Another victim of WinFixer 2005 [RESOLVED]


This topic is locked

#1
Patricia_432 (Member, 19 posts)
Hi Expert,

I got WinFixer 2005 on my desktop. Please help. The following is my log:
I appreciate your help.
Patricia

Logfile of HijackThis v1.99.1
Scan saved at 8:03:41 AM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\ggviewer81-39.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wang\Local Settings\Temporary Internet Files\Content.IE5\U5CZEX6Z\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://office.micros...ainCatalog.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dai.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.williamoneil.com;*.dailygraphs.com;www.investors.com;198.190.229.*;172.22.*.*;netdai.com;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.dailygrap.../WonSearchX.ocx
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.webster.c.../webinstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099505347117
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.dailygrap...ocx/WonList.ocx
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors...ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.dailygrap.../ocx/PFMngr.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dai.netdai.com
O17 - HKLM\Software\..\Telephony: DomainName = dai.netdai.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dai.netdai.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Intuit, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
  • 0
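The HijackThis log above is a line-oriented format: a short header, a "Running processes:" block, then entries tagged with a section code (R1, O2, O4, O16, O20, O23 and so on). The parser below is an added example written for this thread; it is not part of the forum post and not code from HijackThis. It splits a log into those three parts, pulls the CLSID, file path and URL out of each entry, and cross-references the O4 autostart entries against the running-process list so an analyst can see which autostarts were actually live at scan time. The sample input is a handful of lines copied from the log above; the section-code and path regular expressions are my own reading of the format, not the tool's specification.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log in post #1 of this
# thread, trimmed so the example runs offline. Backslashes are doubled for Python.
SAMPLE_HJT_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 8:03:41 AM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Downloaded Program Files\\UWFX5LP_0001_0803NetInstaller.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy.dai.com:80
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O4 - HKLM\\..\\Run: [Dinst] C:\\WINDOWS\\dinst.exe
O4 - HKLM\\..\\Run: [NI.UWFX5LP_0001_0803] "C:\\WINDOWS\\Downloaded Program Files\\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\\..\\Run: [McAfeeUpdaterUI] "C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe" /StartedFromRunKey
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
"""

# Assumed shape of an entry: "<letter><digits> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path up to the first .exe/.dll/.ocx extension; this stops before
# trailing arguments such as /STANDALONE or -osboot.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
URL_RE = re.compile(r"(?:https?|file)://\S+")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")   # the [Name] of an O4 Run value


def parse_entry(code, body):
    """Extract the CLSID, on-disk path and URL (if any) from one log entry."""
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    url = URL_RE.search(body)
    name = RUN_NAME_RE.search(body) if code == "O4" else None
    return {
        "code": code,
        "body": body,
        "name": name.group("name") if name else None,
        "clsid": clsid.group(0).upper() if clsid else None,   # normalise case for comparisons
        "path": path.group(0) if path else None,
        "url": url.group(0) if url else None,
    }


def parse_hijackthis(text):
    """Split a HijackThis log into (header dict, running-process list, entry list)."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process block
            in_processes = False
            continue
        if line.startswith("Logfile of HijackThis "):
            header["version"] = line.split()[-1]
        elif line.startswith("Scan saved at "):
            header["scan_time"] = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            header["platform"] = line[len("Platform: "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(parse_entry(m.group("code"), m.group("body")))
    return header, processes, entries


def count_by_section(entries):
    """How many entries each section code contributed."""
    return Counter(e["code"] for e in entries)


def live_autostarts(entries, processes):
    """O4 autostart entries whose binary appears in the running-process list.
    Windows paths are case-insensitive, so the comparison is lower-cased."""
    running = {p.lower() for p in processes}
    return [e for e in entries
            if e["code"] == "O4" and e["path"] and e["path"].lower() in running]


def entries_under(entries, folder_fragment):
    """Entries whose path contains a folder fragment, e.g. 'Downloaded Program Files'."""
    frag = folder_fragment.lower()
    return [e for e in entries if e["path"] and frag in e["path"].lower()]


if __name__ == "__main__":
    header, procs, ents = parse_hijackthis(SAMPLE_HJT_LOG)
    print(header)
    print(dict(count_by_section(ents)))
    for e in live_autostarts(ents, procs):
        print("autostart currently running:", e["name"], "->", e["path"])
```

`live_autostarts` is the check worth keeping: a Run-key entry whose executable is also in the process list is code that survived the last reboot, which is what a reviewer wants to look at first. `entries_under` is a plain substring filter, useful for pulling out everything launched from a folder of interest.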

#2
Guest_thatman_* (Guest)
Hi Patricia_432

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Now run option #2.
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. ;)

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Kc :tazz:
  • 0

#3
Patricia_432 (Topic Starter, Member, 19 posts)
Hi Kc,

Thanks for the help. This is the log from L2MFix:
Patricia


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{94F4F3E5-E7DD-4AD7-9175-286D18ED2D1C}"=""
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{226b64e8-dc75-4eea-a6c8-abcb4d1d37ff}"="Dave's Quick Search Deskbar"
"{DCA04635-8950-48D5-8404-35A5ADCE3E3B}"="Google Deskbar"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FEC01208-4AA9-47CD-93B6-9EF0D2AB2954}"=""
"{B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D}"="Merriam-Webster Online"
"{5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624}"="Merriam-Webster Online BHO"
"{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"="EditPlus Context Menu Handler"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gwfspi~1.dll Wed Aug 3 2005 10:33:38a A.... 23,304 22.76 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
legitc~1.dll Wed Aug 3 2005 10:33:42a A.... 520,456 508.26 K
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
xpsp3res.dll Mon May 16 2005 5:25:36p ..... 15,360 15.00 K

11 items found: 11 files, 0 directories.
Total of file sizes: 1,562,264 bytes 1.49 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is F4E4-DB4D

Directory of C:\WINDOWS\System32

05/05/2005 06:53 AM <DIR> DLLCACHE
06/03/2004 12:06 PM <DIR> Microsoft
04/05/2001 10:43 AM 94,208 msstkprp.dll
1 File(s) 94,208 bytes
2 Dir(s) 55,436,890,112 bytes free
  • 0
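The "Winlogon/notify" section of the L2MFix find log above is a Registry Editor 5.00 export, and the DllName values it shows as hex(2) are REG_EXPAND_SZ strings stored as UTF-16LE bytes with a trailing NUL. The parser below is an added example written for this thread, not part of the forum post and not code from L2MFix. It joins backslash-continued lines, decodes quoted-string, dword and hex(n) data, and lists which DLL each Winlogon Notify package loads into winlogon.exe, which is the list a reviewer of such a log compares against a known-clean machine. The sample excerpt is copied from the log above; the Notify key path is the one shown there, and the parsing rules are my reading of the .reg format rather than any tool's documentation.

```python
import re

# Constructed sample: an excerpt of the "Winlogon/notify" section of the L2MFix find
# log in post #3 of this thread. A raw string keeps the backslashes and the
# "\" continuation marker at the end of the split hex(2) line intact.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Value line: either @ (the default value) or a quoted name, then "=", then the data.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
HEX_RE = re.compile(r"hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<bytes>.*)$", re.IGNORECASE)

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def _join_continuations(text):
    """Merge lines that end in a backslash, the .reg continuation marker."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_data(data):
    """Turn the textual data of a .reg value into a Python value."""
    if data.startswith('"') and data.endswith('"'):            # REG_SZ written inline
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):                                # REG_DWORD, hex digits
        return int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
        kind = int(m.group("type"), 16) if m.group("type") else 3   # bare hex: is REG_BINARY
        if kind in (1, 2):        # REG_SZ / REG_EXPAND_SZ exported as UTF-16LE bytes
            return raw.decode("utf-16-le").rstrip("\0")
        if kind == 7:             # REG_MULTI_SZ: NUL-separated, double NUL terminated
            return [s for s in raw.decode("utf-16-le").split("\0") if s]
        return raw
    return data                                                  # unknown form: keep text


def parse_reg(text):
    """Parse a Registry Editor 5.00 export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name")
            name = "(Default)" if name == "@" else name[1:-1]
            keys[current][name] = decode_data(vm.group("data"))
    return keys


def notify_packages(keys):
    """Map each Winlogon Notify package to the DLL it loads. Real exports spell the
    value DllName or DLLName, so the lookup is case-insensitive."""
    result = {}
    prefix = NOTIFY_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        result[package] = next((v for n, v in values.items() if n.lower() == "dllname"), None)
    return result


if __name__ == "__main__":
    for package, dll in notify_packages(parse_reg(SAMPLE_REG)).items():
        print(f"{package:16} -> {dll}")
```

A Notify package whose DLL is not one you can account for (the stock entries on XP are wlnotify.dll, crypt32.dll, cryptnet.dll, cscdll.dll and whatever the display driver registers) is the kind of line this section of the log exists to surface; the decoder is what makes the hex(2) entries readable at a glance.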

#4
Guest_thatman_* (Guest)
Hi Patricia_432

Please read my last post and complete what was asked

Kc :tazz:
  • 0

#5
Patricia_432 (Topic Starter, Member, 19 posts)
Hi Kc,

Thanks for your reply.

I did option #2, and my PC restarted. I waited more than 30 minutes and it seems to still be running. I'll run it again; how long do I have to wait? Is 30 minutes normal?

Thanks,
Patricia.
  • 0

#6
Guest_thatman_* (Guest)
Hi Patricia_432

I did option #2, and my PC restarted. I waited more than 30 minutes and it seems to still be running. I'll run it again; how long do I have to wait? Is 30 minutes normal?

This is not normal?

Please post a new HJT.log

Kc :tazz:
  • 0

#7
Patricia_432 (Topic Starter, Member, 19 posts)
Hi Kc,

Here is the new HJT log:
Thanks,
Patricia


Logfile of HijackThis v1.99.1
Scan saved at 9:16:32 AM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\ggviewer81-39.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wang\Local Settings\Temporary Internet Files\Content.IE5\U5CZEX6Z\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://office.micros...ainCatalog.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dai.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.williamoneil.com;*.dailygraphs.com;www.investors.com;198.190.229.*;172.22.*.*;netdai.com;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wang\Desktop\l2mfix\second.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.dailygrap.../WonSearchX.ocx
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.webster.c.../webinstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099505347117
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.dailygrap...ocx/WonList.ocx
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors...ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.dailygrap.../ocx/PFMngr.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dai.netdai.com
O17 - HKLM\Software\..\Telephony: DomainName = dai.netdai.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dai.netdai.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Intuit, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe

#8
Guest_thatman_*
  • Guest
Hi Patricia_432

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware SE.
Click Here for how to set it up and use it. Please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download Ewido Trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put a check in the boxes only next to the following items:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://office.micros...ainCatalog.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dai.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.williamoneil.com;*.dailygraphs.com;www.investors.com;198.190.229.*;172.22.*.*;netdai.com;<local>
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Ebates_MoeMoneyMaker
Exit Explorer. Reboot as normal.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove them.

Run Killbox and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
C:\WINDOWS\dinst.exe

Let the system reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:

#9
Patricia_432
  • Topic Starter
  • Member
  • 19 posts
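As an added illustration for readers following this thread (not part of the original post, and not HijackThis's own logic), the Python below parses lines in the HijackThis log format shown above and applies a few triage heuristics of its own: autorun targets outside the usual program directories, dangling "(file missing)" references, downloaded ActiveX controls from hosts that cannot be verified, and an explicit proxy setting. The sample entries are copied from the log posted earlier; the directory and host allowlists are the example's assumptions, and a flag means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: ten entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dai.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wang\Desktop\l2mfix\second.bat
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099505347117
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")
# Allowlists chosen for this example; they are assumptions, not HijackThis settings.
PROGRAM_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

@dataclass
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "
    name: str      # display name, Run-key value name, or registry value name
    target: str    # file path, URL or value the entry points at

def _split_target(rest: str) -> str:
    """Return the executable path from a Run-key value, stripping quotes and arguments."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end != -1:
            return rest[1:end]
    return rest  # unquoted value: treat the whole string as the target

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry, or return None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            return Entry(section, body, rm.group("name"), _split_target(rm.group("rest")))
        return Entry(section, body, body, "")  # e.g. "Global Startup" shortcuts
    if section == "O16":
        dm = DPF_RE.match(body)
        if dm:
            return Entry(section, body, dm.group("name"), dm.group("url"))
    if section.startswith("R"):
        key, _, value = body.partition(" = ")
        return Entry(section, body, key, value)
    # O2/O3/O9/O23 and similar: "<kind>: <name> - <clsid or vendor> - <path>"
    parts = body.split(" - ")
    name = parts[0].split(": ", 1)[-1]
    return Entry(section, body, name, parts[-1] if len(parts) > 1 else "")

def parse_hjt(text: str) -> List[Entry]:
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]

def _host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/\s?]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return the entries that deserve a human look, each with its reasons."""
    results = []
    for e in entries:
        reasons = []
        if "(file missing)" in e.body:
            reasons.append("dangling reference: the file it points at is gone")
        if e.section == "O4" and e.target and not e.target.lower().startswith(PROGRAM_DIRS):
            reasons.append("autorun target outside Program Files / System32")
        if e.section == "O16":
            host = _host_of(e.target)
            # Forum copies truncate URLs with "...", so such hosts never match the
            # allowlist and are flagged for manual verification (the safe default).
            if not host.endswith(TRUSTED_DPF_HOSTS):
                reasons.append(f"ActiveX control downloaded from unverified host {host or '?'}")
        if e.section == "R1" and e.name.endswith("ProxyServer"):
            reasons.append("explicit proxy set: confirm it is the expected one")
        if reasons:
            results.append((e, reasons))
    return results

if __name__ == "__main__":
    for entry, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section} [{entry.name}] -> {entry.target}")
        for reason in why:
            print("    -", reason)
```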
Hi Kc,

I followed your instructions. The following files do not exist:

/*
Run Ad-aware se let it remove all it finds

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Ebates_MoeMoneyMaker NOT EXIST!
Exit Explorer.Reboot as normal.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

NOTHING COMES OUT!

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer (Yes.)
C:\WINDOWS\dinst.exe

NOT EXIST!

*/

Now I'm running Panda. I'll post the log when it's done. But since I have installed so much antivirus software, my system starts up very slowly and still launches the l2mfix console window and the WinFixer download window (this is the one that I asked for help with). I want to clean them up also.

Thanks,
Patricia

#10
Patricia_432
  • Topic Starter
  • Member
  • 19 posts
Hi Kc,

I am posting the last ActiveScan and HijackThis logs here. Thanks, Patricia

This is the ActiveScan log:

Incident Status Location

Adware:adware/topmoxie No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\01251FB9-C40C-4CEE-843B-72F29E\04746556-D77C-4471-8231-98218E
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\02DE6E8E-4BFC-4335-AE43-964B29\BE612A12-BDA4-4781-977B-E174AB
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\05B8D744-B31D-4BBE-A70D-C4CA20\079F38C0-B996-4BE2-A557-172B26
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\0B5AD211-1B62-4643-AD42-FEA6B8\B3F8DB5A-313D-480D-A698-A3552A
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\0D4B4AD1-FB24-48A2-A516-24CF2D\1CC93B01-A5AA-4A7F-8534-0FA39D
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\101C238F-ADA3-4BD3-AFD9-EA6534\7510F703-D10F-4D18-8C43-6CA76E
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1759D99D-4DC1-44E2-813B-43866D\E6FA8025-9E19-4A8B-9444-B0BD0F
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1A07BDDB-3062-4ED6-BED0-235EDB\40077D09-7606-41A7-A3CD-E8A9DB
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1B775F8B-AB8E-4E2B-83F8-56A291\8275C57C-1516-4D46-A3B4-443282
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1DCD3838-D884-4E39-B741-C21079\2DF52B2B-382E-4B29-A800-FF4090
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\274980F0-1B4B-4DC4-A7D7-7428AA\43CE4F86-1BBC-451A-83FA-EC138C
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2B3033B1-CE3C-4D10-A5A4-56C9C9\950F8A9A-9287-4968-B7BE-4F123D
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2EEC6065-66B0-4C6E-81E2-74E3E6\5738F4EC-3FC6-4863-99FE-F46211
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\387B4966-CDA1-475F-8118-E7F03C\F2BE669D-21FB-4631-83E5-246FEE
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3A82127C-A595-417D-856D-E11782\4801D189-49F9-4A03-BD99-FC005B
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E1728A1-D5D2-4C18-9AA6-35962F\9E9639FB-307F-4573-9F9E-62FFA6
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\40315AC2-25B6-475E-87E7-663E08\BD13655F-02A5-4F61-9519-0A0122
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\48D77D4F-1445-4CCF-AF04-DD597D\CF33E230-5745-4C16-A78E-37BA41
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\490C7F11-25D1-46B1-A0C3-9483F2\11031A14-3EC6-4F19-BDFC-E2DF87
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4AD5E053-B990-4274-B058-1CC327\EF6E3F56-4F58-439C-8B95-82906C
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4C4B479C-660B-4244-9DBA-114485\846EE5AD-663F-4BE2-8938-74FE7D
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4DC6F385-AD8C-430E-AE5F-043F23\802F29D0-3D39-43C2-BB52-3637F0
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\50BF615A-59B6-44B4-9647-283C92\E168351D-0337-4C92-836E-7740BF
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\53719D1F-5C19-42BB-B663-235572\2EDF8E4A-0711-464C-ACF0-94FAC4
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\5A31166F-C362-44CB-B1A9-43EF06\DE0B1D65-C968-4C55-AE4F-8B92FC
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\5A8F6F51-991B-4CFD-AC15-2FD71A\DFDCA6DC-DD3A-4145-A78F-AB1EF8
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\5E9BD353-0626-4AAE-8DEB-8E1AE5\DF0F0FF1-1790-4914-AC53-21D489
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\62D0AEB5-37B5-4B94-8D2E-B7F30F\F14B8F42-FAB9-4774-9555-A0624F
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\6FD4DB7D-EA92-4681-9270-5C7E8D\79C1B10E-57FF-482E-BFDD-2E00DB
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\753159DF-9885-4282-BD7A-7DA8AE\94B64EE5-C43F-42A6-815C-CA716B
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\75524EE8-F73F-4305-9981-0112BB\ABF6E3CD-9C64-4E9D-94C2-452857
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\774B282D-DB46-467A-A592-19FA8F\A2309EFC-C11D-4BC0-B8D3-07C6B0
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779A72A4-A24E-40BC-8D3F-E78859\32F3EFB6-A841-4F42-8222-FD763E
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\78ADF565-1803-4DF4-A07E-245480\D1C54916-08C3-4BA1-8E3C-2445DA
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7C31802D-BA81-45BB-80A3-AA9933\6994271C-79C0-4C21-9492-61C44E
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7D4F8176-5284-401A-B567-537C30\4B6D1ACF-48BE-40AC-B15D-A67AED
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\84B2F9BC-51A5-4E53-9869-0A2687\B5137818-6C6A-45F9-945C-7CE6A2
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\84C3F113-1CB5-4C27-941D-14D795\F5656C26-A792-4774-B13D-2618CD
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85CF0AB7-A775-44C0-9D67-A7DF75\F5B1605C-6A17-4189-B921-311556
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\861AE8E8-6B61-4475-9BC2-54214E\31A72AB1-56FE-4163-ACFE-A146AA
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\88BE2C05-5A6A-4AFC-9906-B36E52\8353D150-E6F1-4DAA-966B-B8E1E2
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\898343A2-CD56-474D-BDB5-274385\4693ED5A-26FB-4020-94D6-DF5066
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8BCB540C-4D2D-4635-A4B8-80A9DB\983172D7-C73A-4976-9B7D-3116D8
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\93444152-2455-4A46-9051-904247\B89A7933-8654-427E-8D5E-F50D5C
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\99E59442-8A5D-4F4D-98EE-D57B5A\E6160663-5C8E-44A6-B42C-63BF64
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A03DE86B-B132-4974-AD5C-DEB0BE\F646C407-728C-4F94-867D-BAC9AE
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A86C8ACE-AB71-4203-8F0E-84EE61\C3B88FCD-01C4-48A1-93BC-B666E3
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AA75FCC9-E0B8-4C37-9239-98391F\EAFD6729-A144-4776-8F7E-3C1B51
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAAE6DD2-6868-46F8-A246-3CC643\EAFE9EA4-6E21-41D3-AE03-4701E0
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B761B760-101B-4916-ABCE-FC79C2\723A2F89-4015-4B2E-8E81-844058
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BA166F96-2C9C-4F10-9BB9-8300A1\789B76E0-2797-4D57-8F9F-E00472
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BEE08379-1FD2-44A1-AA2C-53D668\8AE77B2F-F1D1-457A-8AA7-1A1A2C
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3AAF797-ABDE-484A-9A68-60A26E\DAEDD5A8-74C4-412E-B06E-CCD122
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CB249D81-AE66-4CFE-8537-9332F7\0671AF45-A7D4-43A3-9D78-DF4C77
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CFEAD761-C076-42BB-9DBE-72EA5F\59BB9B2D-5EFD-4411-AE46-2F5870
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D09812E3-6011-4F27-A038-CBB3C1\FBC2D03D-1436-4324-A8DE-B6215A
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D8D88FB1-FEDF-4993-83C6-B7A7E8\9E0FC6C6-41CC-4C8D-9553-371CCE
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\DE387B8B-7DF4-499A-B20C-F17FE0\A9ECD338-57B4-4B46-BFD2-CC7039
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E0DA7995-A051-41A1-94C0-1052CD\9F30376D-8F28-4370-9032-BF95DD
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E23F95B5-CA67-4231-AD39-4F1A82\DD74FA70-780D-4E03-B9B5-1800CD
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E2AD1962-15CE-412D-B6AA-1A25EA\893A289A-0DF1-4CB0-BEB5-717829
Adware:Adware/Twain-Tech No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F03294F7-247A-4A2D-AEC9-EB0F8E\86F0D4A9-7045-431F-A2DE-DAF2AC
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F4459F9B-3B5F-4C99-B729-B3AE9E\8850637A-BF0F-4A10-BA22-8F1993
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F96EE07D-C6F4-42E7-AB14-06BCDD\648E31A3-5047-4C42-B38C-CEEAA1
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FF95A598-EFAD-4199-A56C-1A2718\FF07DFB6-9FE0-4810-8697-D2977B
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP323\A0058048.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP323\A0058086.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP324\A0058544.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP324\A0058549.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP325\A0059119.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP326\A0059147.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP327\A0059168.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP328\A0059191.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP328\A0059263.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP329\A0059361.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP331\A0059437.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP338\A0060735.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP338\A0060741.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP339\A0061025.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP340\A0061698.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP341\A0061719.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP342\A0061786.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP343\A0062195.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP343\A0062199.inf
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP343\A0062248.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP344\A0063377.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP345\A0063996.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP346\A0064574.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP347\A0064595.dll
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP347\A0064596.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP347\A0064598.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP348\A0064619.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP348\A0064754.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP349\A0064973.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP350\A0065042.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP350\A0065046.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP351\A0065076.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP351\A0065095.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP351\A0065103.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP352\A0065204.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP353\A0065234.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP354\A0065255.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP355\A0065285.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP356\A0065307.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP356\A0065311.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP357\A0065349.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP358\A0065386.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP359\A0065421.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP360\A0065498.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP361\A0065520.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP362\A0065907.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP363\A0066894.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP364\A0066999.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP364\A0067004.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP365\A0067030.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP366\A0067226.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP367\A0067498.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP368\A0067531.dll
Virus:Trj/Imiserv.D Disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP368\A0067532.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP368\A0067534.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP369\A0067555.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP369\A0067951.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP370\A0067980.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP371\A0068013.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP372\A0068039.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP375\A0068099.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP376\A0068129.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP377\A0068255.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP378\A0068366.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP379\A0068392.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP380\A0068516.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP381\A0068538.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP382\A0068559.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP382\A0068560.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP383\A0068583.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP384\A0068650.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP385\A0068671.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP386\A0068694.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP387\A0068734.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP388\A0068756.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP389\A0068778.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP390\A0068813.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069323.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069329.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069418.inf
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069433.exe
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069435.dll
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069436.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069759.exe
Adware:Adware/EnhSrch No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069806.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0069914.inf
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0070011.exe
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0070013.inf
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP391\A0070015.exe


This is the last HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:57 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\ggviewer81-39.exe
C:\WINDOWS\SYSTEM32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wang\Local Settings\Temporary Internet Files\Content.IE5\87WYCQ4Y\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.DAI.com:80;gopher=proxy.DAI.com:80;http=proxy.DAI.com:80;https=proxy.DAI.com:80;socks=proxy.DAI.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.williamoneil.com;*.dailygraphs.com;www.investors.com;198.190.229.*;172.22.*.*;netdai.com;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wang\Desktop\l2mfix\second.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.dailygrap.../WonSearchX.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.webster.c.../webinstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099505347117
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.dailygrap...ocx/WonList.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors...ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.dailygrap.../ocx/PFMngr.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dai.netdai.com
O17 - HKLM\Software\..\Telephony: DomainName = dai.netdai.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F513850-4F26-4F49-A2A8-4DCA701835EE}: NameServer = 172.22.10.66,172.22.10.67,172.22.60.14,172.22.60.18
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dai.netdai.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = dai.netdai.com,wonda.netdai.com,netdai.com,williamoneil.com,investors.com,ibd_editorial.netdai.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F513850-4F26-4F49-A2A8-4DCA701835EE}: NameServer = 172.22.10.66,172.22.10.67,172.22.60.14,172.22.60.18
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dai.netdai.com,wonda.netdai.com,netdai.com,williamoneil.com,investors.com,ibd_editorial.netdai.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Se
  • 0

#11
Guest_thatman_*
  • Guest
Hi Patricia_432

Please read through the instructions before you start (you may want to print this out).

HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it will be lost. Please create a new folder for it and place the program into that new folder.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes only next to the following items:
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wang\Desktop\l2mfix\second.bat
Click on Fix Checked when finished and exit HijackThis.

Delete all Quarantined items in Microsoft AntiSpyware
C:\Program Files\Microsoft AntiSpyware\Quarantine

Turn off system restore
Disabling or enabling Windows XP System Restore
Defrag your hard drive. Turn system restore back on and create a new restore point.

Please run the following free, online virus scans.
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
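The two checks the helper makes above (HijackThis running out of a temporary folder, and an O4 autorun pointing at a user-writable location) are the kind of triage a script can do over a pasted log. The following is an added example, not part of this thread or of the HijackThis tool: the sample lines are taken from the log posted above, and the trusted roots and user-writable markers are assumptions for a default Windows XP layout.

```python
import re
# Sample lines taken from the HijackThis log posted above (abridged, not a full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Documents and Settings\Wang\Local Settings\Temporary Internet Files\Content.IE5\87WYCQ4Y\HijackThis[1].exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wang\Desktop\l2mfix\second.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# O4 registry Run/RunOnce entries and O4 startup-folder shortcuts, as HijackThis prints them.
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - (?P<key>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$')
# First executable-looking path in a command line, quoted or not.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|scr|pif|dll))(?:"|\s|$)', re.IGNORECASE)

# Assumptions for a default XP layout: installed software lives under these roots, while the
# markers below are download caches or user folders that anything the user ran could write to.
TRUSTED_ROOTS = ('c:\\windows\\system32\\', 'c:\\program files\\')
USER_WRITABLE = ('\\downloaded program files\\', '\\temporary internet files\\',
                 '\\documents and settings\\', '\\temp\\')

def location_risk(path):
    """Classify where a file lives: 'user-writable', 'trusted' or 'other'."""
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return 'user-writable'   # checked first: Downloaded Program Files sits under C:\WINDOWS
    if p.startswith(TRUSTED_ROOTS):
        return 'trusted'
    return 'other'

def parse_hjt(text):
    """Return (processes, autoruns): running-process paths and O4 entries as dicts."""
    processes, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False   # a blank line ends the process list
            else:
                processes.append(line)
            continue
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            pm = PATH_RE.match(m.group('cmd'))
            autoruns.append({'key': m.group('key'), 'name': m.group('name'),
                             'cmd': m.group('cmd'), 'path': pm.group('path') if pm else None})
    return processes, autoruns

def triage(text):
    """List (section, name, path, reason) for anything not running from a trusted root."""
    processes, autoruns = parse_hjt(text)
    findings = []
    for proc in processes:
        risk = location_risk(proc)
        if risk != 'trusted':
            findings.append(('process', proc.rsplit('\\', 1)[-1], proc, f'running from {risk} location'))
    for entry in autoruns:
        target = entry['path'] or entry['cmd']
        risk = location_risk(target)
        if risk != 'trusted':
            findings.append(('autorun', entry['name'], target, f'{entry["key"]} entry from {risk} location'))
    return findings

if __name__ == '__main__':
    for section, name, path, reason in triage(SAMPLE_LOG):
        print(f'[{section}] {name}: {reason}\n    {path}')
```

On the sample it surfaces the HijackThis copy in Temporary Internet Files, the `second.bat` entry on the Desktop and the installer in Downloaded Program Files; it only ranks locations, so each hit still needs a human judgement like the one in the post above.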

#12
Patricia_432

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi, Kc,

Thanks for your reply. I do have a lot of downloads, and those popups bother me a lot. Do you have any instructions for system restore?

I appreciate it.

Patricia
  • 0

#13
Guest_thatman_*
  • Guest
Yes, all you need to do is:

Turn off system restore
Disabling or enabling Windows XP System Restore
Click : http://service1.syma...src=sec_doc_nam
Defrag your hard drive. Turn system restore back on and create a new restore point.

Kc :tazz:
  • 0

#14
Patricia_432

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi Kc,

I followed your instructions, but I still get the WinFixer installer popping up after I log in. Nothing was found by HouseCall.

This is the log of ActiveScan and HijackThis.
Thanks,
Patricia

ActiveScan:

Incident Status Location

Adware:adware/topmoxie No disinfected Windows Registry

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:17 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\ggviewer81-39.exe
C:\WINDOWS\SYSTEM32\logon.scr
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.DAI.com:80;gopher=proxy.DAI.com:80;http=proxy.DAI.com:80;https=proxy.DAI.com:80;socks=proxy.DAI.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.williamoneil.com;*.dailygraphs.com;www.investors.com;198.190.229.*;172.22.*.*;netdai.com;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.dailygrap.../WonSearchX.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.webster.c.../webinstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099505347117
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.dailygrap...ocx/WonList.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors...ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.dailygrap.../ocx/PFMngr.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dai.netdai.com
O17 - HKLM\Software\..\Telephony: DomainName = dai.netdai.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F513850-4F26-4F49-A2A8-4DCA701835EE}: NameServer = 172.22.10.66,172.22.10.67,172.22.60.14,172.22.60.18
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dai.netdai.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = dai.netdai.com,wonda.netdai.com,netdai.com,williamoneil.com,investors.com,ibd_editorial.netdai.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F513850-4F26-4F49-A2A8-4DCA701835EE}: NameServer = 172.22.10.66,172.22.10.67,172.22.60.14,172.22.60.18
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dai.netdai.com,wonda.netdai.com,netdai.com,williamoneil.com,investors.com,ibd_editorial.netdai.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Intuit, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
  • 0

#15
Guest_thatman_*
  • Guest
Hi Patricia_432

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After the reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer, and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Kc :tazz:
  • 0