackThis again and place a checkmark in the boxes before the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ls0.net/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...E5pDy7f4vLHqecS
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vmnhv.exe
F2 - REG:system.ini: UserInit=userinit.exe,hiulgxv.exe
O2 - BHO: (no name) - {12E3F61A-6C83-195F-F03D-6AE336EFAAEF} - C:\WINDOWS\System32\emx.dll
O2 - BHO: (no name) - {3EA86C72-E543-0FC2-8422-615505F57E3F} - blank (file missing)
O2 - BHO: {59911980-5BC0-413D-AF78-E83C406FEC63} - {59911980-5BC0-413D-AF78-E83C406FEC63} - blank (file missing)
O2 - BHO: (no name) - {850D8646-ED2B-44E5-AB2B-18A3EF7F1DC1} - blank (file missing)
O4 - HKLM\..\Run: [w0191534.dll] "RUNDLL32.EXE" w0191534.dll,I2 0006b16e00191534
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\updater.exe" 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.traf...et/10306-23.exe
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdbeke.dll inicfg32.dll,
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
O21 - SSODL: CDRecorder036 - {A3BC5E20-0235-1ABF-9CE1-00AA00512036} - C:\WINDOWS\System32\dbkjwf32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Close any Explorer windows which may be open and click the "Fix Checked" button.


Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Windows\System32\tcpipmon.exe
C:\WINDOWS\System32\vmnhv.exe
C:\WINDOWS\System32\hiulgxv.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\System32\a3dxq.dll
C:\WINDOWS\System32\dbkjwf32.dll
C:\WINDOWS\System32\kbdbeke.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Step 3

Now Update AVG Anti-Spyware 7.5
click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close AVG AS.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!

Please Reboot your System into Safe Mode: Shut down your system, then Restart your computer.
As soon as it starts booting up again, continuously tap F8. From the menu, select the option to enter Safe Mode.

Reopen AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the AVG Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Step 4

Download the latest SmitfraudFix by S!Ri from either of these mirrors to your desktop:

http://siri.urz.free...mitfraudFix.zip
http://siri.geekstog...mitfraudFix.zip

Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.
Open the SmitfraudFix folder and double-click "smitfraudfix.cmd"
Select option #1 - "Search" by typing "1" and press "Enter".
Please copy & paste the SmitfraudFix text file which appears back here please.


Step 5

Please Open Hijackthis
Click Open Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as Uninstall_list.txt

In your next reply please post:

1/ A new HijackThis log
2/ The Uninstall_list.txt
3/ The AVG Anti-Spyware 7.5 Report-Scan.txt
4/ The SmitfraudFix text file

Thank you.
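Added example (not part of the thread and not any poster's or tool author's code): a small triage pass over HijackThis entry lines that surfaces three of the kinds of entries selected in Step 2 above. The function names and the three heuristics are this example's own assumptions; a flagged entry still needs a manual look, as it got in the thread.

```python
import re

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vmnhv.exe
F2 - REG:system.ini: UserInit=userinit.exe,hiulgxv.exe
O2 - BHO: (no name) - {3EA86C72-E543-0FC2-8422-615505F57E3F} - blank (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdbeke.dll inicfg32.dll,
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumption: the only expected programs in the Winlogon Shell/Userinit values.
F2_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

def parse(log):
    """Yield (code, body) per entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def extra_f2_programs(body):
    """Return programs chained after the default in a Shell=/UserInit= value."""
    m = re.search(r"(Shell|UserInit)=(.*)$", body, re.I)
    if not m:
        return []
    allowed = F2_DEFAULTS[m.group(1).lower()]
    items = [p.strip() for p in m.group(2).split(",") if p.strip()]
    # Basename match only: a look-alike file in another folder is not caught here.
    return [p for p in items if p.rsplit("\\", 1)[-1].lower() not in allowed]

def triage(log):
    """Return (code, reason, body) for entries that deserve a manual look."""
    findings = []
    for code, body in parse(log):
        if code == "F2":
            extra = extra_f2_programs(body)
            if extra:
                findings.append((code, "extra Winlogon program: " + ", ".join(extra), body))
        elif "(file missing)" in body:
            findings.append((code, "registered file is missing", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip(" ,")
            if dlls:
                findings.append((code, "AppInit_DLLs not empty: " + dlls, body))
    return findings
```

A non-empty AppInit_DLLs value is not proof of infection by itself, since some legitimate software also uses it.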

#4
nypd73

Thank you for the input. But when I tried to turn on his machine today I received the error message:

Windows could not start because of an error in the software.
Please report this problem as:
load needed DLLs for Kernel

Please contact your support person to report this problem


Keep in mind this is my father's eMachine (yick) and I do not believe he has a WinXP home CD.

#5
ourwilly

Hello nypd73

Need to ask a few questions, I'm afraid.

Since the 4/21/2007 showing in the HJT log, has anything been installed or changed on this system, and are you able to start this system in Safe Mode? If you can, are you able to use System Restore to around this time period:

Shut down your system, then Restart your computer. As soon as it starts booting up again, continuously tap F8. From the menu, select the option to enter Safe Mode.
Click Start, point to Programs - Accessories - System Tools - System Restore

Then choose an earlier "Restore point". If this works, please post a new HJT log.

"and I do not believe he has a WinXP home CD"

You sound a little unsure.. if he does own a copy of WinXP home CD then This Link will help

Following on from that is troubleshooting startup problems in Windows XP

Does your father have any of the original disks that came with this system, and is he able to re-install Windows XP or at least have some form of back-up he can count on?

Thank you.

#6
nypd73

Yes, he has the 2 "restore" disks that came with the eMachine. When I load them in I get 2 options:
boot to command prompt or restore Windows. When I go to restore Windows I get a warning that all info will be lost. Is this true????

#7
ourwilly

Hello nypd73

Hmm.. the command prompt may give you the option to use System Restore:

http://www.lockergno...mpt-xp-prohome/

This may allow you to be able to Back-up and Save anything that is important..

But I do recommend that you consider Re-installing Windows as this system is Badly infected..

Please let me know what you decide

Thank you.