[rozellh]

I've followed instructions on your start page up to the windows update.

Here is the HiJackThis log information:

Logfile of HijackThis v1.99.1
Scan saved at 3:27:03 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\110135~1\EE\AOLHOS~1.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\COMMON~1\AOL\110135~1\EE\AOLServiceHost.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Wesley Moss\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101355280\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/...tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126292734359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Advertisements]

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download KazaaBegone http://www.greyknigh...KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknigh.../WinsockFix.zip just in case you need it (if it breaks your internet connection, run it).

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

Uninstall these via the Add/Remove panel if listed:

Precision Time
Altnet
Kazaa
P2P Networking

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Locate and delete the following:

C:\WINDOWS\System32\DSMANA~1.DLL
C:\Program Files\WildTangent\
C:\Program Files\Common files\updmgr\
C:\WINDOWS\System32\P2P Networking\
C:\Program Files\Kazaa\
C:\Program Files\Altnet\
C:\Program Files\PrecisionTime\

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.

[greyknight17]

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download KazaaBegone http://www.greyknigh...KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknigh.../WinsockFix.zip just in case you need it (if it breaks your internet connection, run it).

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

Uninstall these via the Add/Remove panel if listed:

Precision Time
Altnet
Kazaa
P2P Networking

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Locate and delete the following:

C:\WINDOWS\System32\DSMANA~1.DLL
C:\Program Files\WildTangent\
C:\Program Files\Common files\updmgr\
C:\WINDOWS\System32\P2P Networking\
C:\Program Files\Kazaa\
C:\Program Files\Altnet\
C:\Program Files\PrecisionTime\

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.

[rozellh]

I am unable to get to this url page:

http://forums.net-in...=post&id=142443

I am getting an:

HTTP 404 - File not found

[greyknight17]

Please do NOT copy and paste like you do regularly. As you can see, the link I posted has those....in it. That's because the address is too long and the forum shortened it a little, but the link is still intact there. Right click and choose Copy Link Location instead and then paste. That will work. You just did a regular Copy (Copy text) instead. Or just click on the link I gave you and it will open up instantly.

[rozellh]

Ewido Report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:37:16 PM, 9/10/2005
+ Report-Checksum: 6A5ED2A5

+ Scan result:

HKLM\SOFTWARE\Classes\DashBarToolbar.SearchScoutBandObj -> Spyware.Gator : Error during cleaning
HKLM\SOFTWARE\Classes\Softomate.IEToolbar -> Spyware.CoolWebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0078555.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP626\A0078669.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP626\A0078734.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP626\A0079733.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP627\A0079771.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP627\A0079820.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0079895.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0080899.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0081921.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0082902.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0083901.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0084919.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0085913.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0086907.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0087925.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0088935.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0088955.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0089956.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0090955.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0091955.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0092953.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0093955.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP628\A0094955.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP629\A0095156.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP629\A0095157.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP629\A0095158.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP630\A0095188.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP630\A0095368.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP630\A0095409.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP631\A0095445.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\WINDOWS\etb\nt_hide65(3).dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\WINDOWS\etb\nt_hide65(4).dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\WINDOWS\etb\nt_hide65(5).dll -> TrojanDownloader.Agent.tv : Cleaned with backup


::Report End


Findit's Log:


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 09/10/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 3872-6A3F

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3872-6A3F

Directory of C:\WINDOWS\system32

12/07/2001 01:40 PM 22,486 LRNXP.ICO
1 File(s) 22,486 bytes
0 Dir(s) 48,085,483,520 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


Hijackthis Log (Safe Mode)

Logfile of HijackThis v1.99.1
Scan saved at 4:44:37 PM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Wesley Moss\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://free.aol.com/...&service=aolhsb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101355280\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/...tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126292734359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


HiJackThis (Normal Mode)

Logfile of HijackThis v1.99.1
Scan saved at 5:05:00 PM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\110135~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110135~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Wesley Moss\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101355280\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/...tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126292734359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I included the 2nd HiJackThis log because I noticed that the "www.web--search.com" took over the home page in normal mode where it did not show up when I was in safe mode.

[greyknight17]

Safe Mode? Please do not run the scan log that you will be posting here in Safe Mode. HijackThis should only be run in Safe Mode to do the fixes ONLY. When we ask for a new HijackThis log, it must be run in Normal Mode in order to be the most accurate.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DashBarToolbar.SearchScoutBandObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Softomate.IEToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginDown]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginInst]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject]

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Download LQFix http://users.telenet...tools/LQfix.exe and click on Install. Go to your Desktop and open up the LQfix folder. Double click on ClickThis.bat to run it.

Check and fix these in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

Boot into Safe Mode and run Ewido again. Save the log.

Delete this folder if found -> C:\WINDOWS\etb\

Restart and boot into Normal Mode again. Post the Ewido log you saved along with a new HijackThis log.

[rozellh]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:55:19 AM, 9/11/2005
+ Report-Checksum: 5EA9A5FA

+ Scan result:

HKLM\SOFTWARE\Classes\DashBarToolbar.SearchScoutBandObj -> Spyware.Gator : Error during cleaning
HKLM\SOFTWARE\Classes\Softomate.IEToolbar -> Spyware.CoolWebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Error during cleaning
C:\Documents and Settings\Wesley Moss\Local Settings\Temporary Internet Files\Content.IE5\1RHPF11V\SetData[1].htm -> Trojan.Smitfraud : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP637\A0097270.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP637\A0097271.dll -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP637\A0097272.dll -> TrojanDownloader.Agent.tv : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 3:58:46 AM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\110135~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110135~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Wesley Moss\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101355280\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/...tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126292734359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[greyknight17]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete DashBarToolbar.SearchScoutBandObj

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete Softomate.IEToolbar

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginDown

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginInst

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Boot into Safe Mode and run another Ewido scan. Restart and post the Ewido log here.

[rozellh]

I am unable to delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginDown

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginInst

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject

[rozellh]

Disregard previous post. The following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginDown

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginInst

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject

were owned by a different user account on the workstation. After logging on as that user and giving the user full control of the keys I was able to delete the above keys. I am currently running ewido and will post scan log shortly.

[rozellh]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:55:06 PM, 9/11/2005
+ Report-Checksum: C1C2A73

+ Scan result:

No infected objects found.


::Report End

[greyknight17]

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

[rozellh]

Everything is working great. I appreciate all your help in this matter.

[greyknight17]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.