Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

aaawebsearch[RESOLVED]

Started by kfinne , Apr 30 2005 08:46 PM

This topic is locked

#1
kfinne

Posted 30 April 2005 - 08:46 PM

New Member

Member
9 posts

i have downloaded hijack this and did the scan. i am not sure what to check off. Here is my log:Logfile of HijackThis v1.99.1
Scan saved at 10:42:29 PM, on 4/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\TRSVI.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\wp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\DLBKPSWX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Keri\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{8A1982C3-8041-D093-3C11-E38789564F26} - (no file)
R3 - URLSearchHook: (no name) - {8A1982C3-8041-D093-3C11-E38789564F26} - C:\WINDOWS\system32\TRSVI.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {73ADE25A-9F6A-448F-BD7E-DB705F4611B3} - C:\WINDOWS\System32\ioog.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\02bwp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKLM\..\Run: [EEDEC86E] C:\WINDOWS\system32\CLUIDS.exe
O4 - HKLM\..\Run: [BA460566] C:\WINDOWS\system32\PACKSIPC.exe
O4 - HKLM\..\Run: [F0949263] C:\WINDOWS\system32\ILTODIS.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [snmpapi] C:\WINDOWS\System32\snmpapi.exe
O4 - HKCU\..\Run: [fxsxp32] C:\WINDOWS\System32\fxsxp32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKCU\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKCU\..\Run: [EEDEC86E] C:\WINDOWS\system32\CLUIDS.exe
O4 - HKCU\..\Run: [BA460566] C:\WINDOWS\system32\PACKSIPC.exe
O4 - HKCU\..\Run: [F0949263] C:\WINDOWS\system32\ILTODIS.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://groundworm.bi...m::/simple3.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O18 - Filter: text/html - {C09816A6-E26A-4562-B846-0D114AA3CBDE} - C:\WINDOWS\System32\ioog.dll
O18 - Filter: text/plain - {C09816A6-E26A-4562-B846-0D114AA3CBDE} - C:\WINDOWS\System32\ioog.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#2
don77

Posted 30 April 2005 - 10:30 PM

Malware Expert

Retired Staff
18,526 posts

Hi kfinne and welcome to Geeks to Go !!

Oh boy where to start,,

Your going to need to be patient with this one you have many issues here, but we can get through it,,

Lets start with this,

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manger. Click on the Processes tab and end the following processes:

wp.exe
Security iGuard.exe

Exit Task Manager.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

[*] Please create a new folder on C: drive and name it HJT, Move HJT into this new folder please

Post a new HiJackThis log.

#3
kfinne

Posted 01 May 2005 - 11:56 AM

New Member

Topic Starter
Member
9 posts

thanLogfile of HijackThis v1.99.1
Scan saved at 1:50:19 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\TRSVI.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Keri\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{8A1982C3-8041-D093-3C11-E38789564F26} - (no file)
R3 - URLSearchHook: (no name) - {8A1982C3-8041-D093-3C11-E38789564F26} - C:\WINDOWS\system32\TRSVI.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {73ADE25A-9F6A-448F-BD7E-DB705F4611B3} - C:\WINDOWS\System32\ioog.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\02bwp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKLM\..\Run: [EEDEC86E] C:\WINDOWS\system32\CLUIDS.exe
O4 - HKLM\..\Run: [BA460566] C:\WINDOWS\system32\PACKSIPC.exe
O4 - HKLM\..\Run: [F0949263] C:\WINDOWS\system32\ILTODIS.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [snmpapi] C:\WINDOWS\System32\snmpapi.exe
O4 - HKCU\..\Run: [fxsxp32] C:\WINDOWS\System32\fxsxp32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKCU\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKCU\..\Run: [EEDEC86E] C:\WINDOWS\system32\CLUIDS.exe
O4 - HKCU\..\Run: [BA460566] C:\WINDOWS\system32\PACKSIPC.exe
O4 - HKCU\..\Run: [F0949263] C:\WINDOWS\system32\ILTODIS.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://groundworm.bi...m::/simple3.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O18 - Filter: text/html - {C09816A6-E26A-4562-B846-0D114AA3CBDE} - C:\WINDOWS\System32\ioog.dll
O18 - Filter: text/plain - {C09816A6-E26A-4562-B846-0D114AA3CBDE} - C:\WINDOWS\System32\ioog.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

ks don77! i followed your instructions and here is my new log:

#4
don77

Posted 01 May 2005 - 06:11 PM

Malware Expert

Retired Staff
18,526 posts

Hi kfinne, I merged your new post to this original topic you started, Please just click the Add Reply and post here please,
I would have never seen that you posted back unless someone with a sharp eye noticed it :tazz:

Download SpSeHjfix into a folder. Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

#5
kfinne

Posted 01 May 2005 - 07:31 PM

New Member

Topic Starter
Member
9 posts

hi don77. here are both logs
(5/1/05 9:21:53 PM) SPSeHjFix started v1.1.2
(5/1/05 9:21:53 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/1/05 9:21:53 PM) Language: english
(5/1/05 9:21:53 PM) Win-Path: C:\WINDOWS
(5/1/05 9:21:53 PM) System-Path: C:\WINDOWS\System32
(5/1/05 9:21:53 PM) Temp-Path: C:\DOCUME~1\Keri\LOCALS~1\Temp\
(5/1/05 9:22:00 PM) Disinfection started
(5/1/05 9:22:00 PM) Bad-Dll(IEP): c:\docume~1\keri\locals~1\temp\se.dll
(5/1/05 9:22:00 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\ioog.dll
(5/1/05 9:22:00 PM) Searchassistant Uninstaller - Keys Deleted
(5/1/05 9:22:01 PM) UBF: 9 - UBB: 7 - UBR: 37
(5/1/05 9:22:01 PM) FilterKey: HKCR\text/html (deleted)
(5/1/05 9:22:01 PM) FilterKey: HKCR\CLSID\{C09816A6-E26A-4562-B846-0D114AA3CBDE} (deleted)
(5/1/05 9:22:01 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/1/05 9:22:01 PM) FilterKey: HKCR\text/plain (deleted)
(5/1/05 9:22:01 PM) FilterKey: HKCR\CLSID\{C09816A6-E26A-4562-B846-0D114AA3CBDE} (error while deleting)
(5/1/05 9:22:01 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/1/05 9:22:01 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73ADE25A-9F6A-448F-BD7E-DB705F4611B3} (deleted)
(5/1/05 9:22:01 PM) BHO-Key: HKCR\CLSID\{73ADE25A-9F6A-448F-BD7E-DB705F4611B3} (deleted)
(5/1/05 9:22:01 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/1/05 9:22:01 PM) UBF: 7 - UBB: 6 - UBR: 36
(5/1/05 9:22:01 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\keri\locals~1\temp\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\keri\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/1/05 9:22:01 PM) Stealth-String not found
(5/1/05 9:22:01 PM) File added to delete: c:\windows\system32\ioog.dll
(5/1/05 9:22:01 PM) File added to delete: c:\docume~1\keri\locals~1\temp\se.dll
(5/1/05 9:22:01 PM) Reboot

(5/1/05 9:23:17 PM) SPSeHjFix started v1.1.2
(5/1/05 9:23:17 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/1/05 9:23:17 PM) Language: english
(5/1/05 9:23:17 PM) Win-Path: C:\WINDOWS
(5/1/05 9:23:17 PM) System-Path: C:\WINDOWS\System32
(5/1/05 9:23:17 PM) Temp-Path: C:\DOCUME~1\Keri\LOCALS~1\Temp\
(5/1/05 9:23:38 PM) Disinfection started
(5/1/05 9:23:38 PM) Bad-Dll(IEP): c:\docume~1\keri\locals~1\temp\se.dll
(5/1/05 9:23:38 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\ioog.dll
(5/1/05 9:23:38 PM) Searchassistant Uninstaller - Keys Deleted
(5/1/05 9:23:38 PM) UBF: 9 - UBB: 7 - UBR: 37
(5/1/05 9:23:38 PM) FilterKey: HKCR\text/html (deleted)
(5/1/05 9:23:38 PM) FilterKey: HKCR\CLSID\{F9A943A9-C9D4-4A02-82B6-1353DC97B642} (deleted)
(5/1/05 9:23:38 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/1/05 9:23:38 PM) FilterKey: HKCR\text/plain (deleted)
(5/1/05 9:23:38 PM) FilterKey: HKCR\CLSID\{F9A943A9-C9D4-4A02-82B6-1353DC97B642} (error while deleting)
(5/1/05 9:23:38 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/1/05 9:23:38 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47E6B956-41EC-4A5F-A436-6B70E900F88C} (deleted)
(5/1/05 9:23:38 PM) BHO-Key: HKCR\CLSID\{47E6B956-41EC-4A5F-A436-6B70E900F88C} (deleted)
(5/1/05 9:23:38 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Keri\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/1/05 9:23:38 PM) UBF: 7 - UBB: 6 - UBR: 36
(5/1/05 9:23:38 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\keri\locals~1\temp\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\keri\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/1/05 9:23:38 PM) Stealth-String not found
(5/1/05 9:23:38 PM) File added to delete: c:\windows\system32\ioog.dll
(5/1/05 9:23:38 PM) File added to delete: c:\docume~1\keri\locals~1\temp\se.dll
(5/1/05 9:23:38 PM) Reboot

(5/1/05 9:24:53 PM) SPSeHjFix started v1.1.2
(5/1/05 9:24:53 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/1/05 9:24:53 PM) Language: english
(5/1/05 9:24:53 PM) Win-Path: C:\WINDOWS
(5/1/05 9:24:53 PM) System-Path: C:\WINDOWS\System32
(5/1/05 9:24:53 PM) Temp-Path: C:\DOCUME~1\Keri\LOCALS~1\Temp\
Logfile of HijackThis v1.99.1
Scan saved at 9:28:55 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\TRSVI.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Keri\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{8A1982C3-8041-D093-3C11-E38789564F26} - (no file)
R3 - URLSearchHook: (no name) - {8A1982C3-8041-D093-3C11-E38789564F26} - C:\WINDOWS\system32\TRSVI.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\02bwp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKLM\..\Run: [EEDEC86E] C:\WINDOWS\system32\CLUIDS.exe
O4 - HKLM\..\Run: [BA460566] C:\WINDOWS\system32\PACKSIPC.exe
O4 - HKLM\..\Run: [F0949263] C:\WINDOWS\system32\ILTODIS.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [snmpapi] C:\WINDOWS\System32\snmpapi.exe
O4 - HKCU\..\Run: [fxsxp32] C:\WINDOWS\System32\fxsxp32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKCU\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKCU\..\Run: [EEDEC86E] C:\WINDOWS\system32\CLUIDS.exe
O4 - HKCU\..\Run: [BA460566] C:\WINDOWS\system32\PACKSIPC.exe
O4 - HKCU\..\Run: [F0949263] C:\WINDOWS\system32\ILTODIS.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://groundworm.bi...m::/simple3.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#6
don77

Posted 02 May 2005 - 07:43 PM

Malware Expert

Retired Staff
18,526 posts

Looks better still quite a bit to go here,,
First.
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT
Move HJT into this new folder please,

Next,
Please download ewido security suite it is a trial version of the program.

Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

Click on scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop

Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

#7
kfinne

Posted 03 May 2005 - 08:31 AM

New Member

Topic Starter
Member
9 posts

hi don77
hope i---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:24:08 AM, 5/3/2005
+ Report-Checksum: 206C588C

+ Date of database: 5/3/2005
+ Version of scan engine: v3.0

+ Duration: 104 min
+ Scanned Files: 116830
+ Speed: 18.63 Files/Second
+ Infected files: 68
+ Removed files: 68
+ Files put in quarantine: 68
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\CJAFYFER\$file[1] -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\QHSVKFQP\$file[1] -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\I386\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\I386\system@tryaolfree[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\r.exe -> TrojanDropper.Small.uy -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000001.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0007159.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0007168.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0008158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0008162.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0009159.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0009182.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0010182.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0010195.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0011195.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011197.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011209.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011217.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011336.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011346.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0012346.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0012364.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0012365.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0013360.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0013363.exe -> TrojanProxy.Agent.cx -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0014355.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0014362.exe -> Trojan.Agent.x -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000002.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001006.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002007.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002141.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0002146.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0002158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0003164.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0006158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0006159.dll -> TrojanDownloader.Agent.kf -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0007158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\WINDOWS\Buddy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\02bwp.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\51ea.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\a67.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CLUIDS.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tryaolfree[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ILTODIS.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\olexp.exe -> TrojanProxy.Agent.cx -> Cleaned with backup
C:\WINDOWS\SYSTEM32\PACKSIPC.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\spoolsrv32.exe -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\srdrv32.dll -> TrojanDownloader.Small.aoa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\t38vm0.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wldr.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__srvc32.dll -> TrojanDownloader.Small.aoa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__srvc32.exe -> TrojanDownloader.Small.aoa -> Cleaned with backup

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:24:08 AM, 5/3/2005
+ Report-Checksum: 206C588C

+ Date of database: 5/3/2005
+ Version of scan engine: v3.0

+ Duration: 104 min
+ Scanned Files: 116830
+ Speed: 18.63 Files/Second
+ Infected files: 68
+ Removed files: 68
+ Files put in quarantine: 68
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\CJAFYFER\$file[1] -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\QHSVKFQP\$file[1] -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\I386\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\I386\system@tryaolfree[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\r.exe -> TrojanDropper.Small.uy -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000001.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0007159.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0007168.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0008158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0008162.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0009159.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0009182.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0010182.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0010195.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0011195.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011197.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011209.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011217.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011336.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011346.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0012346.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0012364.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0012365.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0013360.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0013363.exe -> TrojanProxy.Agent.cx -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0014355.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0014362.exe -> Trojan.Agent.x -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000002.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001006.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002007.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002141.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0002146.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0002158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0003164.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0006158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0006159.dll -> TrojanDownloader.Agent.kf -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0007158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\WINDOWS\Buddy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\02bwp.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\51ea.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\a67.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CLUIDS.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tryaolfree[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ILTODIS.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\olexp.exe -> TrojanProxy.Agent.cx -> Cleaned with backup
C:\WINDOWS\SYSTEM32\PACKSIPC.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\spoolsrv32.exe -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\srdrv32.dll -> TrojanDownloader.Small.aoa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\t38vm0.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wldr.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__srvc32.dll -> TrojanDownloader.Small.aoa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__srvc32.exe -> TrojanDownloader.Small.aoa -> Cleaned with backup

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:24:08 AM, 5/3/2005
+ Report-Checksum: 206C588C

+ Date of database: 5/3/2005
+ Version of scan engine: v3.0

+ Duration: 104 min
+ Scanned Files: 116830
+ Speed: 18.63 Files/Second
+ Infected files: 68
+ Removed files: 68
+ Files put in quarantine: 68
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Cookies\keri@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\CJAFYFER\$file[1] -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\QHSVKFQP\$file[1] -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\I386\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\I386\system@tryaolfree[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\r.exe -> TrojanDropper.Small.uy -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000001.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0007159.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0007168.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0008158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0008162.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0009159.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0009182.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0010182.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0010195.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0011195.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011197.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011209.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011217.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011336.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0011346.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0012346.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0012364.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0012365.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0013360.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0013363.exe -> TrojanProxy.Agent.cx -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0014355.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0014362.exe -> Trojan.Agent.x -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000002.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001006.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002007.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002141.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0002146.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0002158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0003164.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0006158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0006159.dll -> TrojanDownloader.Agent.kf -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0007158.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
C:\WINDOWS\Buddy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\02bwp.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\51ea.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\a67.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CLUIDS.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tryaolfree[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ILTODIS.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\olexp.exe -> TrojanProxy.Agent.cx -> Cleaned with backup
C:\WINDOWS\SYSTEM32\PACKSIPC.exe -> Trojan.Agent.x -> Cleaned with backup
C:\WINDOWS\SYSTEM32\spoolsrv32.exe -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\srdrv32.dll -> TrojanDownloader.Small.aoa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\t38vm0.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wldr.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__srvc32.dll -> TrojanDownloader.Small.aoa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__srvc32.exe -> TrojanDownloader.Small.aoa -> Cleaned with backup

::Report End
::Report End
::Report End did this right. look foward to hearing from you. thanks

#8
kfinne

Posted 03 May 2005 - 08:34 AM

New Member

Topic Starter
Member
9 posts

here's myLogfile of HijackThis v1.99.1
Scan saved at 10:25:36 AM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Keri\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{8A1982C3-8041-D093-3C11-E38789564F26} - (no file)
R3 - URLSearchHook: (no name) - {8A1982C3-8041-D093-3C11-E38789564F26} - C:\WINDOWS\system32\CLUIDS.exe (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\02bwp.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\Run: [snmpapi] C:\WINDOWS\System32\snmpapi.exe
O4 - HKCU\..\Run: [fxsxp32] C:\WINDOWS\System32\fxsxp32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKCU\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://groundworm.bi...m::/simple3.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

HJT log. Didn't know how to post both together

#9
don77

Posted 03 May 2005 - 07:09 PM

Malware Expert

Retired Staff
18,526 posts

Hi kfinne

HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it will be lost. Please create a new folder for it and place the program into that new folder.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt
Move HJT into it please
Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.
Check CWShredder for updates, Now click on the "Fix" button.
Please set your system to show
all files; please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{8A1982C3-8041-D093-3C11-E38789564F26} - (no file)
R3 - URLSearchHook: (no name) - {8A1982C3-8041-D093-3C11-E38789564F26} - C:\WINDOWS\system32\CLUIDS.exe (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\02bwp.dll (file missing)
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\Run: [snmpapi] C:\WINDOWS\System32\snmpapi.exe
O4 - HKCU\..\Run: [fxsxp32] C:\WINDOWS\System32\fxsxp32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKCU\..\Run: [AD9B51CB] C:\WINDOWS\system32\TRSVI.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [hcxcz2t.exe] C:\WINDOWS\System32\hcxcz2t.exe /k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {145F286A-92AF-440B-AFEA-89F8ACDE4C14} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D417F6F-9586-4647-8253-EED86CEE2ED1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EE4E079-0A70-4640-9E69-3C18D658675C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D13727-034C-4FBA-A7A4-DC73332BC76C} - (no file) (HKCU)
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://groundworm.bi...m::/simple3.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\xpsp2fw.exe
C:\Program Files\Security iGuard\
C:\WINDOWS\System32\hcxcz2t.exe
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\snmpapi.exe
C:\WINDOWS\System32\fxsxp32.exe
C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\system32\I32API.exe
C:\WINDOWS\system32\TRSVI.exe
c:\wp.exe
C:\Program Files\Ebates_MoeMoneyMaker\
C:\WINDOWS\System32\cmdtel.exe
Exit Explorer, and reboot as normal afterwards.
Open kill box
In the killbox program, select the Delete on Reboot option.
In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the [b]YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

Post back a fresh HijackThis log and we will take another look.

#10
kfinne

Posted 03 May 2005 - 09:44 PM

New Member

Topic Starter
Member
9 posts

hi don77
i followed your instructions. most of the files you told me to delete using windows explorLogfile of HijackThis v1.99.1
Scan saved at 11:38:59 PM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

er weren't there. so i did the best i could. hope it looks OK.

#11
don77

Posted 03 May 2005 - 10:05 PM

Malware Expert

Retired Staff
18,526 posts

Looks much better !!! Lets see if we can get the last few here,

Please set your system to show
all files; please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [A072578E] C:\WINDOWS\system32\I32API.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\I32API.exe
C:\WINDOWS\System32\cmdtel.exe
Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.

#12
kfinne

Posted 04 May 2005 - 08:26 AM

New Member

Topic Starter
Member
9 posts

don77
i checked off the 3 items in hJT. but i cannot find the 2 files you want me to delete in windowsLogfile of HijackThis v1.99.1
Scan saved at 10:22:25 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

explorer. they aren't there. here's my new log

#13
don77

Posted 04 May 2005 - 05:56 PM

Malware Expert

Retired Staff
18,526 posts

Amost there,

Go to Start->Run and type in services.msc and hit OK. Then look for Loading Outpost Connections (KDE) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Now open HJT, Put a check mark next to the following, Close all open windows leaving only HJT open, Click the "Fix checked" button,

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

Reboot and post back a fresh LOG please

#14
kfinne

Posted 05 May 2005 - 07:13 AM

New Member

Topic Starter
Member
9 posts

Hi don77. here's my new log. the file you told me to check off in HJT wasn't there but here's thLogfile of HijackThis v1.99.1
Scan saved at 9:09:24 AM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Keri\Local Settings\Temporary Internet Files\Content.IE5\OPSTSF6R\aiepk2[2].exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

e log anyway

#15
don77

Posted 05 May 2005 - 05:51 PM

Malware Expert

Retired Staff
18,526 posts

One last thing if your using this program 'Another IE Popup Killer' You should move it out of the temp folder you have it in,

Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,