need help with lots of spyware and malware [CLOSED]



#1
Ar'tenen
I have gone through your 'must read before posting a hijackthis log' thread and done everything on there. I still have many problems and need some help. I have cleaned several computers of spy/malware before, but it has been a while and I'm needing some guidance. thanks!

Logfile of HijackThis v1.99.1
Scan saved at 6:33:07 PM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\smdnes.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\intell32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\MikeS\wfcj.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20056\services.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mfcgh.exe] C:\WINDOWS\system32\mfcgh.exe
O4 - HKLM\..\Run: [Hnc] C:\WINDOWS\System32\Reg.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Skf.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Kej] C:\WINDOWS\system32\Odd.exe
O4 - HKLM\..\Run: [Etv] C:\WINDOWS\Ngc.exe
O4 - HKLM\..\Run: [kpiajje] c:\windows\system32\smdnes.exe r
O4 - HKCU\..\Run: [Hnc] C:\WINDOWS\System32\Reg.exe
O4 - HKCU\..\Run: [jjxyqhw] c:\windows\woldesf.exe
O4 - HKCU\..\Run: [gmeyako] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [aomiphb] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [avsyjmf] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [mubrqhp] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [rfhjlix] c:\windows\ykcilbs.exe
O4 - HKCU\..\Run: [ibvbkwi] c:\windows\oocyyut.exe
O4 - HKCU\..\Run: [lpgjwff] c:\windows\jfwatmb.exe
O4 - HKCU\..\Run: [wfcj] C:\Documents and Settings\MikeS\wfcj.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Skf.exe
O4 - HKCU\..\Run: [wogilp] C:\Documents and Settings\MikeS\Desktop\wogilp.exe
O4 - HKCU\..\Run: [wamep] C:\Documents and Settings\MikeS\Desktop\wamep.exe
O4 - HKCU\..\Run: [wrwseabcl] C:\Documents and Settings\MikeS\Desktop\wrwseabcl.exe
O4 - HKCU\..\Run: [Kej] C:\WINDOWS\system32\Odd.exe
O4 - HKCU\..\Run: [Etv] C:\WINDOWS\Ngc.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7BAB9769-B6A2-4FCF-95F6-CE060E607744} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BAB9769-B6A2-4FCF-95F6-CE060E607744} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FDAF3DF9-9692-4964-8E62-51574A92A743} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FDAF3DF9-9692-4964-8E62-51574A92A743} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122078761937
O20 - AppInit_DLLs: fhook.dll
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
#2
Justin
Hello, welcome to the GeekstoGo Forums!

My name is Justin, and I will be helping you clean up your system. Lets get started!

Please print out a copy of these directions so that you may easily reference them during the fix.

You have some nasty infections. Before we can get started we need to do a few things.

Step 1 - Disabling Microsoft Anti Spyware
We need to disable Microsoft AntiSpyware before we can continue.
Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Step 2 - Upload a file to a Helper

You have a file that recently started showing up on systems. If you do not mind, I would like you to submit it to a Helper here at Geekstogo.com. Please email the following file to Atri at submit@atribune.org

C:\WINDOWS\dsr.dll


If possible please zip the file before sending it.

Step 3 - Downloads

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CWShredder here to its own folder.

Download PSGuardFix

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Step 4 - Safe Mode

Boot into Safe Mode by following the below directions
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Service: Loading Outpost Connections (KDE)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

KDE

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Next, please reboot your computer again in Safe Mode.

Step 5 - Nail Fix

Please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal

Step 6 - CWShredder and HiJackThis

Run CWShredder

Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20056\services.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [mfcgh.exe] C:\WINDOWS\system32\mfcgh.exe
O4 - HKLM\..\Run: [Hnc] C:\WINDOWS\System32\Reg.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Skf.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Kej] C:\WINDOWS\system32\Odd.exe
O4 - HKLM\..\Run: [Etv] C:\WINDOWS\Ngc.exe
O4 - HKLM\..\Run: [kpiajje] c:\windows\system32\smdnes.exe r
O4 - HKCU\..\Run: [Hnc] C:\WINDOWS\System32\Reg.exe
O4 - HKCU\..\Run: [jjxyqhw] c:\windows\woldesf.exe
O4 - HKCU\..\Run: [gmeyako] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [aomiphb] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [avsyjmf] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [mubrqhp] c:\windows\tbmupnb.exe
O4 - HKCU\..\Run: [rfhjlix] c:\windows\ykcilbs.exe
O4 - HKCU\..\Run: [ibvbkwi] c:\windows\oocyyut.exe
O4 - HKCU\..\Run: [lpgjwff] c:\windows\jfwatmb.exe
O4 - HKCU\..\Run: [wfcj] C:\Documents and Settings\MikeS\wfcj.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Skf.exe
O4 - HKCU\..\Run: [wogilp] C:\Documents and Settings\MikeS\Desktop\wogilp.exe
O4 - HKCU\..\Run: [wamep] C:\Documents and Settings\MikeS\Desktop\wamep.exe
O4 - HKCU\..\Run: [wrwseabcl] C:\Documents and Settings\MikeS\Desktop\wrwseabcl.exe
O4 - HKCU\..\Run: [Kej] C:\WINDOWS\system32\Odd.exe
O4 - HKCU\..\Run: [Etv] C:\WINDOWS\Ngc.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7BAB9769-B6A2-4FCF-95F6-CE060E607744} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BAB9769-B6A2-4FCF-95F6-CE060E607744} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FDAF3DF9-9692-4964-8E62-51574A92A743} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FDAF3DF9-9692-4964-8E62-51574A92A743} - (no file) (HKCU)
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

===================================================

Step 7 - SmitRem

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Step 8 - PSGuard Fix

Please double click on PSGuardFix.exe and run it.

Step 9 - AdAware Scan

Open Ad-aware and do a full scan. Remove all it finds.

Step 10 - Ewido Scan

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido


Step 11 - Take Back Your Desktop!

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Step 12 - Cleaning Up

Next, open Windows Explorer. The easiest way to do this is:
Click Start
Select Run
Type in Explorer
While in Windows Explorer, please delete the following files, if they are found. Please note that you may not find the files; please let me know if you do not find them.

C:\WINDOWS\Nail.exe
C:\WINDOWS\inet20056\services.exe
C:\WINDOWS\system32\mfcgh.exe
C:\WINDOWS\System32\Reg.exe
C:\WINDOWS\Skf.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\system32\intell32.exe
C:\WINDOWS\system32\Odd.exe
C:\WINDOWS\Ngc.exe
c:\windows\system32\smdnes.exe r
c:\windows\woldesf.exe
c:\windows\tbmupnb.exe
c:\windows\ykcilbs.exe
c:\windows\oocyyut.exe
c:\windows\jfwatmb.exe
C:\Documents and Settings\MikeS\wfcj.exe
C:\Documents and Settings\MikeS\Desktop\wogilp.exe
C:\Documents and Settings\MikeS\Desktop\wamep.exe
C:\Documents and Settings\MikeS\Desktop\wrwseabcl.exe
C:\WINDOWS\System32\cmdtel.exe (file missing)


In Windows Explorer, please delete the following folders, if they are found.

c:\Program Files\DiallerProgram

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
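The helper above built the fix list by reading the HijackThis log by eye. The Python below is added here as an illustration (it is not part of the thread, of HijackThis, or of any of the tools named in it) and automates that triage: it parses the F2, O2, O4, O15, O20 and O23 lines, flags the patterns that made entries suspicious in this thread (a second program on the Winlogon Shell line, BHOs and services whose file is missing or sits straight in C:\WINDOWS, autoruns launched from a user profile or carrying a random-looking value name, any Trusted-zone addition, any AppInit_DLLs value), and maps each hit to the registry location and file a remover would clean. The sample lines are copied from the first log and from the follow-up log in reply #3; the random-name test and the "directly in %WINDIR%" rule are my own heuristics rather than HijackThis logic, and the registry paths are the Windows XP locations those HJT sections describe. survivors() compares the two logs to show which persistence the fix left behind.

```python
"""Triage a HijackThis (HJT) log: flag hostile-looking persistence entries and map each to the registry location and file a remover would clean. Heuristics, not verdicts."""
import re
from dataclasses import dataclass

# Constructed samples: lines copied from the two logs in this thread, a few per section.
BEFORE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kpiajje] c:\windows\system32\smdnes.exe r
O4 - HKCU\..\Run: [wogilp] C:\Documents and Settings\MikeS\Desktop\wogilp.exe
O15 - Trusted Zone: *.horse-active.net (HKLM)
O20 - AppInit_DLLs: fhook.dll
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
AFTER_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [loxxcu] c:\windows\system32\qdlkjom.exe r
O15 - Trusted Zone: *.horse-active.net (HKLM)
O20 - AppInit_DLLs: fhook.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Registry homes of the HJT sections handled below (Windows XP layout, as in the thread).
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
APPINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
ZONEMAP = r"HK*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
RUN_RE = re.compile(r"(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)")
BHO_RE = re.compile(r"BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)")
SVC_RE = re.compile(r"Service: (.*?) - (.*?) - (.*)")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|pif))"?(?:\s|$)', re.I)
MISSING = re.compile(r"\((?:file missing|no file)\)")
USER_PROFILE = re.compile(r"\\Documents and Settings\\", re.I)
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)  # file sits directly in %WINDIR%
RANDOM_NAME = re.compile(r"[a-z]{4,10}")  # value names like kpiajje / loxxcu (assumed heuristic)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    registry: str  # where the persistence lives
    path: str      # file to quarantine, "" when it is already gone
    raw: str       # the HJT line, ready to paste into a fix list


def exe_of(command: str) -> str:
    m = EXE_RE.match(command.strip())  # first executable, tolerating unquoted paths with spaces
    return m.group(1) if m else command.strip()


def triage(log_text: str) -> list[Finding]:
    out: list[Finding] = []
    for raw in (line.strip() for line in log_text.splitlines()):
        if not (m := re.match(r"(R\d|F\d|O\d+) - (.*)", raw)):
            continue
        sec, body = m.groups()

        def flag(reason: str, registry: str, path: str = "") -> None:
            out.append(Finding(sec, reason, registry, path, raw))

        if sec == "F2" and "Shell=" in body:
            parts = body.split("Shell=", 1)[1].split(None, 1)  # ["Explorer.exe", "<extra program>"]
            if len(parts) > 1 or parts[0].lower() != "explorer.exe":
                flag("Winlogon Shell launches an extra program", WINLOGON, exe_of(parts[-1]))
        elif sec == "O2" and (bm := BHO_RE.search(body)):
            clsid, path = bm.groups()
            if MISSING.search(path):
                flag("orphaned BHO registration", f"{BHO_KEY}\\{clsid}")
            elif WINDOWS_ROOT.match(path):
                flag("BHO DLL dropped directly in %WINDIR%", f"{BHO_KEY}\\{clsid}", path)
        elif sec == "O4" and (rm := RUN_RE.match(body)):
            hive, key, name, cmd = rm.groups()
            exe = exe_of(cmd)
            reg = f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key} -> [{name}]"
            if USER_PROFILE.search(exe):
                flag("autorun from a user profile directory", reg, exe)
            elif WINDOWS_ROOT.match(exe):
                flag("autorun binary dropped directly in %WINDIR%", reg, exe)
            elif RANDOM_NAME.fullmatch(name):
                flag("machine-generated-looking value name", reg, exe)
        elif sec == "O15":
            target = body.split(":", 1)[1].split()[0]
            flag("host added to the Trusted zone", f"{ZONEMAP} -> {target}")
        elif sec == "O20" and body.split(":", 1)[-1].strip():
            flag("DLL loaded into every process that maps user32", APPINIT, body.split(":", 1)[1].strip())
        elif sec == "O23" and (sm := SVC_RE.match(body)):
            display, owner, path = sm.groups()
            pm = re.search(r"\(([^()]+)\)$", display)  # "Display Name (ServiceName)"
            if owner == "Unknown owner" and (MISSING.search(path) or WINDOWS_ROOT.match(path)):
                flag("unknown-owner service with missing or dropped binary",
                     f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{pm.group(1) if pm else display}",
                     "" if MISSING.search(path) else path)
    return out


def survivors(before: str, after: str) -> list[Finding]:
    """Flagged entries present in both logs: persistence the fix did not remove."""
    seen = {f.raw for f in triage(before)}
    return [f for f in triage(after) if f.raw in seen]
```

Feed triage() the whole log text; on the samples it passes the AVG and Adobe lines and flags the other nine, and survivors() returns the Nail.exe shell, the Trusted-zone entry, the AppInit DLL and the SvcProc service that are still in the second log. Anything it does not cover (the hijacked R0/R1 search URLs, the O16 ActiveX downloads) needs a reputation lookup on the host, which the example deliberately leaves out.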

#3
Ar'tenen (Topic Starter)
First off...thank you so much for helping me out.

now to the issues i encountered following your instruction...

step 1. I disabled MS anti-spyware like you said but it still has reloaded every time I've rebooted.

step 12. Almost all of those files were not found. Here are the ones I found and deleted:
C:\WINDOWS\System32\Reg.exe
C:\WINDOWS\dinst.exe
C:\Documents and Settings\MikeS\wfcj.exe
The C:\Program Files\DiallerProgram directory was not there either.

There are still several things going on. I did reboot a couple times before I ran this new HJT log. Here are the logs (HJT, SmitRem, Ewido, Panda):

Logfile of HijackThis v1.99.1
Scan saved at 4:25:58 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\qdlkjom.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [loxxcu] c:\windows\system32\qdlkjom.exe r
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122078761937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - AppInit_DLLs: fhook.dll
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


smitRem log file
version 2.2

by noahdfear

The current date is: Fri 07/29/2005
The current time is: 11:28:03.06

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover


~~~ Favorites ~~~



~~~ system32 folder ~~~

intell32.exe


~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll Present! ~~~~


~~~~ Checking KB883939\SP2QFE\wininet.dll for infection ~~~~


~~~~ KB883939\SP2QFE Clean! ~~~~

~~~ Replaced wininet.dll from KB883939\SP2QFE ~~~


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:39:26 PM, 7/29/2005
+ Report-Checksum: BEBCB968

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{03D3AD2F-C841-443F-8A21-A7D2A62B6626} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{563E5DF0-2C1C-4513-BBF5-D380536BB8FC} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{67355A47-1544-4905-B698-4D7E5B62EC32} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{69A4F9FF-E915-11D5-A9F1-009099104002} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6D6DDF37-B491-49D3-8733-600FA16940A0} -> Spyware.Wonderland : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8CDC6A46-08AB-435B-A3FA-7CC00E74EC9F} -> Spyware.PerMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8DCE908E-9E35-11D3-9431-009099104002} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{91DF007C-2F7F-4731-BE1F-38C1C13CEB8B} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{96B01A48-1317-4A87-91F7-10116F755705} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9CF7345D-CE2A-4C32-9D4D-BBEEF8A7257B} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9E7138EE-4E7B-11D5-94EF-006008A4ED7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F2C17AC-9AA4-4C3A-82C7-EA7BCF00F03D} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AB4DD0F0-38DA-4F48-AAFE-7DE7323BB6B2} -> Spyware.ClickTheButton : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B2C03E2E-2219-4FF9-810A-540ACA63F8D9} -> Spyware.MarketScore : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CA7CCB52-6922-47E5-B784-3A3F82C51863} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DD770A75-CE18-11D5-98D8-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EC788B03-A743-4274-AC9E-DB4F2A03F515} -> Spyware.SearchAndBrowse : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} -> Spyware.FreeScratchCards : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F332D106-2EF3-45C4-BAF2-0F739D76B26A} -> Dialer.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0269420-A638-4509-889C-8FC3CC85DA7E} -> Dialer.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B72F75B8-93F3-429D-B13E-660B206D897A} -> Spyware.Hijacker.Generic : Cleaned with backup
HKU\S-1-5-21-2857422465-4036164967-2552189465-1005\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2857422465-4036164967-2552189465-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-2857422465-4036164967-2552189465-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-2857422465-4036164967-2552189465-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2857422465-4036164967-2552189465-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0269420-A638-4509-889C-8FC3CC85DA7E} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-2857422465-4036164967-2552189465-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B72F75B8-93F3-429D-B13E-660B206D897A} -> Spyware.Hijacker.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0269420-A638-4509-889C-8FC3CC85DA7E} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B72F75B8-93F3-429D-B13E-660B206D897A} -> Spyware.Hijacker.Generic : Cleaned with backup
[892] c:\windows\system32\uzhcsip.exe -> Adware.BetterInternet : Cleaned with backup
[1272] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Cleaned with backup
C:\Documents and Settings\MikeS\Cookies\mikes@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050729-112622-849.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Aie.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Aru.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Asc.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Bpe.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Cgi.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Chj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Cqu.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Cuj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Dgf.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Djd.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Dsq.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\Edl.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Eff.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Fad.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Fdb.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Fip.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Foe.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Frp.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Fso.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Gan.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Gmu.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Gqc.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Gsi.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Ief.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\inet20056\3.00.06.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\Ipu.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\Jit.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Jja.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Jjn.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Jnc.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\js128k.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\Khr.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Kkj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Kqj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Ksv.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Ktg.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\kubzhc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Loh.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Mkq.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\mmm1.exe -> TrojanSpy.Delf.ig : Cleaned with backup
C:\WINDOWS\mmm4.exe -> TrojanSpy.Delf.ig : Cleaned with backup
C:\WINDOWS\Ndm.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Nhr.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Nmu.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Occ.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Omc.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Par.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Pcb.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Ppj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Qcf.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Qgs.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Rec.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Rgj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Roi.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Rvn.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\sasetup.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Sbm.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Sfq.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\skiller.exe -> Trojan.Small.ei : Cleaned with backup
C:\WINDOWS\Stj.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\uzhcsip.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Tlo.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Vca.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Vfs.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Vqf.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Vse.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\Vvh.html -> Spyware.Spywad : Cleaned with backup


::Report End



Incident                     Status          Location

Adware:adware/aurora         No disinfected  C:\WINDOWS\SYSTEM32\DrPMon.dll
Adware:adware/dloader        No disinfected  C:\WINDOWS\SYSTEM32\msblank.html
Adware:adware/findspy        No disinfected  C:\DOCUMENTS AND SETTINGS\MIKES\FAVORITES\ Free Hidden Cams World - Realtime.url
Adware:adware/cws.yexe       No disinfected  C:\messanger.ini
Adware:adware/transponder    No disinfected  C:\WINDOWS\abiuninst.htm
Adware:adware/exactsearch    No disinfected  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
Adware:adware/azesearch      No disinfected  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\BEST SEARCH ENGINE!!!
Adware:adware/mediatickets   No disinfected  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0\PPCIMDNNNJBEAHEPFABJIPFGINLOEDKG EGCKAK
Virus:W32/Smitfraud.A        Disinfected     C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
Virus:W32/Smitfraud.A        Disinfected     C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
Virus:Trj/Listener.A         Disinfected     C:\WINDOWS\mmm.exe
Virus:Trj/Dropper.DV         Disinfected     C:\WINDOWS\system32\open32_uninstall.exe
Adware:Adware/Findspy        No disinfected  C:\WINDOWS\system32\pelodsxh.exe
Virus:W32/Smitfraud.D        Disinfected     C:\WINDOWS\system32\wininet.old
#4 Justin

Hi There!

Download Process Explorer from HERE

Run Process Explorer and find the following process in the list of Processes:

qdlkjom.exe

Select the process and click Process > Suspend.

Leave Process Explorer running with the process suspended the whole time! Do NOT close it - even when your system is rebooting!

Then run HijackThis. Click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\windows\system32\qdlkjom.exe
When prompted if you want to reboot click YES

After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [loxxcu] c:\windows\system32\qdlkjom.exe r

Rescan with HiJackThis and post the new log.

Edited by Jfcap, 29 July 2005 - 08:52 PM.

#5 Ar'tenen (Topic Starter)

followed your instructions...rebooted before the last hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 12:07:50 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122078761937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - AppInit_DLLs: fhook.dll
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
#6 Justin

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, don't run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O20 - AppInit_DLLs: fhook.dll


Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now using Windows Explorer find and remove the following folders/files
C:\WINDOWS\Nail.exe <-- File

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply
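The entries picked out for Fix-check above (a Shell= value that starts something besides Explorer.exe, R0/R1 search URLs pointing at an unknown host, a BHO DLL sitting directly in C:\WINDOWS, a populated AppInit_DLLs) are selected by a small set of rules that can be written down. The script below is an added example, not code from this thread or from HijackThis: it parses HJT-format lines and flags the same classes of entry. The sample lines are copied from the logs posted in this thread (URLs the forum shortened with "..." are kept as posted); the allow-lists of known search hosts and known autostart programs are assumptions made for the demonstration, not a vendor database.

```python
"""Rule-based triage of HijackThis (HJT) log lines.
Added example for this thread; not HijackThis code and not a vendor signature
database. SAMPLE_LOG is copied from the logs posted above (URLs the forum
shortened with "..." are kept as posted). The allow-lists are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [loxxcu] c:\windows\system32\qdlkjom.exe r
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted IP range: 64.62.171.156
O20 - AppInit_DLLs: fhook.dll
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

LINE_RE = re.compile(r"^(?P<section>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)  # file directly in C:\WINDOWS

KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}  # assumed allow-list
KNOWN_RUN_EXES = {"qttask.exe", "realsched.exe", "avgcc.exe", "avgemc.exe", "gcasserv.exe"}  # assumed allow-list


@dataclass
class Finding:
    severity: str  # high / medium / low
    section: str   # HJT section code, e.g. O4
    reason: str
    line: str


def _host(url):
    if "://" not in url:  # some HJT search entries omit the scheme
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check(section, body, line):
    """Apply the rules to one parsed HJT line; return a Finding or None."""
    if section == "F2" and "Shell=" in body:
        # Winlogon Shell should be exactly Explorer.exe; extra tokens run at every logon.
        extra = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
        if extra:
            return Finding("high", section, "Winlogon shell also starts " + " ".join(extra), line)
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return Finding("high", section, "AppInit_DLLs injects a DLL into every process that loads user32.dll", line)
    if section == "O15":
        return Finding("high", section, "site or IP added to the IE Trusted Zone (relaxed security)", line)
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if "ProxyServer" in key and not re.search(r"[\w.-]+:\d+$", value):  # expect host:port
            return Finding("medium", section, f"malformed ProxyServer value {value!r}", line)
        if "Search" in key:
            host = _host(value)
            if host and host not in KNOWN_SEARCH_HOSTS:
                return Finding("medium", section, f"search setting redirected to {host}", line)
    if section == "O4" and (m := RUN_RE.match(body)) and (e := EXE_RE.match(m["cmd"])):
        exe = e["exe"]
        base = exe.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_RUN_EXES:
            # a [n] suffix is how IE names files it saved from its download cache
            if WINDOWS_ROOT_FILE.match(exe) or re.search(r"\[\d+\]", base):
                return Finding("medium", section, f"autostart {base} from the Windows root or a browser-cache name", line)
            if "\\windows\\" in exe.lower():
                return Finding("low", section, f"unlisted autostart {base} under the Windows directory", line)
    if section == "O2" and WINDOWS_ROOT_FILE.match(body.rsplit(" - ", 1)[-1]):
        return Finding("medium", section, "BHO DLL placed directly in the Windows directory", line)
    if section == "O21":
        return Finding("medium", section, "SSODL entry loads a DLL into Explorer at logon; verify the file", line)
    if section == "O23" and "Unknown owner" in body and WINDOWS_ROOT_FILE.match(body.rsplit(" - ", 1)[-1]):
        return Finding("medium", section, "service with no publisher running from the Windows root", line)
    return None


def triage(log_text):
    """Findings for every recognised HJT line in log_text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if (m := LINE_RE.match(raw.strip())) and (f := check(m["section"], m["body"], raw.strip())):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run it as-is to print the findings for the sample, or pass a whole saved log to triage(). The rules are heuristics in the spirit of the reasoning in this thread, not a signature database: the low-severity O4 rule in particular only says "look at this", and a file-hash lookup or a human decides.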
#7 Ar'tenen (Topic Starter)

ok, followed all that. here is the latest HJT log and ewido log. thanks again for all this...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:40:59 PM, 8/2/2005
+ Report-Checksum: 28F63DAB

+ Scan result:

C:\Documents and Settings\MikeS\Cookies\mikes@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\MikeS\Cookies\mikes@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-2857422465-4036164967-2552189465-1005\Dc2.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\kubzhc.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:49:59 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122078761937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
#8 Justin

Hello! We cleared a lot of stuff, and that is good. Let's clear the rest of it up!

Right click Here and select Save As to download WinHelp2002's DelDomains.inf.

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. We will use this file later when we are in safemode.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.


Once in Safemode:

Right click "Deldomains.inf" and click "Install". It will not appear to have done anything, that's ok. Next step.

Please run Killbox.exe

Select "Delete on Reboot".

Copy the below line:

c:\Program Files\DiallerProgram


Back in Killbox, paste the line where it says Full Path of File to Delete

Next, place a checkmark next to DelTree (Include SubDirectories)

Then, click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Then post a new HiJackThis log for me to look at.
#9 Ar'tenen (Topic Starter)

here's the new HJT log, Justin:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:24 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122078761937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
#10 Justin

Hello!

Please find this folder:
c:\Program Files\DiallerProgram

And zip it up. I need you to email a zipped version of this file to the email address below. Tell him that you are emailing it per my request, and include the title of this topic.

Email the folder to:

Submit@Atribune.org

#11 Ar'tenen (Topic Starter)

I cannot find that directory in Program Files or anywhere else. I even searched for that 030925[1].exe file referred to in the HJT log, but cannot find it either. Something is still definitely going on though...my firewall gets hijacked every reboot.

Let me know what else.
#12 Justin

Make sure that you have all files showing.

Open Windows Explorer
Click Tools
Click Folder Options
Select the View tab
Select Show all files and folders.

Then look for the folder, and send it if you find it.

Tell me if you find it or not.
#13 Ar'tenen (Topic Starter)

I always keep all files set to show. Double-checked it to make sure. Still no directory.
#14 Justin

Hello.

Please shut off Microsoft Anti Spyware.

Open HiJackThis and rescan your computer. Place a check next to the following:

O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r


Then close all windows and programs and press Fix Checked

Reboot your computer and then post a new HiJackThis log.
#15 Ar'tenen (Topic Starter)

I shut off the MS Anti-Spyware, but it always starts back up even though I have everything in it turned off. I even tried to uninstall it, but it still loaded a running process every reboot. I re-installed it to see if I could just turn off all the settings, but haven't done anything else with it...just left it there for now. Should I try to uninstall it again to get it out of our way?

I fix-checked the diallerprogram, but it comes back. here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:37 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122078761937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
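The Run entry that was fix-checked in the previous step is back in this log, while entries fixed earlier (the Shell= line, the search URLs, the BHO, the Trusted Zone) stayed gone. Comparing the successive logs together with the fixes applied between them makes that distinction explicit. The script below is an added example, not part of this thread or of HijackThis; the snapshots are constructed from the four logs posted above (only the entries under discussion are kept) and the fix lists from the instructions given between those logs.

```python
"""Track HijackThis entries across successive logs and the fixes applied between them.
Added example for this thread, not HijackThis code. Snapshots are built from the
four logs posted above (only the lines under discussion); each 'fix' is the set of
entries Fix-checked before the next log. An entry that was fixed and is back in a
later log is 'reappeared': something still running re-created it.
"""

# Log lines copied from the thread; named so the snapshots stay consistent.
NAIL      = r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe"
SEARCHBAR = r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id="
PROXY     = r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://"
DSR_BHO   = r"O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll"
DIALLER   = r"O4 - HKLM\..\Run: [Live Sex Show] c:\Program Files\DiallerProgram\030925[1].exe -r"
DINST     = r"O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe"
ZONE      = r"O15 - Trusted Zone: *.horse-active.net"
APPINIT   = r"O20 - AppInit_DLLs: fhook.dll"
SSODL     = r"O21 - SSODL: NTDBGTOOL - {F01A8674-285F-4C18-A1DB-C007E32D6B55} - C:\WINDOWS\System32\wlnobdbe.dll"
SVCPROC   = r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe"

# Chronological events constructed from the thread: ("log", label, lines) or ("fix", label, lines).
EVENTS = [
    ("log", "8/2 12:07", [NAIL, SEARCHBAR, PROXY, DSR_BHO, DIALLER, DINST, ZONE, APPINIT, SSODL, SVCPROC]),
    ("fix", "post #6",   [NAIL, SEARCHBAR, DSR_BHO, APPINIT]),
    ("log", "8/2 15:49", [PROXY, DIALLER, ZONE, SSODL]),
    ("fix", "post #8",   [ZONE]),
    ("log", "8/2 17:30", [PROXY, DIALLER, SSODL]),
    ("fix", "post #14",  [DIALLER]),
    ("log", "8/3 11:32", [PROXY, DIALLER, SSODL]),
]


def _norm(line):
    """Collapse whitespace so the same entry compares equal across logs."""
    return " ".join(line.split())


def track(events):
    """Return {entry: {"status", "seen", "fixed"}} for every entry found in any log.

    status: reappeared - removed by a fix, present again in a later log
            persistent - in every log, never fixed
            present    - in the latest log, but not in all of them
            gone       - absent from the latest log
    """
    logs = [ev for ev in events if ev[0] == "log"]
    latest = {_norm(l) for l in logs[-1][2]} if logs else set()
    state = {}
    for kind, label, lines in events:
        for entry in {_norm(l) for l in lines}:
            st = state.setdefault(entry, {"seen": [], "fixed": [], "last": None, "reappeared": False})
            if kind == "fix":
                st["fixed"].append(label)
                st["last"] = "fixed"
            else:
                if st["last"] == "fixed":  # removed earlier, yet back in this log
                    st["reappeared"] = True
                st["seen"].append(label)
                st["last"] = "seen"
    results = {}
    for entry, st in state.items():
        if not st["seen"]:
            continue
        if st["reappeared"]:
            status = "reappeared"
        elif entry in latest and len(st["seen"]) == len(logs) and not st["fixed"]:
            status = "persistent"
        elif entry in latest:
            status = "present"
        else:
            status = "gone"
        results[entry] = {"status": status, "seen": st["seen"], "fixed": st["fixed"]}
    return results


def report(results):
    """Human-readable lines, worst status first."""
    order = {"reappeared": 0, "persistent": 1, "present": 2, "gone": 3}
    out = []
    for entry, r in sorted(results.items(), key=lambda kv: (order[kv[1]["status"]], kv[0])):
        fixed = f" fixed in {', '.join(r['fixed'])}" if r["fixed"] else ""
        out.append(f"{r['status']:10} seen {len(r['seen'])}x{fixed}: {entry}")
    return out


if __name__ == "__main__":
    print("\n".join(report(track(EVENTS))))
```

A "reappeared" entry points at a component that is still running and re-writing its persistence, so the next step is to look at what else survives in every log (here the O21 SSODL DLL and the ProxyServer value) rather than deleting the Run value a third time.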