Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

NewgenLook, Param32.dll....Help [RESOLVED]

Started by neatstatus , Dec 01 2005 12:50 AM

This topic is locked

#1
neatstatus

Posted 01 December 2005 - 12:50 AM

Member

Member
44 posts

Good day,

For a while my computer has been showing some unwanted site links on the desktop. It has "Britney Spears, Cigarettes, Car insurance" etc which keep poping up after i delete them. My pc also pops-up with something called "Newgenlook" as part of the link title with disturbing pornographic images. There is also "SpyAxe" (which is supposed to be a Spy remover program, but it keeps re-installing itself after i uninstall it. This program also shows constantly flashing icon saying this pc has been infected with a virus). I found out that my pc contained Param32.dll, svchosts.exe and some other things i'm not sure of...

This is my Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:48:09 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CA_LIC\lic98rmt.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1132701542\ee\aolsoftware.exe
c:\program files\common files\aol\1132701542\ee\aexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1132701542\ee\aexplore.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpBCD3.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...vp/content.html
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.lawbullet...sses/CFJava.cab
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reall...m/CrazyTalk.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcas...ostClientIE.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.zango.com...oad/zangoax.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dirinc.webex...ort/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dirinc.co...dir/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Voicent Gateway (VoicentGateway) - Voicent Communications, Inc - C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe

I'd appreciate any help at all to help stop all the abnormal things.

Thanks.

#2
Buckeye_Sam

Posted 03 December 2005 - 11:11 AM

Malware Expert

Member
10,019 posts

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3
neatstatus

Posted 03 December 2005 - 07:49 PM

Member

Topic Starter
Member
44 posts

Thanks for the reply.

This is a new log (though i haven't done anything to my pc since the last one)

Logfile of HijackThis v1.99.1
Scan saved at 7:46:50 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA_LIC\lic98rmt.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1132701542\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1132701542\ee\aexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.newgenlook.info/ad/ad0058/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} -

C:\WINDOWS\system32\hpAB96.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program

Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} -

C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

/auto
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"

/background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -

https://components.v...rl=http://www.v

iewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.07.02&unknown&

unknown&http://www.gameboyad...vp/content.html
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) -

http://www.lawbullet...sses/CFJava.cab
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) -

http://plug-in.reall...m/CrazyTalk.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) -

https://vhost.oddcas...ostClientIE.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) -

file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) -

http://www.zango.com...oad/zangoax.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -

file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn...pDownloader.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice

American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -

file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client

v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

https://dirinc.webex...ort/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -

http://www.dirinc.co...dir/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcaf...n/2,0,0,4474/mc

fscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -

file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates

International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates

International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program

Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates

International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates

International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates

International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates

International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates -

C:\CA_LIC\LogWatNT.exe
O23 - Service: Voicent Gateway (VoicentGateway) - Voicent Communications, Inc -

C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe

#4
Buckeye_Sam

Posted 03 December 2005 - 07:58 PM

Malware Expert

Member
10,019 posts

Please adjust your formatting when you post your next log. It's very difficult to read like that.

Check for the existence of these files. Let me know if you have them.

C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\popup_bl.dll

Run msconfig and enable all startup items.

Please download Ewido Security Suite it is a trial version of the program.

Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net...wnload/updates/

Once the updates are installed do the following:

Click on scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.

Reboot your computer and post a new hijackthis log and the log from Ewido.

#5
neatstatus

Posted 04 December 2005 - 01:15 AM

Member

Topic Starter
Member
44 posts

I'm sorry about the fonts i used earlier.

This is the new hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:11:03 AM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CA_LIC\lic98rmt.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\Ewido(trail)\security suite\ewidoctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1132701542\ee\AOLSoftware.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\Program Files\SJLabs\SJphone\SJphone.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BHODemon 2\BHODemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp99EE.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zanu] c:\program files\zangoclient\zanu.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132701542\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Free Cellular Alarm.lnk = C:\Documents and Settings\Ona\My Documents\liSA\myAlarms\fca.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Talking Buddy.lnk = C:\Program Files\Talking Bud\talkingb.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: StanaPhone.lnk = ?
O4 - Global Startup: SysTray.lnk = ?
O4 - Global Startup: VoipBuster.lnk = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...vp/content.html
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.lawbullet...sses/CFJava.cab
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reall...m/CrazyTalk.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcas...ostClientIE.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dirinc.webex...ort/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dirinc.co...dir/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\Ewido(trail)\security suite\ewidoctrl.exe
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Voicent Gateway (VoicentGateway) - Voicent Communications, Inc - C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe

This is the Ewido log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:00:28 AM, 12/4/2005
+ Report-Checksum: AEE222D

+ Scan result:

HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
[3288] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Cleaned with backup
[1684] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2996] C:\program files\zangoclient\zanu.exe -> Spyware.180Solutions : Cleaned with backup
[3584] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[3708] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[812] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2108] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2316] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2340] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[3748] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[3084] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2428] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[244] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2116] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2312] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
[2816] c:\program files\zangoclient\zanuhook.dll -> Spyware.180Solutions : Error during cleaning
:mozilla.6:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Ona\Application Data\Mozilla\Firefox\Profiles\e63ifhfk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\ona@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\ona@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\ona@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ona\Cookies\ona@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Popularix : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\ona@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\res1E0.tmp/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\res1E0.tmp/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Ona\Local Settings\Temp\res1E2.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Downloads\LetsExploretheAirport-dm[1].exe -> Spyware.Trymedia : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\ZangoClient\zanu.exe -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\ZangoClient\zanuhook.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\system32\1024\ldDA86.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\guninst.exe -> Spyware.Serpo : Cleaned with backup
C:\WINDOWS\system32\hp454F.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\hpAB96.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\param32.dll -> Downloader.WarSpy.g : Cleaned with backup

::Report End

Edited by neatstatus, 04 December 2005 - 01:16 AM.

#6
Buckeye_Sam

Posted 04 December 2005 - 11:15 AM

Malware Expert

Member
10,019 posts

Please follow these steps:

Please make sure that you can View Hidden Files
- Click Start -> My Computer
- Select Tools -> Folder options
- Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
- Also make sure that 'Display the contents of system folders' is checked.
- Make sure "Hide extensions for known file types" is unchecked
- Make sure "Hide protected operating system files (recommended)" is unchecked
- For more info on how to show hidden files click here.
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp99EE.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - HKLM\..\Run: [zanu] c:\program files\zangoclient\zanu.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...vp/content.html
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reall...m/CrazyTalk.cab
Please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- If you have trouble getting into Safe mode go here for more info.
Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\system32\hp99EE.tmp
C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\popup_bl.dll

Reboot your computer to go back to normal mode.

Now I need to see a different type of log from Hijackthis

Run Hijackthis.
Click on "Open the Misc Tools section".
Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file.
Place the content of that file here in your in your next reply.

#7
neatstatus

Posted 04 December 2005 - 01:23 PM

Member

Topic Starter
Member
44 posts

Thanks.

3ivx D4 4.5.1 (remove only)
Adobe Acrobat 6.0.1 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Araneae 4.5.2
Architectural Object Enabler 3.30
AutoCAD LT 2002
BHODemon 2.0.0.22
Boldcenter Operator Client .NET
BoyCott Advance/SDL 0.2.6 WIN32 (remove only)
CA eTrust Antivirus
CA eTrust PestPatrol
Candy Wrapper Designer Pro.
CD LabelCorp's CD Designs Creator
Diskeeper Professional Edition
ewido security suite
Ezonics Greeting Cam Deluxe
EZPhoto Browser
EZPhoto Tools
EZShowtime MMS
EZSuite For Video Chat Kit
EZVideo Chat 2.0
EZVideo Mail
File, Print FedEx Kinko's
Flipz IV Flash
Free Cellular Alarm Version 1.08
Futuremark Measurement Services Client
Google Desktop Search
HijackThis 1.99.1
hp officejet v series
ImageMixer VCD2
iPod for Windows 2005-03-23
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Lemonade Tycoon 2
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark Printer Software Uninstall
LimeWire 4.9.7
Macromedia Flash Player
Mario Kart DS Screen Saver
MDP3880-W(U) PCI Modem
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Office Standard Edition 2003
Microsoft Office XP Small Business
Microsoft PowerPoint Viewer 97
Microsoft Windows Journal Viewer
ModemBoost Demo
MSN Messenger 7.0
MSN Music Assistant
MSN Toolbar
MTV Networks Video Optimizer
Opera
OZ
Picasa 2
Picture Package
PPLive 1.0.7.4
ppStream 1.0.0.98
QuickTime
RealPlayer
Registry Mechanic
RISA-2D
Security Toolbar
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Shockwave
Skype 1.2
Sonic Foundry ACID 4.0
Sony USB Driver
Spelling Dictionaries For Adobe Reader Package
SpyAxe 3.0
StanaPhone
Structural Engineering Library
Talking Buddy for Windows
The Weather Channel
Thrustworld Client Software
Turbo Lister
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
USB PC Camera
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Voicent Gateway
Web Picture Creator 1.50
WebEx
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
Zango Messenger
Zango Search Assistant

#8
Buckeye_Sam

Posted 04 December 2005 - 05:08 PM

Malware Expert

Member
10,019 posts

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

Security Toolbar
SpyAxe 3.0
Talking Buddy for Windows
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Zango Messenger
Zango Search Assistant

Download the attached file and extract it to your desktop. Double click on folder.bat and wait a couple seconds. It will open up a report with notepad. Please copy that text and paste it here in your next reply.

#9
neatstatus

Posted 04 December 2005 - 05:27 PM

Member

Topic Starter
Member
44 posts

Folders found in C:\Documents and Settings\Ona\Application Data
-------------------------------------------------------------------
acccore
Adobe
AdobeAUM
AdobeUM
Aim
Apple Computer
Downloaded Installations
DPlot
Google
Help
Identities
Jamdat
Kinko's
Lavasoft
Leadertech
Macromedia
Microsoft
Mozilla
NetMedia Providers
Opera
OZ Intermedia
ppStream
Publish Providers
Real
Skype
Sonic Foundry
Sun
Talkback
Yahoo!
Yahoo! Messenger

Folders found in C:\Documents and Settings\All Users\Application Data
-------------------------------------------------------------------
Adobe
AOL
AOL Downloads
Apple Computer
CA
InstallShield
McAfee.com
Microsoft
NETg
QuickTime
Skype
Spybot - Search & Destroy
Windows Genuine Advantage
Yahoo!
Yahoo! Companion

Folders found in C:\Program Files
---------------------------------
Adobe
AIM
Alwil Software
AOD
AOL
AutoCAD LT 2002
Autodesk Architectural Desktop 3
AWS
BHODemon 2
Boldcenter
CA
Candy Wrapper Designer Pro
CD LabelCorp's CD Designs Creator
Codemasters
Common Files
ComPlus Applications
directx
DPlot
eBay
EuroTool
Executive Software
EZbundle
EZPhoto Browser 2.1
EZShowtime MMS 1.1
EZSuite For Video Chat Kit
Flipz4Flash
Google
Hewlett-Packard
HostingDude.com Domain Tools
Infogrames
InstallShield Installation Information
InterMute
Internet Explorer
Intuit
iPod
iTunes
Java
Kinko's
Lavasoft
Lexmark
LimeWire
Messenger
MGI
Microsoft ActiveSync
Microsoft AntiSpyware
microsoft frontpage
Microsoft Office
Microsoft Visual Studio
Microsoft.NET
MobileForces
ModemBoost
Movie Maker
Mozilla Firefox
MSN
MSN Apps
MSN Gaming Zone
MSN Messenger
MsnMusic
MTV Networks
NetMeeting
OfficeUpdate
Oni
Online Services
Opera
Outlook Express
pcamats
Picasaphotosoftware2
PIXELA
PowerPoint Viewer
PPLive
ppStream
QuickTime
Real
Registry Mechanic
SJLabs
Sonic Foundry
Sony Corporation
Spybot - Search & Destroy
Spyware Doctor
talkingbuddy
The Weather Channel
TryMedia
Uninstall Information
VanillaBaby-GAPsoft Corporation
Viewpoint
VoipBuster.com
Web Picture Creator
Windows Journal Viewer
Windows Media Components
Windows Media Player
Windows NT
WindowsUpdate
WinZip
wmv_vcm
xerox
Yahoo!
Zango Applications
ZangoClient

Folders found in C:\Program Files\Common Files
----------------------------------------------
Adobe
AOL
Autodesk Shared
DESIGNER
InstallShield
Intuit
Java
L&H
Microsoft Shared
MSSoap
muvee Technologies
Nullsoft
ODBC
Real
Scanner
Services
SpeechEngines
System
Wextech Shared
Wise Installation Wizard
xing shared

#10
Buckeye_Sam

Posted 05 December 2005 - 04:16 PM

Malware Expert

Member
10,019 posts

Please delete these folders.

C:\Program Files\talkingbuddy
C:\Program Files\Viewpoint
C:\Program Files\Zango Applications
C:\Program Files\ZangoClient

Download SpyAxeFix.exe © noahdfear, and save it to your desktop.

Close all other programs and windows.
Double click SpyAxeFix.exe, then click Start to extract the tool to it's own folder.
Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool.
At one point when the tool runs, your taskbar will dissappear, and your computer will restart when the tool completes.
A text file named spyaxe.txt will be created in the SpyAxeFix folder.
Post the contents of that log please.

Please run Panda Online Virus Scan

You must allow the active-x control to run when asked.
You may need to disable your antivirus program while this scan runs.
There may be files that this scan will not remove.
Please include that information in your next post.
Make sure to reenable your antivirus program if you disabled it.

Reboot and post a new hijackthis log, the log from the SpyAxe removal tool, and the info from your virus scan.

#11
neatstatus

Posted 06 December 2005 - 12:44 AM

Member

Topic Starter
Member
44 posts

Thanks for the help.

New Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:55 AM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA_LIC\lic98rmt.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\Ewido(trail)\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1132701542\ee\AOLSoftware.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\SJLabs\SJphone\SJphone.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp20F8.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132701542\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Free Cellular Alarm.lnk = C:\Documents and Settings\Ona\My Documents\liSA\myAlarms\fca.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: StanaPhone.lnk = ?
O4 - Global Startup: SysTray.lnk = ?
O4 - Global Startup: VoipBuster.lnk = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...vp/content.html
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.lawbullet...sses/CFJava.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcas...ostClientIE.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dirinc.webex...ort/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dirinc.co...dir/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\Ewido(trail)\security suite\ewidoctrl.exe
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Voicent Gateway (VoicentGateway) - Voicent Communications, Inc - C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe

Log from SpyAxeRemoval tool

SpyAxeFix © by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/05/2005
The current time is: 21:03:37.22

svchosts.dll present
1024 directory present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Info from Virus Scan.

Incident Status Location

Adware:adware/spyaxe Not disinfected C:\WINDOWS\system32\hpB2E3.tmp
Adware:adware/securityerror Not disinfected C:\WINDOWS\system32\nvctrl.exe
Adware:adware/hotoffers Not disinfected C:\WINDOWS\SYSTEM32\Air Tickets.ico
Adware:adware/spyaxe Not disinfected C:\WINDOWS\SYSTEM32\hpB2E3.tmp
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\mscornet.exe
Spyware:spyware/spyblocs Not disinfected C:\Documents and Settings\Ona\Desktop\Remove Spyware.url
Adware:adware/securitytoolbar Not disinfected C:\PROGRAM FILES\Security Toolbar
Adware:adware/ncase Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-1d5d1ed4-130eedde.zip[Counter.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-1d5d1ed4-130eedde.zip[Gummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-1d5d1ed4-130eedde.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-1d5d1ed4-130eedde.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-1d5d1ed4-130eedde.zip[Xeyond.class]
Virus:Trj/Lowzones.IH Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-1d5d1ed4-130eedde.zip[web.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-66a18b46-5e06ee4f.zip[Counter.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-66a18b46-5e06ee4f.zip[Gummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-66a18b46-5e06ee4f.zip[VerifierBug.class]
Virus:Trj/Lowzones.KI Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-66a18b46-5e06ee4f.zip[web.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-66a18b46-5e06ee4f.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ona\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-66a18b46-5e06ee4f.zip[Xeyond.class]

#12
Buckeye_Sam

Posted 06 December 2005 - 05:49 PM

Malware Expert

Member
10,019 posts

Please delete these files.

C:\WINDOWS\system32\hpB2E3.tmp
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\SYSTEM32\Air Tickets.ico
C:\WINDOWS\SYSTEM32\hpB2E3.tmp
C:\WINDOWS\SYSTEM32\mscornet.exe
C:\Documents and Settings\Ona\Desktop\Remove Spyware.url
C:\PROGRAM FILES\Security Toolbar <-- delete this folder

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp20F8.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll

Please download SmitRem

Save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

* if you have trouble getting into Safe mode go here for more info.

Once in Safe mode, follow these steps:

Open the smitRem folder, then double click the RunThis.bat file to start the tool.
Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Post the log file from Smitrem as well as a new hijackthis log.

#13
neatstatus

Posted 06 December 2005 - 06:44 PM

Member

Topic Starter
Member
44 posts

Hey. I don't want to sound stupid, but i can't delete
C:\WINDOWS\SYSTEM32\mscornet.exe
C:\WINDOWS\system32\nvctrl.exe"

Because the pc keeps saying "The file is being used by another person or program. Close down any programs that might be using the file and start again".

How do i detect what programs are using those files?

Also, the pc says it can't find this file.
C:\WINDOWS\system32\hpB2E3.tmp

So i'm guessing its no more on my system.

Please help me with the steps to delete those files above.
I appretiate all the help.

#14
Buckeye_Sam

Posted 07 December 2005 - 04:56 PM

Malware Expert

Member
10,019 posts

Go ahead and follow these steps to get rid of those files.

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
- C:\WINDOWS\SYSTEM32\mscornet.exe
  C:\WINDOWS\system32\nvctrl.exe
Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your system will reboot now.

#15
neatstatus

Posted 08 December 2005 - 07:04 PM

Member

Topic Starter
Member
44 posts

Thanks for the step by step info!

This is the "smit text".

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/08/2005
The current time is: 18:44:33.31

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Security Troubleshooting.url
Online Security Center.url
Security Troubleshooting.url
Online Security Center.url
Air Tickets.url
Big Tits.url
Blackjack.url
Britney Spears.url
Car Insurance.url
Credit Card.url
Cruises.url
Lesbian Sex.url
MP3.url
Online Betting.url
Oral Sex.url
Party Poker.url
Pharmacy.url
Phentermine.url
job Pornstars.url
viagra.url

~~~ Favorites ~~~

Take It Here - Daily Updated [bleep] Links.url
Take It Here - Daily Updated [bleep] Links.url
Free XXX Sites List.url
Antivirus Test Online.url

~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
mscornet.exe
logfiles

~~~ Icons in System32 ~~~

ts.ico
ot.ico
Big Tits
Blackjack
Britney Spears
Car Insurance
Credit Card
Cruises
Lesbian Sex
MP3
Online Betting
Oral Sex
Party Poker
Pharmacy
Phentermine
Pornstars
Remove Spyware
viagra

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 716 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:

Hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 7:03:47 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CA_LIC\lic98rmt.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\Ewido(trail)\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\Common Files\AOL\1132701542\ee\AOLSoftware.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\SJLabs\SJphone\SJphone.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132701542\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SnapDetect.lnk = ?
O4 - Global Startup: StanaPhone.lnk = ?
O4 - Global Startup: SysTray.lnk = ?
O4 - Global Startup: VoipBuster.lnk = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...vp/content.html
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.lawbullet...sses/CFJava.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcas...ostClientIE.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dirinc.webex...ort/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dirinc.co...dir/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...474/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Ona\Desktop\Somto\instrumentalsAcid\Spyfighters\Ewido(trail)\security suite\ewidoctrl.exe
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Voicent Gateway (VoicentGateway) - Voicent Communications, Inc - C:\Documents and Settings\Ona\My Documents\liSA\bin\vgate.exe