Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

firefox won't open, popups, can't rid malware [RESOLVED]

Started by zelophedad , Oct 05 2005 12:04 PM

This topic is locked

#1
zelophedad

Posted 05 October 2005 - 12:04 PM

Member

Member
30 posts

Hi,
I tried posting this once and was re-directed to download the v199.1 of HJT, hopefully I got it right this time. (I checked and double-checked and did not see my original post so this shouldn't be a double-posting)

I have spent 2 days reading FAQs, viewing forums and responses to other people's problems, checking links, googling suspicious programs, services etc. and I'm at my wit's end. I'm woman enough to admit when I'm beat. Sadly, I may have done more harm than good at this point, so I'm hoping that some Geek prince/princess will have mercy on a damsel in distress.

I lent my sony vaio PCG-z505RX with Win2K to a friend (now former friend) and when I got it back it was so infected/hijacked that it wouldn't even boot. It had 10-20 pop-up error windows for files that couldn't load. I managed to get it booted in safe mode and ran Ad-aware, Avast anti-virus, Trojan Guard, Ewido all of which kept finding over 300 "incidents" I even got it booted in normal mode and ran all the programs again (which kept finding more) I saved all the logs if it is necessary to look back. In addiition, I did Add/Remove on any programs that looked suspicious, such as Best Offers etc., checked links on how to remove them etc. It almost seems that after every boot, the virus/malware keep replicating even after I clean them.

However, even though it can now boot up, it is running VERY slowly, CPU runs at 100% most of the time. I'm still getting IE type pop-ups (without IE even running) but the most frustrating is that I can't get firefox to load. I also can't open the IE program (not that I'd ever use it) and the only way I can browse is via the explorer application in windows (i.e., open My Documents)

The error when trying to open firefox is: "Firefox has generated errors and will be closed by Windows. You need to restart the program. An error log is being created" I figured that I may have killed an important dll or something when I cleaned everything, so I downloaded a new version of firefox, installed it and it still doesn't work.

Any assistance is appreciated, and thank you very much in advance for your help, this computer is unusable and I do not have the OS anymore (long story) so a complete wipe and reload is next to impossible. I've attached the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:21 AM, on 10/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\tquaie.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\nfomon\nfomon.exe
C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\WINNT\system32\n?pdb.exe
C:\WINNT\TEMP\cornseedB.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msst\msst.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Windows\services32.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\nara\oiri.exe
C:\WINNT\notepad.exe
C:\Documents and Settings\Administrator\My Documents\Software\HijackThis199.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: (no name) - {003866F8-1A54-4E7C-98E3-6FD935B29200} - C:\WINNT\tzrvijaq.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: (no name) - {39F53664-ADFD-8A0A-80CD-F00A745DA9C8} - C:\WINNT\system32\pezzg.dll
O2 - BHO: (no name) - {3FF53E15-ADFD-F80F-80BB-F80A7553A9BA} - C:\WINNT\system32\pezzg.dll
O2 - BHO: (no name) - {68F43632-ABA8-8E08-80CD-F00A745DA9C8} - C:\WINNT\system32\rbj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINNT\system32\AdCom.dll
O2 - BHO: (no name) - {EC928E70-10C6-4061-B048-470145E12FBB} - C:\WINNT\system32\phemdj.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O3 - Toolbar: Search - {44DCCC62-AE9B-51E1-17E2-BD279A4EFE70} - C:\WINNT\tzrvijaq.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [d060] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [System service67] C:\WINNT\etb\pokapoka67.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\dk4sxx.exe reg_run
O4 - HKLM\..\Run: [inwmg] C:\WINNT\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\dk4sxx.exe reg_run
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Nfo] C:\WINNT\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [adcomplusanalytic.exe] C:\WINNT\system32\adcomplusanalytic.exe
O4 - HKLM\..\Run: [sqyofia] C:\WINNT\system32\tquaie.exe r
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Sgraofok] C:\WINNT\system32\n?pdb.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [cornseedB.exe] C:\WINNT\TEMP\cornseedB.exe
O4 - HKCU\..\Run: [Ttcs] "C:\Program Files\nara\oiri.exe" -vt rbnd
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\system32\wuauclt.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\qqap.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

#2
greyknight17

Posted 05 October 2005 - 01:23 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

Do you know what this program is for?

O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: (no name) - {003866F8-1A54-4E7C-98E3-6FD935B29200} - C:\WINNT\tzrvijaq.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: (no name) - {39F53664-ADFD-8A0A-80CD-F00A745DA9C8} - C:\WINNT\system32\pezzg.dll
O2 - BHO: (no name) - {3FF53E15-ADFD-F80F-80BB-F80A7553A9BA} - C:\WINNT\system32\pezzg.dll
O2 - BHO: (no name) - {68F43632-ABA8-8E08-80CD-F00A745DA9C8} - C:\WINNT\system32\rbj.dll
O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINNT\system32\AdCom.dll
O2 - BHO: (no name) - {EC928E70-10C6-4061-B048-470145E12FBB} - C:\WINNT\system32\phemdj.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O3 - Toolbar: Search - {44DCCC62-AE9B-51E1-17E2-BD279A4EFE70} - C:\WINNT\tzrvijaq.dll
O4 - HKLM\..\Run: [d060] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [System service67] C:\WINNT\etb\pokapoka67.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\dk4sxx.exe reg_run
O4 - HKLM\..\Run: [inwmg] C:\WINNT\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\dk4sxx.exe reg_run
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Nfo] C:\WINNT\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [adcomplusanalytic.exe] C:\WINNT\system32\adcomplusanalytic.exe
O4 - HKLM\..\Run: [sqyofia] C:\WINNT\system32\tquaie.exe r
O4 - HKCU\..\Run: [Sgraofok] C:\WINNT\system32\n?pdb.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [cornseedB.exe] C:\WINNT\TEMP\cornseedB.exe
O4 - HKCU\..\Run: [Ttcs] "C:\Program Files\nara\oiri.exe" -vt rbnd
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\system32\wuauclt.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\qqap.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.

Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Uninstall Freeprod, Internet Optimizer and SurfSideKick via your Add/Remove panel.

Locate and delete the following:

C:\WINNT\system32\tquaie.exe (or whatever the name may have changed to, as noted above).
C:\Documents and Settings\All Users\Application Data\msst\
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\DNS\
C:\Program Files\Freeprod Toolbar\
C:\Program Files\Internet Optimizer\
C:\Program Files\nara\
C:\Program Files\SurfSideKick 3\
C:\WINNT\dsr.dll
C:\WINNT\etb\pokapoka67.exe
C:\WINNT\exe82.exe
C:\WINNT\Nail.exe
C:\WINNT\nem220.dll
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\
C:\WINNT\svcproc.exe
C:\WINNT\system32\AdCom.dll
C:\WINNT\system32\adcomplusanalytic.exe
C:\WINNT\system32\dk4sxx.exe
C:\WINNT\system32\mmxp2passion.exe
C:\WINNT\system32\nfomon\
C:\WINNT\system32\phemdj.dll
C:\WINNT\system32\qqap.dll
C:\WINNT\system32\rbj.dll
C:\WINNT\system32\w130713.Stub.EXE
C:\WINNT\system32\wuauclt.dll
C:\WINNT\tzrvijaq.dll

Do a search for n?pdb.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Restart your computer. Post the logs for HijackThis and Ewido.

#3
zelophedad

Posted 05 October 2005 - 03:27 PM

Member

Topic Starter
Member
30 posts

Thanks for your response. I printed your instructions and am 1/4 of the way through. One quick question, toward the end your instruction to:

Locate and delete the following:

C:\WINNT\system32\tquaie.exe (or whatever the name may have changed to, as noted above).
C:\Documents and Settings\All Users\Application Data\msst\
etc
etc.
etc.

Am I supposed to find these manually? i.e. by using windows search or even navigating directly?

thanks, will keep you posted with logs etc when done, you've been great so far, I appreciate the quick response (I just got back from the vet, my cat is fine, but I'm a little stressed)

#4
greyknight17

Posted 05 October 2005 - 04:24 PM

Malware Expert

Visiting Consultant
16,560 posts

You may navigate to the corresponding path directly and delete them. All of them have file locations there so no need to do any searching. I think I even sorted the file locations for you for easy access

Well, let's hope we can get rid of that stress for you also

#5
zelophedad

Posted 05 October 2005 - 04:42 PM

Member

Topic Starter
Member
30 posts

Thanks a bunch, I'm still running ewido, 60 mins so far and it's @ 93%.

forgot to answer your other question which was:

"Do you know what this program is for?
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus"

Answer: I have absolutely NO IDEA, my friend had a dogsitter at her place while she was away and the dogsitter downloaded a bunch of stuff and this was one of the many nefarious objects that I found.

The computer was CLEAN when I gave it to her, I have no idea what she loaded, I've been cleaning "friends and family" boxes for a while and I didn't recognize most of the stuff on this, which is why I punted after 2 days and asked you (the collective "you" that is)

Thanks again, will post logs and results when done

-Lou

#6
greyknight17

Posted 05 October 2005 - 04:48 PM

Malware Expert

Visiting Consultant
16,560 posts

Hi Lou, you may remove that TagASaurus program if you want then. I can't find much information on it...

It should be close to finishing now for that Ewido scan. It seems to take the longest on the final stages (as you're nearing 100%) :tazz:

#7
zelophedad

Posted 05 October 2005 - 06:33 PM

Member

Topic Starter
Member
30 posts

Hi Greyknight17

well, It's better, but not quite there yet. I'm getting popups like crazy even before opening up a browser, so clearly there still some insidious programs that were not caught by the afore steps.

I'll post the HJT log at the end, but here are a few comments on the procedure:

1) Of the list of HJT files/directories that you told me to check, some files/directories that were not in the HJT log after the ewido can. I kept track, if you need me to send the ones that weren't there I can do that

2) I couldn't uninstall freepod in Add/Remove, clicked on it and nothing happened, also SurfSideKick and Int. Optimizer were not in the Add/Rem Programs

3) On the "Locate and Delete" files section, many of the files were not there (anymore) I searched for them and couldn't find them. (I saved the list if you need it)

4) Did a search for n?pdb.exe and couldn't find it anywere, (tried all different places)

I decided to run the most recent (1.06) Adaware for now b4 ewido to see if it can kill whatever is causing all the popups, although I'm worried that since something has taken over, Adaware won't be able to kill it. The popups are coming from "partypoker.com", "Goodwebsites", "Venus123" and others that just have IP addresses. Also, and this is weird, I have 3 shortcuts on my desktop that say: "Get $50 Free", "Golden Tiger Casino" and "Search the Web" The Properties of the first 2 are URLs that are garbage and the "Search the Web" is an Application with a target in C:\Documents and Settings\All Users\Application Data\msw\MSW.exe"

One more thing, I don't have an ipod and the itunes program seems to have been downloaded but never installed, should I just delete it?

Here is the most recent HJT log, I'm doing Adaware right now and so far it has found 3 reg keys, 9 reg values and 17 files. I'll do ewido after, but it will probably run for 60+ minutes.

Oh yeah and most important, thanks so much for your help with this. Last week, I spent 2 days fixing my friend's network and their infected computers (teenage daughters, need I say more???) and when they wanted to pay me, I said no b/c I believe in karma and that someday someone would do the same for me, boy it sure came around fast!

Logfile of HijackThis v1.99.1
Scan saved at 5:36:15 PM, on 10/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Palm\HOTSYNC.EXE
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Documents and Settings\Administrator\My
Documents\Software\HJT\HijackThis199.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher -
{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program
Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common
Files\mc-58-12-0000106.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program
Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -
res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) -
https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload
ActiveX Control) - http://www.snapfish....pfishUpload.cab
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\qqap.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner
- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program
Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program
Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program
Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner -
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe

#8
greyknight17

Posted 05 October 2005 - 07:42 PM

Malware Expert

Visiting Consultant
16,560 posts

Don't worry, if something is not there anymore, just continue on.

For the freeprod one, go into HijackThis->Config->Misc Tools->Open Uninstall Manager and look for Freeprod. Click on it once and then hit the Delete this entry button on the right.

Delete this folder (C:\Documents and Settings\All Users\Application Data\msw\) and the 3 shortcuts you see on your desktop.

Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it.

Uninstall iTunes if you don't want it or didn't install it.

Ad-aware usually doesn't take an hour unless there's a lot of files on your machine (possibly many infected?). Usually 30 minutes or so if will be completed.

No problem, glad we could help

Where's the Ewido log? That's ok, we'll run it again :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop cmdService
sc delete cmdService
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\qqap.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe

Locate and delete the following:

C:\Program Files\Common Files\services.exe
C:\Program Files\DNS\
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\WINNT\system32\qqap.dll
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\

Restart your computer. Post the logs for HijackThis and Ewido. Also give me this log:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

#9
zelophedad

Posted 05 October 2005 - 08:14 PM

Member

Topic Starter
Member
30 posts

Greyknight17,

Thanks a bunch, I probably should have waited for your reply; I did find the msw and msst files and already deleted them. I also ran a deep scan in Adaware and found over 200 objects and many of them were malware so I quarrantined and deleted them.

Is it still OK for me to follow the instructions you just sent? I'm running out the door to a hockey game (yes, I live in california, I'm over-40, female and I play in a men's hockey league, OK, I'm a masochist) so I won't start it until I get home which is ~10PM PST and if you are in NY, then you'll be asleep.

Anyhow, if you have a second, just say go or no go and I'll attack it tonight.

Really appreciate the help :tazz:

-Lou

#10
greyknight17

Posted 05 October 2005 - 08:54 PM

Malware Expert

Visiting Consultant
16,560 posts

Hi Lou, no problem with a female playing in men's hockey league :tazz:

10PM PST? LOL. I'll still be here around that time (probably 11PM or 12AM here in NY). But here's my reply...

Yes, go ahead with the fix I just posted.

#11
zelophedad

Posted 06 October 2005 - 03:10 AM

Member

Topic Starter
Member
30 posts

Hi again

Well, I went at it again for a few more hours, as long as you're not going to give up, I'll keep plugging, but it's still not "clean" nor is the procedure without some discrepancies. The computer is still running kind of slow and I did get some popups initially, (but strangely they're not popping up now that I'm watching as I type on my other machine)

Here's what went on

1) Everything went fine until the HJT Fixing, you had said to check this:

O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\qqap.dll
but I had:

O20 - Winlogon Notify: Extensions - C:\WINNT\system32\qqap.dll
Later in the delete process it wouldn't delete, but I'll get to that. Also,

2) In the locate and delete part,
C:\Program Files\Common Files\services.exe was a directory and I deleted it, hope it was OK

Also in the delete section, I could NOT delete this: C:\WINNT\system32\qqap.dll
I kept getting a windows sharing violation and it wouldn't delete, far as I know it is still there (?)

3) After the reboot, a DOS window opened up and ran some program but it went by so fast I didn't catch what is was, although I don't have a good feeling about it. I think it was in C:\WINNT\system32\cmd.exe, but again I don't know what ran.

4) Also, I don't need the Snapfish or Plaxo applications, so any advice on how to ditch that would be appreciated. I get the feeling that Add/Rem won't quite cut it.

Here are the logs, I made sure that "Word Wrap" is NOT checked, is that how you wanted it?

Thanks again, I wish I could wipe this and start over, but I don't have copies of the OS anymore and in fact, I never had them. Sony is pretty cheeky about that and they have all kinds of special drivers that make it really hard (which is why I never bought sony again)

--------------------------------------------------
EWIDO LOG:

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:53:56 AM, 10/6/2005
+ Report-Checksum: 24643C48

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetOffers -> Spyware.LZIO : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenSaver Manager -> Spyware.LZIO : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT -> Spyware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Security -> Spyware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Enum -> Spyware.NaviSearch : Cleaned with backup
HKU\S-1-5-21-117609710-1708537768-2055841523-500\Software\DNS -> Adware.Shorty : Cleaned with backup
[432] C:\WINNT\system32\afctres.dll -> Spyware.Look2Me : Error during cleaning
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\DNS\gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\Ftk\f.bak -> Spyware.FlashEnhancer : Cleaned with backup
C:\Program Files\Ftk\ftk.dll -> Spyware.FlashEnhancer : Cleaned with backup
C:\WINNT\system32\OBENGL32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\tygs\ljmueuh.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\ccl3dv2.dll -> Spyware.Look2Me : Cleaned with backup

::Report End

=================================================

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:56:01 AM, on 10/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\Administrator\My Documents\Software\HJT\HijackThis199.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {1D8D18FD-21A4-DC8B-E749-A72DD05B12FD} - C:\WINNT\system32\uucnalqt\rypnsuwh.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cbsam] C:\WINNT\system32\xjadleco\cbsam.exe
O4 - HKLM\..\Run: [acbr] C:\WINNT\system32\lymspiuw\acbr.exe
O4 - HKLM\..\Run: [agpyg] C:\WINNT\system32\ltsi\agpyg.exe
O4 - HKLM\..\Run: [uomk] C:\WINNT\system32\adputero\uomk.exe
O4 - HKLM\..\Run: [qkys] C:\WINNT\system32\aaapttb\qkys.exe
O4 - HKLM\..\Run: [sxjy] C:\WINNT\system32\kykovrhh\sxjy.exe
O4 - HKLM\..\Run: [kcovv] C:\WINNT\system32\dkdlch\kcovv.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O20 - Winlogon Notify: Extensions - C:\WINNT\system32\qqap.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: qkysaaapttb - Unknown owner - C:\WINNT\system32\aaapttb\qkys.exe

==============================================

Here is the l2mfix log

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
"Asynchronous"=dword:00000000
"DllName"=hex(2):6e,00,77,00,70,00,72,00,6f,00,76,00,61,00,75,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"LogoffPostProfileUnload"="WinlogonLogoffPostProfileUnloadEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\qqap.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{999E60FE-6F00-5029-A551-9F37A6E3FA9A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}"="Shell extensions for NetWare"
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}"="Shell extensions for NetWare"
"{52c68510-09a0-11cf-8daa-00aa004a5691}"="Shell extensions for NetWare"
"{082304A8-A594-4381-B668-00A816181202}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{2BDBD95E-2643-4A86-8718-0EC8E2811A12}"=""
"{1A413548-8A95-4A8E-9FD4-E5EE74ABE89D}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{082304A8-A594-4381-B668-00A816181202}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{082304A8-A594-4381-B668-00A816181202}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{082304A8-A594-4381-B668-00A816181202}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{082304A8-A594-4381-B668-00A816181202}\InprocServer32]
@="C:\\WINNT\\system32\\OBENGL32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2BDBD95E-2643-4A86-8718-0EC8E2811A12}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2BDBD95E-2643-4A86-8718-0EC8E2811A12}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2BDBD95E-2643-4A86-8718-0EC8E2811A12}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2BDBD95E-2643-4A86-8718-0EC8E2811A12}\InprocServer32]
@="C:\\WINNT\\system32\\ccl3dv2.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A413548-8A95-4A8E-9FD4-E5EE74ABE89D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A413548-8A95-4A8E-9FD4-E5EE74ABE89D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A413548-8A95-4A8E-9FD4-E5EE74ABE89D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A413548-8A95-4A8E-9FD4-E5EE74ABE89D}\InprocServer32]
@="C:\\WINNT\\system32\\UWAT.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Volume in drive C has no label.
Volume Serial Number is 195B-13E9

Directory of C:\WINNT\System32

10/06/2005 01:32a 417,792 UWAT.DLL
09/29/2005 06:31a 401,408 d?xplore.exe
09/08/2005 11:09p 417,792 qqap.dll
09/08/2005 06:47a 401,408 n?pdb.exe
08/12/2003 12:04p <DIR> dllcache
4 File(s) 1,638,400 bytes
1 Dir(s) 1,860,902,912 bytes free

#12
zelophedad

Posted 06 October 2005 - 11:41 AM

Member

Topic Starter
Member
30 posts

Augh, I'm practically in tears; I finished everything at 2:00 AM and left it on overnight to see if it would stay "clean" and it didn't

I had 10+ popups this morning from all kinds of sites such as oas-central.realmedia.com, jamster.com. singlesnet.com, reunion.com opened in IE. infotrack.net seemed to be the catalyst as that was what firefox was redirected to. Also there is an extra toobar added to my firefox for something called "search fast" and it is the spawn of Satan and seems to be sending data back and forth. And this you probably know, the computer is barely responding to me and seems to be doing everything else except open documents, CPU is spinning etc.

I did an HJT so we'd have a snapshot and then using HJT, I looked at the list of programs and found that Searchfast 1.0.0.11, Search fast Communicator, The Best Offers were added, in addition OIN was there and I know that is malware (or something) so I removed that. I also deleted Snapfish Photo Show and Plaxo b/c I never use them

HEre's the HJT (with word wrap "unchecked") log BEFORE I removed the programs and BEFORE the reboot, I'll post the next one in the next response:

Thanks again, sorry this is taking so much time.

-Lou

Logfile of HijackThis v1.99.1
Scan saved at 10:23:31 AM, on 10/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\aaapttb\qkys.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\xjadleco\cbsam.exe
C:\WINNT\system32\lymspiuw\acbr.exe
C:\WINNT\system32\ltsi\agpyg.exe
C:\WINNT\system32\adputero\uomk.exe
C:\WINNT\system32\kykovrhh\sxjy.exe
C:\WINNT\system32\dkdlch\kcovv.exe
C:\program files\tvs\tvs_b.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\My Documents\Software\HJT\HijackThis199.exe

O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {1D8D18FD-21A4-DC8B-E749-A72DD05B12FD} - C:\WINNT\system32\uucnalqt\rypnsuwh.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cbsam] C:\WINNT\system32\xjadleco\cbsam.exe
O4 - HKLM\..\Run: [acbr] C:\WINNT\system32\lymspiuw\acbr.exe
O4 - HKLM\..\Run: [agpyg] C:\WINNT\system32\ltsi\agpyg.exe
O4 - HKLM\..\Run: [uomk] C:\WINNT\system32\adputero\uomk.exe
O4 - HKLM\..\Run: [qkys] C:\WINNT\system32\aaapttb\qkys.exe
O4 - HKLM\..\Run: [sxjy] C:\WINNT\system32\kykovrhh\sxjy.exe
O4 - HKLM\..\Run: [kcovv] C:\WINNT\system32\dkdlch\kcovv.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\qqap.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: qkysaaapttb - Unknown owner - C:\WINNT\system32\aaapttb\qkys.exe

#13
zelophedad

Posted 06 October 2005 - 12:02 PM

Member

Topic Starter
Member
30 posts

Hi

Here is the next HJT log that was generated after the reboot (in safe mode)

Should it still have the dll for srchfst and the srchfst update? Also, I delted Plaxo and Photoshow, but there are still references to them.

Any help is appreciated. I'm running adaware now to see if it can kill some of the ad malware. Any idea what I should do next?

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:41:40 AM, on 10/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\Software\HJT\HijackThis199.exe

O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {1D8D18FD-21A4-DC8B-E749-A72DD05B12FD} - C:\WINNT\system32\uucnalqt\rypnsuwh.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cbsam] C:\WINNT\system32\xjadleco\cbsam.exe
O4 - HKLM\..\Run: [acbr] C:\WINNT\system32\lymspiuw\acbr.exe
O4 - HKLM\..\Run: [agpyg] C:\WINNT\system32\ltsi\agpyg.exe
O4 - HKLM\..\Run: [uomk] C:\WINNT\system32\adputero\uomk.exe
O4 - HKLM\..\Run: [qkys] C:\WINNT\system32\aaapttb\qkys.exe
O4 - HKLM\..\Run: [sxjy] C:\WINNT\system32\kykovrhh\sxjy.exe
O4 - HKLM\..\Run: [kcovv] C:\WINNT\system32\dkdlch\kcovv.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: Setup - C:\WINNT\system32\qqap.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: qkysaaapttb - Unknown owner - C:\WINNT\system32\aaapttb\qkys.exe

#14
zelophedad

Posted 06 October 2005 - 12:43 PM

Member

Topic Starter
Member
30 posts

Hi again

I'm not sure if my bombarding you with more logs is helping or hurting, but here is the most recent after the Adaware run, which seemed to have found some malware
and yet, by the looks of this log, there still seems to be some bad apples in there.

Any ideas?

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:35:47 AM, on 10/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\Software\HJT\HijackThis199.exe

O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {1D8D18FD-21A4-DC8B-E749-A72DD05B12FD} - C:\WINNT\system32\uucnalqt\rypnsuwh.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cbsam] C:\WINNT\system32\xjadleco\cbsam.exe
O4 - HKLM\..\Run: [acbr] C:\WINNT\system32\lymspiuw\acbr.exe
O4 - HKLM\..\Run: [agpyg] C:\WINNT\system32\ltsi\agpyg.exe
O4 - HKLM\..\Run: [uomk] C:\WINNT\system32\adputero\uomk.exe
O4 - HKLM\..\Run: [qkys] C:\WINNT\system32\aaapttb\qkys.exe
O4 - HKLM\..\Run: [sxjy] C:\WINNT\system32\kykovrhh\sxjy.exe
O4 - HKLM\..\Run: [kcovv] C:\WINNT\system32\dkdlch\kcovv.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\qqap.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: qkysaaapttb - Unknown owner - C:\WINNT\system32\aaapttb\qkys.exe

#15
greyknight17

Posted 06 October 2005 - 08:05 PM

Malware Expert

Visiting Consultant
16,560 posts

Please try not to post so many HijackThis logs like that...it's wasting space here and also not required. Just do whatever scans you want first and after you are ALL done, then run a new HijackThis scan and post the log.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop cmdService
sc delete cmdService
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido (only if you have Windows 2000 or XP). If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {1D8D18FD-21A4-DC8B-E749-A72DD05B12FD} - C:\WINNT\system32\uucnalqt\rypnsuwh.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [cbsam] C:\WINNT\system32\xjadleco\cbsam.exe
O4 - HKLM\..\Run: [acbr] C:\WINNT\system32\lymspiuw\acbr.exe
O4 - HKLM\..\Run: [agpyg] C:\WINNT\system32\ltsi\agpyg.exe
O4 - HKLM\..\Run: [uomk] C:\WINNT\system32\adputero\uomk.exe
O4 - HKLM\..\Run: [qkys] C:\WINNT\system32\aaapttb\qkys.exe
O4 - HKLM\..\Run: [sxjy] C:\WINNT\system32\kykovrhh\sxjy.exe
O4 - HKLM\..\Run: [kcovv] C:\WINNT\system32\dkdlch\kcovv.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\qqap.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: qkysaaapttb - Unknown owner - C:\WINNT\system32\aaapttb\qkys.exe

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINNT\srchfst.dll
C:\WINNT\system32\uucnalqt\rypnsuwh.dll
C:\WINNT\system32\communicator.dll
C:\WINNT\system32\communicator.dll
C:\WINNT\srchfst.dll
C:\WINNT\system32\xjadleco\cbsam.exe
C:\WINNT\system32\lymspiuw\acbr.exe
C:\WINNT\system32\ltsi\agpyg.exe
C:\WINNT\system32\adputero\uomk.exe
C:\WINNT\system32\aaapttb\qkys.exe
C:\WINNT\system32\kykovrhh\sxjy.exe
C:\WINNT\system32\dkdlch\kcovv.exe
C:\Program Files\Common Files\Java\ftkcpy.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\system32\stb.exe
C:\WINNT\system32\qqap.dll
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\system32\aaapttb\qkys.exe
C:\WINNT\system32\uucnalqt\
C:\WINNT\system32\xjadleco\
C:\WINNT\system32\lymspiuw\
C:\WINNT\system32\ltsi\
C:\WINNT\system32\adputero\
C:\WINNT\system32\kykovrhh\
C:\WINNT\system32\dkdlch\
C:\program files\tvs\
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\
C:\WINNT\system32\aaapttb\

If you get a PendingOperations message, just close it and restart your computer manually.

Boot into Safe Mode and see if you can find and delete these folders:

C:\program files\tvs\
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\
C:\WINNT\system32\aaapttb\
C:\WINNT\system32\adputero\
C:\WINNT\system32\dkdlch\
C:\WINNT\system32\kykovrhh\
C:\WINNT\system32\ltsi\
C:\WINNT\system32\lymspiuw\
C:\WINNT\system32\uucnalqt\
C:\WINNT\system32\xjadleco\

Then I want you to run another Ewido scan and save the report.

Restart and run a new HijackThis scan. Save the log file and post it here along with the Ewido log.