
spy sheriff



#61
revenge100

revenge100

    Member

  • Topic Starter
  • Member
  • PipPip
  • 80 posts
I just wish I could decipher all the info on the reports so I know what is good and bad!
  • 0



#62
revenge100

daft question # 286! :)

Should I have cleansweep (internet and smart sweep) on my PC, and if so should the logo have shades on it? :tazz:

I cannot remember seeing it before these problems.

This is quite a new PC so I am not sure about all the programs which came with it - since everything on it is licensed I was hoping that I would avoid getting infected this badly :)
  • 0

#63
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

Should I have cleansweep (internet and smart sweep) on my PC, and if so should the logo have shades on it


Not a daft question at all. One of the infections you have disables some programs and won't let others run.
Hopefully in the next run here we will get it once and for all.

Better roll up your sleeves, this is going to take some work :tazz:

Read through the instructions; if you have any questions go ahead and ask. I have to run out for a bit, but before I go I want to make sure you're all set :)
We need to download a couple of programs first, then most of this I want you to do offline and some while in safe mode.
So if you could print out or save these instructions to Notepad so you have access to them, that would be best.

Download the following programs please

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
Close out the program; we will use it later.



Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing webHancer.

We shouldn't have a problem with it, but just in case: if, after you have finished the following instructions, you cannot get back online, simply run LSPFix.

In the event that you lose Internet access after removing Webhancer, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet.

Again, don't do anything with this program unless you need to.


Download the DelDomains zip file and unzip it to your desktop.

DelDomains

Right-click on the deldomains.inf file and select 'Install'


Now let's get started.



First
Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Command Service (cmdService)


When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

cmdservice

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.


Next
After reboot

Go to Add/Remove programs and remove the following
Command
Internet Optimizer
Media-motor
MediaTickets By OIN
ScanToWeb
webHancer Customer Companion
webHancer Survey Companion


It should ask you to reboot your computer; please do so. If it doesn't ask you, please reboot anyway.
Again, if you get an error saying the program is removed, that's fine.


Next

Please restart HJT, put a check next to the following, close all open windows and click “Fix Checked”.
Double check them to be sure you get them all please.

R3 - URLSearchHook: (no name) - {59E1A3E2-1D5F-12A1-7797-67834A8ECFCD} - C:\WINDOWS\System32\lkchq.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {6CCC93E2-306C-2795-5AA7-57AE7ABEE2FD} - C:\WINDOWS\System32\lkchq.dll
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\Run: [\SWO] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [uSot] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\eti.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [Uwbs] "C:\Program Files\ohil\mbma.exe" -vt mt
O4 - HKCU\..\Run: [Ggvh] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload137a.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c17.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe (file missing)


Close out HJT please.
Open up Killbox.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\windows\timessquare.exe
C:\windows\mrjj.exe
C:\WINDOWS\eti.exe
C:\WINDOWS\System32\r?ndll.exe
C:\WINDOWS\System32\msgconfigrs.exe
C:\WINDOWS\System32\msconf.exe



Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.




Next
Reboot into SAFE MODE
Search for and delete the Folders highlighted in Blue

C:\Program Files\Internet Optimizer\
C:\Program Files\webHancer\
C:\Program Files\Common Files\VCClient\
C:\Program Files\ohil\


Next
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click No.

Next
Open Ewido and run a scan with it again, saving the log please.

Next
Open Ad-aware and run it as well; have it fix all it finds.


Restart your computer.


Next
Please restart HJT and run a fresh scan. Post it back here for me please, along with the Ewido scan.
  • 0

#64
revenge100

I seem to be able to access all the links except the Killbox site - the geekstogo page says I do not have access?

Hopefully I should be able to work my way through the rest; if not, you will soon hear about it!

Hopefully I will make no cockups tho!
  • 0

#65
don77

Strange, I had no problem.
Anyway, alt site here:
http://www.softpedia...t-Killbox.shtml
  • 0

#66
revenge100

The good news is that this link seems good :)

Is this a new problem for you? You said it was a new strain of a virus?

It's only 7.30pm here so it's nice and early.

I hope you have managed to get all your xmas shopping before getting involved with this problem :tazz:

Edited by revenge100, 24 December 2005 - 01:23 PM.

  • 0

#67
revenge100

Famous last words re: Killbox, I click on the download option and nothing happens :-(

LSPFix is ok tho

The deldomains link seems to just create as well?

Edited by revenge100, 24 December 2005 - 01:35 PM.

  • 0

#68
don77


Is this a new problem for you? You said it was a new strain of a virus?

One of the infections is, but it seems to go away pretty quietly.

It's only 7.30pm here so it's nice and early.

Great, so hopefully you can get through the rest of this :)

I hope you have managed to get all your xmas shopping before getting involved with this problem


Nope, I always do most of my xmas shopping on this day. Did a bit last night, off to finish the rest now :tazz:

Should be back in a couple of hours or less. I'm what they call a power shopper: know what I want, go and get it, and get out quick :)

Catch you in a bit :woot:
  • 0

#69
don77

http://download.soft...ity/killbox.zip

Click that and tell me if it works
  • 0

#70
revenge100

the page this sends me to has a title

403 FORBIDDEN - INCORRECT OR MISSING REFERRER FOR REQUESTED FILE

Then it sends me to the home page - could this have anything to do with my security settings?

I will get cracking with the instructions. I take it that it will be ok to do everything up to Killbox?

good luck with your shopping :-)

Edited by revenge100, 24 December 2005 - 01:45 PM.

  • 0



#71
don77

http://www.downloads...org/KillBox.zip

That was my bad, try this
  • 0

#72
revenge100

that seems to have worked :-)

Any thoughts on deldomains, or can that wait until I have done the rest?

Edited by revenge100, 24 December 2005 - 01:48 PM.

  • 0

#73
don77

Sorry, just noticed you edited it.
Save it to your desktop. Once it's downloaded, make sure you right-click on it and in the options choose Install.
  • 0

#74
revenge100

:) done,

I will get started now.

cheers again - :tazz:

I am sure that any problems can wait!

:) :) :woot: :P :) :)
  • 0

#75
revenge100

reports for you

I could not remove Command; it redirected me to this site http://command.adser...m/uninstall.php

Internet Optimizer would also not delete (I think)

I do not think I have the Ad-aware download so I have not done this :)


I hope your shopping has gone well or did you just :tazz:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:22:29, 06/12/2005
+ Report-Checksum: 8DD40644

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\webHancer -> Spyware.Webhancer : Cleaned with backup
HKLM\SOFTWARE\webHancer\CC -> Spyware.Webhancer : Cleaned with backup
HKLM\SOFTWARE\webHancer\ESO -> Spyware.Webhancer : Cleaned with backup
HKU\.DEFAULT\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-790525478-884357618-839522115-1003\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
[664] C:\WINDOWS\system32\MUIMRT16.DLL -> Spyware.Look2Me : Error during cleaning
[792] C:\WINDOWS\system32\MUIMRT16.DLL -> Spyware.Look2Me : Error during cleaning
C:\!KillBox\eti.exe -> Trojan.LowZones.am : Cleaned with backup
C:\!KillBox\mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\!KillBox\timessquare.exe -> Hijacker.StartPage.aw : Cleaned with backup
C:\Documents and Settings\Richard\Desktop\hijackthis\backups\backup-20051206-203657-583.dll -> Adware.WinAD : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.l : Cleaned with backup
C:\emoticonz.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\mmxeyn007.exe -> Downloader.VB.sh : Cleaned with backup
C:\pce.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\Internet Optimizer\optimize.exe -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\03056881.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\0D4245B0.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1A26607F.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1A9C1B7D.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1A9F457A.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1AA26F76.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1AA9436F.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1AAC6D6B.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1AAF1768.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1AB34164.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1AB66B61.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\3146587C.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\48CD4681.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\545E027F.exe -> Backdoor.SdBot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\6B7E7A7C.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\77752C83.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Program Files\whInstall\Webhdll.dll -> Spyware.WebHancer : Cleaned with backup
C:\Program Files\whInstall\WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\Program Files\whInstall\whiehlpr.dll -> Spyware.WebHancer : Cleaned with backup
C:\Program Files\whInstall\whInstaller.exe -> Spyware.WebHancer : Cleaned with backup
C:\Program Files\whInstall\WhSurvey.exe -> Spyware.WebHancer : Cleaned with backup
C:\RECYCLER\NPROTECT\00042644.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00042645.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00042918.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00042938.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00042961.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00042976.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043001.exe -> Logger.Agent.gk : Cleaned with backup
C:\RECYCLER\NPROTECT\00043002.dll -> Logger.Agent.gk : Cleaned with backup
C:\RECYCLER\NPROTECT\00043065.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00043066.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00043090.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043121.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043124.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043142.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043169.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043180.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043184.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043214.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043215.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043218.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043258.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043259.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043262.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043294.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043297.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043298.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043327.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043330.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043372.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043373.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043417.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043427.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043474.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043507.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043508.EXE -> Downloader.Adload.j : Cleaned with backup
C:\RECYCLER\NPROTECT\00043509.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043559.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00043610.OCX -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\drsmartload124a.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\mm83.ocx -> Downloader.VB.ov : Cleaned with backup
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.EI : Cleaned with backup
C:\WINDOWS\pi1_25.exe -> Downloader.Small.afq : Cleaned with backup
C:\WINDOWS\PMET.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\SWO.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\system32\ahadix16.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ajitrap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ammpvcno.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\awpmgmts.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\bNtt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\c4000edmeh0a0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cnmodem.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\system@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ADIBCTUJ\876029[1].exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ADIBCTUJ\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ADIBCTUJ\optimize[1].exe -> Downloader.Dyfuca.EI : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q7Q98R6V\drsmartload137a[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q7Q98R6V\ei[1].exe -> Downloader.Small.bgl : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q7Q98R6V\emoticons[1].exe -> Trojan.LowZones.cf : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q7Q98R6V\mm63[1].ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q7Q98R6V\mm83[1].ocx -> Downloader.VB.ov : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q7Q98R6V\whCC-GIANT[1].exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RA96CQ4F\mmxeyn007[1].exe -> Downloader.VB.sh : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RA96CQ4F\pc[1].exe -> Trojan.LowZones.ct : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z9RMX6E1\mrj[1].exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z9RMX6E1\pi1_25[1].exe -> Downloader.Small.afq : Cleaned with backup
C:\WINDOWS\system32\des_32.dll -> Logger.Agent.gk : Cleaned with backup
C:\WINDOWS\system32\des_32.exe -> Logger.Agent.gk : Cleaned with backup
C:\WINDOWS\system32\dn2q01f5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\drao35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dvtmsft.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\en20l1fm1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\enrml1911.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gp8ql3l51.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hdink.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hyicons.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iBsrecst.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ioxpromn.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\j06mlaj11do.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mfdmo.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mmcsubs.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvn4l95q1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mzwmdmsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nstrap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\o6ro0g93e6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oie2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rEssapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sdclient.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\smrrun.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\WinDmy.dll -> Spyware.Getmirar : Cleaned with backup
C:\WINDOWS\system32\wmavusd.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 21:25:50, on 06/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Richard\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {59E1A3E2-1D5F-12A1-7797-67834A8ECFCD} - C:\WINDOWS\System32\lkchq.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\m6460ghse6460.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0
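A way to check which entries from the "Fix Checked" list in post #63 still appear in the follow-up HijackThis log in post #75, as an added example that is not part of the thread and not a HijackThis feature. The two excerpts are copied from those posts; the function names and the matching rules (normalized exact match, then shared CLSID) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Excerpt of the "Fix Checked" list from post #63 (lines copied from the thread).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {59E1A3E2-1D5F-12A1-7797-67834A8ECFCD} - C:\WINDOWS\System32\lkchq.dll
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe (file missing)
"""

# Excerpt of the follow-up log from post #75 (lines copied from the thread).
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\rundll32.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {59E1A3E2-1D5F-12A1-7797-67834A8ECFCD} - C:\WINDOWS\System32\lkchq.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\m6460ghse6460.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)$", re.I)


@dataclass(frozen=True)
class Entry:
    code: str  # HijackThis section code, e.g. "O4"
    key: str   # normalized body used for comparison
    raw: str   # the line as it appeared in the log

    @property
    def clsids(self):
        return {c.upper() for c in CLSID_RE.findall(self.raw)}


def parse_entries(text):
    """Return section entries only; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # Drop the trailing status note and fold case/whitespace so that
        # "C:\windows" and "C:\WINDOWS" compare equal.
        body = STATUS_RE.sub("", m.group(2))
        entries.append(Entry(m.group(1), " ".join(body.split()).casefold(), line))
    return entries


def compare(fix_text, fresh_text):
    """Classify each fix-list entry against the follow-up scan."""
    fresh = parse_entries(fresh_text)
    fresh_keys = {(e.code, e.key) for e in fresh}
    result = {"still_present": [], "clsid_elsewhere": [], "cleared": []}
    for e in parse_entries(fix_text):
        if (e.code, e.key) in fresh_keys:
            result["still_present"].append(e.raw)
            continue
        # Same CLSID registered under a different section or value.
        hits = [f.raw for f in fresh if e.clsids & f.clsids]
        if hits:
            result["clsid_elsewhere"].append((e.raw, hits))
        else:
            result["cleared"].append(e.raw)
    return result


if __name__ == "__main__":
    report = compare(FIX_LIST, FRESH_LOG)
    for line in report["still_present"]:
        print("STILL PRESENT  ", line)
    for line, hits in report["clsid_elsewhere"]:
        print("CLSID ELSEWHERE", line, "->", hits[0])
    for line in report["cleared"]:
        print("cleared        ", line)
```
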





