Please analyze!!

Christie Achor

Help please! I have run TDS-3, Spybot Search and Destroy, and SPY Doctor all in Safe Mode and I am still getting pop-ups!! Please take a look at my HijackThis log and tell me what to do... I am at a complete loss! I get so many pop-ups I cannot work!

Thanks In advance!

Logfile of HijackThis v1.99.0
Scan saved at 12:45:20 PM, on 2/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\WINNT\system32\MsiExec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.436\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\Cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://access01.mmlive.com/msrdp.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
 
Christie,

Welcome to the Tech-Forums.
I will be reviewing your HJT log.
Please follow these instructions exactly, step by step.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer, and it may appear that nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
 
Thanks rstones12

Here is the result after following your instructions...

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m2rm0c91ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5D7031FC-B9CE-4480-AB2E-8ED18DBD736F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}"="Registered ActiveX Controls"
"{D545EBD1-BD92-11CF-8772-00A0C9039735}"="Developer Studio Components"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extention"
"{0D302F2C-8EA6-11CE-B035-444553540000}"="pcANYWHERECallerShellExt"
"{92A681A0-9f0D-11CE-B035-444553540000}"="pcANYWHERECallerPage"
"{DF44ACC1-972F-11CE-B035-444553540000}"="pcANYWHERERemoteCtrlShellExt"
"{92a681a1-9f0d-11CE-B035-444553540000}"="pcANYWHERERemoteCtrlPage"
"{DF44ACC2-972F-11CE-B035-444553540000}"="pcANYWHEREBeHostExt"
"{92A681A2-9f0D-11CE-B035-444553540000}"="pcANYWHEREBeHostPage"
"{DF44ACC3-972F-11CE-B035-444553540000}"="pcANYWHEREOnlineSvcExt"
"{92A681A3-9f0D-11CE-B035-444553540000}"="pcANYWHEREOnlineSvcPage"
"{DF44ACC4-972F-11CE-B035-444553540000}"="pcANYWHEREGatewayExt"
"{92A681A4-9f0D-11CE-B035-444553540000}"="pcANYWHEREGatewayPage"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{6ec2e0e3-1116-4d47-b0c2-5bdaf4e4c308}"="eFax Messenger Plus - Shell Extension"
"{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}"=""
"{FEC2EBFF-B133-4277-AC72-630CDDED6411}"=""
"{9B65C3AB-E41B-41DD-86A5-3B58AB858E8B}"=""
"{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}"=""
"{E12C5BEF-57C9-11D3-81C5-84C708FD407A}"="DiamondCS WormGuard Hook"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}\InprocServer32]
@="C:\\WINNT\\system32\\ansldpc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}\InprocServer32]
@="C:\\WINNT\\system32\\inircl.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
2ndsrch.dll Thu Dec 23 2004 2:31:04p A.... 69,632 68.00 K
aza007~1.dll Mon Feb 7 2005 8:11:54p ..S.R 223,027 217.80 K
aza603~1.dll Wed Feb 9 2005 11:26:26a ..S.R 223,986 218.73 K
danet.dll Tue Jan 18 2005 5:16:34p ..S.R 223,169 217.94 K
dbdref.dll Sun Jan 30 2005 5:57:54p ..S.R 222,974 217.75 K
docore.dll Mon Jan 24 2005 9:11:40p A.... 151,552 148.00 K
dolsp.dll Sat Jan 15 2005 5:26:28p A.... 139,264 136.00 K
dosync.dll Fri Feb 4 2005 3:38:00a A.... 114,688 112.00 K
flxdrv.dll Tue Jan 18 2005 5:10:42p A.... 224,678 219.41 K
fp4603~1.dll Tue Feb 8 2005 2:18:30p ..S.R 223,670 218.43 K
fp4o03~1.dll Tue Jan 18 2005 9:50:00p ..S.R 224,678 219.41 K
fp6803~1.dll Thu Jan 20 2005 8:31:18p ..S.R 225,991 220.69 K
fp6s03~1.dll Wed Feb 2 2005 5:47:42p ..S.R 223,790 218.54 K
fp8o03~1.dll Fri Jan 21 2005 12:23:36a ..S.R 225,511 220.22 K
g440le~1.dll Mon Feb 7 2005 3:52:46p ..S.R 223,027 217.80 K
g840li~1.dll Mon Jan 24 2005 7:53:14p ..S.R 224,022 218.77 K
h2n00c~1.dll Tue Jan 25 2005 10:00:10a ..S.R 223,026 217.80 K
i8420i~1.dll Wed Feb 16 2005 12:12:00a ..S.R 224,981 219.71 K
inircl.dll Wed Feb 16 2005 12:24:46p ..... 223,027 217.80 K
ir4sl5~1.dll Wed Feb 2 2005 11:59:16a ..S.R 224,772 219.50 K
irrul5~1.dll Thu Jan 27 2005 5:18:22p ..S.R 224,969 219.70 K
jt4o07~1.dll Sun Jan 30 2005 6:03:56p ..S.R 222,974 217.75 K
jt6007~1.dll Tue Jan 25 2005 11:13:50p ..S.R 223,041 217.81 K
jtj007~1.dll Fri Feb 4 2005 4:41:44p ..S.R 223,044 217.82 K
kt20l7~1.dll Thu Feb 3 2005 1:13:52p ..S.R 224,054 218.80 K
l02sla~1.dll Thu Feb 3 2005 10:49:08a ..S.R 224,747 219.48 K
lkrt.dll Tue Feb 15 2005 11:25:00p ..S.R 224,981 219.71 K
lscalui.dll Tue Jan 18 2005 4:11:32p ..S.R 225,819 220.52 K
m2rm0c~1.dll Tue Feb 15 2005 9:38:52p ..S.R 223,027 217.80 K
mvr4l9~1.dll Fri Jan 21 2005 2:11:10a ..S.R 222,957 217.73 K
n4r2le~1.dll Wed Feb 2 2005 2:51:36p ..S.R 224,321 219.06 K
njdskcc.dll Tue Jan 18 2005 5:35:58p ..S.R 223,169 217.94 K
opboio.dll Wed Dec 29 2004 2:13:52p A.... 24,576 24.00 K
pqm.dll Tue Jan 18 2005 9:24:00p A.... 224,678 219.41 K
rdnh.dll Fri Jan 28 2005 12:21:44p ..S.R 223,027 217.80 K
rxsctrs.dll Mon Jan 17 2005 9:18:58p ..S.R 224,678 219.41 K
smprfdll.dll Fri Jan 28 2005 12:03:48p ..S.R 222,974 217.75 K
sp3res.dll Thu Dec 2 2004 6:27:18a ..... 6,272,512 5.98 M
sporder.dll Sun Dec 12 2004 4:33:26p A.... 8,464 8.27 K
stbcsp.dll Tue Jan 18 2005 5:25:08p A.... 224,678 219.41 K
t4r80e~1.dll Wed Feb 9 2005 2:23:02p ..S.R 223,921 218.67 K
t8r80i~1.dll Mon Feb 14 2005 1:02:24a ..S.R 223,925 218.68 K
user32.dll Wed Dec 29 2004 1:14:10a A.... 380,688 371.77 K
wtspdmoe.dll Mon Jan 17 2005 3:33:50p ..S.R 224,678 219.41 K
wyver.dll Thu Dec 23 2004 2:31:56p A.... 99,328 97.00 K
yuoyly.dll Sun Jan 16 2005 1:05:34p A.... 5,632 5.50 K

46 items found: 46 files (32 H/S), 0 directories.
Total of file sizes: 15,330,327 bytes 14.62 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Wed Feb 16 2005 12:25:46p A.... 223,027 217.80 K

1 item found: 1 file, 0 directories.
Total of file sizes: 223,027 bytes 217.80 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Local Disk
Volume Serial Number is 2419-48F5

Directory of C:\WINNT\System32

02/16/2005 12:11a 224,981 i8420ihoe84c0.dll
02/15/2005 11:24p 224,981 lkrt.dll
02/15/2005 09:38p 223,027 m2rm0c91ef.dll
02/14/2005 01:02a 223,925 t8r80i9ue8.dll
02/09/2005 02:23p 223,921 t4r80e9ueh.dll
02/09/2005 11:26a 223,986 aza603hse.dll
02/08/2005 02:18p 223,670 fp4603hse.dll
02/07/2005 08:11p 223,027 aza007jme.dll
02/07/2005 03:52p 223,027 g440lehm1h4a.dll
02/04/2005 04:41p 223,044 jtj0071me.dll
02/03/2005 01:13p 224,054 kt20l7fm1.dll
02/03/2005 10:49a 224,747 l02slaf71d2.dll
02/02/2005 05:47p 223,790 fp6s03j7e.dll
02/02/2005 02:51p 224,321 n4r2le9o1h.dll
02/02/2005 11:59a 224,772 ir4sl5h71.dll
01/30/2005 06:03p 222,974 jt4o07h3e.dll
01/30/2005 05:57p 222,974 dBdref.dll
01/28/2005 12:21p 223,027 rdnh.dll
01/28/2005 12:03p 222,974 smprfdll.dll
01/27/2005 05:18p 224,969 irrul5991.dll
01/25/2005 11:13p 223,041 jt6007jme.dll
01/25/2005 10:00a 223,026 h2n00c5mef.dll
01/24/2005 07:53p 224,022 g840lihm184a.dll
01/21/2005 02:11a 222,957 mvr4l99q1.dll
01/21/2005 12:23a 225,511 fp8o03l3e.dll
01/20/2005 08:31p 225,991 fp6803jue.dll
01/18/2005 09:49p 224,678 fp4o03h3e.dll
01/18/2005 05:35p 223,169 njdskcc.dll
01/18/2005 05:17p 554 TBPS.ini
01/18/2005 05:16p 223,169 danet.dll
01/18/2005 04:11p 225,819 lscalui.dll
01/18/2005 12:13a <DIR> dllcache
01/17/2005 09:18p 224,678 rXsctrs.dll
01/17/2005 03:33p 224,678 wtspdmoe.dll
33 File(s) 7,167,484 bytes
1 Dir(s) 1,992,863,744 bytes free
 
Christie Achor,

Thanks. OK, let's move on to step 2. As in the last post, do exactly as the directions show.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After the reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Thanks,
rstones12
 
Hi rstones12,

OK I followed the instructions EXACTLY and here is the log file...

L2Mfix 1.02b

Running From:
C:\Documents and Settings\christie.BADMIMI\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\christie.BADMIMI\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\christie.BADMIMI\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1184 'explorer.exe'
Killing PID 1184 'explorer.exe'
Error 0x5 : Access is denied.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1700 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\aza007jme.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aza603hse.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\danet.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dBdref.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fLxdrv.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp4603hse.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp4o03h3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp6803jue.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp6s03j7e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp8o03l3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\g440lehm1h4a.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\g840lihm184a.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\h2n00c5mef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\i8420ihoe84c0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ir4sl5h71.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\irrul5991.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jt4o07h3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jt6007jme.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jtj0071me.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kt20l7fm1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l02slaf71d2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lkrt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lscalui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lzdis11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvr4l99q1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\n4r2le9o1h.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\njdskcc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\PQM.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\rdnh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rXsctrs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\smprfdll.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\stbcsp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\t4r80e9ueh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\t8r80i9ue8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wtspdmoe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\aza007jme.dll
Successfully Deleted: C:\WINNT\system32\aza007jme.dll
deleting: C:\WINNT\system32\aza603hse.dll
Successfully Deleted: C:\WINNT\system32\aza603hse.dll
deleting: C:\WINNT\system32\danet.dll
Successfully Deleted: C:\WINNT\system32\danet.dll
deleting: C:\WINNT\system32\dBdref.dll
Successfully Deleted: C:\WINNT\system32\dBdref.dll
deleting: C:\WINNT\system32\fLxdrv.dll
Successfully Deleted: C:\WINNT\system32\fLxdrv.dll
deleting: C:\WINNT\system32\fp4603hse.dll
Successfully Deleted: C:\WINNT\system32\fp4603hse.dll
deleting: C:\WINNT\system32\fp4o03h3e.dll
Successfully Deleted: C:\WINNT\system32\fp4o03h3e.dll
deleting: C:\WINNT\system32\fp6803jue.dll
Successfully Deleted: C:\WINNT\system32\fp6803jue.dll
deleting: C:\WINNT\system32\fp6s03j7e.dll
Successfully Deleted: C:\WINNT\system32\fp6s03j7e.dll
deleting: C:\WINNT\system32\fp8o03l3e.dll
Successfully Deleted: C:\WINNT\system32\fp8o03l3e.dll
deleting: C:\WINNT\system32\g440lehm1h4a.dll
Successfully Deleted: C:\WINNT\system32\g440lehm1h4a.dll
deleting: C:\WINNT\system32\g840lihm184a.dll
Successfully Deleted: C:\WINNT\system32\g840lihm184a.dll
deleting: C:\WINNT\system32\h2n00c5mef.dll
Successfully Deleted: C:\WINNT\system32\h2n00c5mef.dll
deleting: C:\WINNT\system32\i8420ihoe84c0.dll
Successfully Deleted: C:\WINNT\system32\i8420ihoe84c0.dll
deleting: C:\WINNT\system32\ir4sl5h71.dll
Successfully Deleted: C:\WINNT\system32\ir4sl5h71.dll
deleting: C:\WINNT\system32\irrul5991.dll
Successfully Deleted: C:\WINNT\system32\irrul5991.dll
deleting: C:\WINNT\system32\jt4o07h3e.dll
Successfully Deleted: C:\WINNT\system32\jt4o07h3e.dll
deleting: C:\WINNT\system32\jt6007jme.dll
Successfully Deleted: C:\WINNT\system32\jt6007jme.dll
deleting: C:\WINNT\system32\jtj0071me.dll
Successfully Deleted: C:\WINNT\system32\jtj0071me.dll
deleting: C:\WINNT\system32\kt20l7fm1.dll
Successfully Deleted: C:\WINNT\system32\kt20l7fm1.dll
deleting: C:\WINNT\system32\l02slaf71d2.dll
Successfully Deleted: C:\WINNT\system32\l02slaf71d2.dll
deleting: C:\WINNT\system32\lkrt.dll
Successfully Deleted: C:\WINNT\system32\lkrt.dll
deleting: C:\WINNT\system32\lscalui.dll
Successfully Deleted: C:\WINNT\system32\lscalui.dll
deleting: C:\WINNT\system32\lzdis11n.dll
Successfully Deleted: C:\WINNT\system32\lzdis11n.dll
deleting: C:\WINNT\system32\mvr4l99q1.dll
Successfully Deleted: C:\WINNT\system32\mvr4l99q1.dll
deleting: C:\WINNT\system32\n4r2le9o1h.dll
Successfully Deleted: C:\WINNT\system32\n4r2le9o1h.dll
deleting: C:\WINNT\system32\njdskcc.dll
Successfully Deleted: C:\WINNT\system32\njdskcc.dll
deleting: C:\WINNT\system32\PQM.DLL
Successfully Deleted: C:\WINNT\system32\PQM.DLL
deleting: C:\WINNT\system32\rdnh.dll
Successfully Deleted: C:\WINNT\system32\rdnh.dll
deleting: C:\WINNT\system32\rXsctrs.dll
Successfully Deleted: C:\WINNT\system32\rXsctrs.dll
deleting: C:\WINNT\system32\smprfdll.dll
Successfully Deleted: C:\WINNT\system32\smprfdll.dll
deleting: C:\WINNT\system32\stbcsp.dll
Successfully Deleted: C:\WINNT\system32\stbcsp.dll
deleting: C:\WINNT\system32\t4r80e9ueh.dll
Successfully Deleted: C:\WINNT\system32\t4r80e9ueh.dll
deleting: C:\WINNT\system32\t8r80i9ue8.dll
Successfully Deleted: C:\WINNT\system32\t8r80i9ue8.dll
deleting: C:\WINNT\system32\wtspdmoe.dll
Successfully Deleted: C:\WINNT\system32\wtspdmoe.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aza007jme.dll (152 bytes security) (deflated 3%)
adding: aza603hse.dll (152 bytes security) (deflated 4%)
adding: danet.dll (152 bytes security) (deflated 3%)
adding: dBdref.dll (152 bytes security) (deflated 3%)
adding: fLxdrv.dll (152 bytes security) (deflated 4%)
adding: fp4603hse.dll (152 bytes security) (deflated 4%)
adding: fp4o03h3e.dll (152 bytes security) (deflated 4%)
adding: fp6803jue.dll (152 bytes security) (deflated 5%)
adding: fp6s03j7e.dll (152 bytes security) (deflated 4%)
adding: fp8o03l3e.dll (152 bytes security) (deflated 4%)
adding: g440lehm1h4a.dll (152 bytes security) (deflated 3%)
adding: g840lihm184a.dll (152 bytes security) (deflated 4%)
adding: h2n00c5mef.dll (152 bytes security) (deflated 3%)
adding: i8420ihoe84c0.dll (152 bytes security) (deflated 4%)
adding: ir4sl5h71.dll (152 bytes security) (deflated 4%)
adding: irrul5991.dll (152 bytes security) (deflated 4%)
adding: jt4o07h3e.dll (152 bytes security) (deflated 3%)
adding: jt6007jme.dll (152 bytes security) (deflated 3%)
adding: jtj0071me.dll (152 bytes security) (deflated 3%)
adding: kt20l7fm1.dll (152 bytes security) (deflated 4%)
adding: l02slaf71d2.dll (152 bytes security) (deflated 4%)
adding: lkrt.dll (152 bytes security) (deflated 4%)
adding: lscalui.dll (152 bytes security) (deflated 5%)
adding: lzdis11n.dll (152 bytes security) (deflated 3%)
adding: mvr4l99q1.dll (152 bytes security) (deflated 3%)
adding: n4r2le9o1h.dll (152 bytes security) (deflated 4%)
adding: njdskcc.dll (152 bytes security) (deflated 3%)
adding: PQM.DLL (152 bytes security) (deflated 4%)
adding: rdnh.dll (152 bytes security) (deflated 3%)
adding: rXsctrs.dll (152 bytes security) (deflated 4%)
adding: smprfdll.dll (152 bytes security) (deflated 3%)
adding: stbcsp.dll (152 bytes security) (deflated 4%)
adding: t4r80e9ueh.dll (152 bytes security) (deflated 4%)
adding: t8r80i9ue8.dll (152 bytes security) (deflated 4%)
adding: wtspdmoe.dll (152 bytes security) (deflated 4%)
adding: guard.tmp (152 bytes security) (deflated 3%)
adding: clear.reg (152 bytes security) (deflated 52%)
adding: echo.reg (152 bytes security) (deflated 10%)
adding: desktop.ini (152 bytes security) (deflated 15%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 85%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 65%)
adding: test.txt (152 bytes security) (deflated 81%)
adding: test2.txt (152 bytes security) (deflated 34%)
adding: test3.txt (152 bytes security) (deflated 34%)
adding: test5.txt (152 bytes security) (deflated 34%)
adding: xfind.txt (152 bytes security) (deflated 75%)
adding: backregs/84ACAEB7-37BB-428D-8382-BF6C455CFBCB.reg (152 bytes security) (deflated 70%)
adding: backregs/B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aza007jme.dll
deleting local copy: aza603hse.dll
deleting local copy: danet.dll
deleting local copy: dBdref.dll
deleting local copy: fLxdrv.dll
deleting local copy: fp4603hse.dll
deleting local copy: fp4o03h3e.dll
deleting local copy: fp6803jue.dll
deleting local copy: fp6s03j7e.dll
deleting local copy: fp8o03l3e.dll
deleting local copy: g440lehm1h4a.dll
deleting local copy: g840lihm184a.dll
deleting local copy: h2n00c5mef.dll
deleting local copy: i8420ihoe84c0.dll
deleting local copy: ir4sl5h71.dll
deleting local copy: irrul5991.dll
deleting local copy: jt4o07h3e.dll
deleting local copy: jt6007jme.dll
deleting local copy: jtj0071me.dll
deleting local copy: kt20l7fm1.dll
deleting local copy: l02slaf71d2.dll
deleting local copy: lkrt.dll
deleting local copy: lscalui.dll
deleting local copy: lzdis11n.dll
deleting local copy: mvr4l99q1.dll
deleting local copy: n4r2le9o1h.dll
deleting local copy: njdskcc.dll
deleting local copy: PQM.DLL
deleting local copy: rdnh.dll
deleting local copy: rXsctrs.dll
deleting local copy: smprfdll.dll
deleting local copy: stbcsp.dll
deleting local copy: t4r80e9ueh.dll
deleting local copy: t8r80i9ue8.dll
deleting local copy: wtspdmoe.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINNT\system32\aza007jme.dll
C:\WINNT\system32\aza603hse.dll
C:\WINNT\system32\danet.dll
C:\WINNT\system32\dBdref.dll
C:\WINNT\system32\fLxdrv.dll
C:\WINNT\system32\fp4603hse.dll
C:\WINNT\system32\fp4o03h3e.dll
C:\WINNT\system32\fp6803jue.dll
C:\WINNT\system32\fp6s03j7e.dll
C:\WINNT\system32\fp8o03l3e.dll
C:\WINNT\system32\g440lehm1h4a.dll
C:\WINNT\system32\g840lihm184a.dll
C:\WINNT\system32\h2n00c5mef.dll
C:\WINNT\system32\i8420ihoe84c0.dll
C:\WINNT\system32\ir4sl5h71.dll
C:\WINNT\system32\irrul5991.dll
C:\WINNT\system32\jt4o07h3e.dll
C:\WINNT\system32\jt6007jme.dll
C:\WINNT\system32\jtj0071me.dll
C:\WINNT\system32\kt20l7fm1.dll
C:\WINNT\system32\l02slaf71d2.dll
C:\WINNT\system32\lkrt.dll
C:\WINNT\system32\lscalui.dll
C:\WINNT\system32\lzdis11n.dll
C:\WINNT\system32\mvr4l99q1.dll
C:\WINNT\system32\n4r2le9o1h.dll
C:\WINNT\system32\njdskcc.dll
C:\WINNT\system32\PQM.DLL
C:\WINNT\system32\rdnh.dll
C:\WINNT\system32\rXsctrs.dll
C:\WINNT\system32\smprfdll.dll
C:\WINNT\system32\stbcsp.dll
C:\WINNT\system32\t4r80e9ueh.dll
C:\WINNT\system32\t8r80i9ue8.dll
C:\WINNT\system32\wtspdmoe.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}"=-
"{FEC2EBFF-B133-4277-AC72-630CDDED6411}"=-
"{9B65C3AB-E41B-41DD-86A5-3B58AB858E8B}"=-
"{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}]
[-HKEY_CLASSES_ROOT\CLSID\{FEC2EBFF-B133-4277-AC72-630CDDED6411}]
[-HKEY_CLASSES_ROOT\CLSID\{9B65C3AB-E41B-41DD-86A5-3B58AB858E8B}]
[-HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5D7031FC-B9CE-4480-AB2E-8ED18DBD736F}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{5D7031FC-B9CE-4480-AB2E-8ED18DBD736F}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

 
Christie Achor,

Thanks for the log. I will review the log and then we can move on to the next part.

Can you post a new HJT log? I need to use it as a reference.

Thanks,
rstones12
 
Logfile of HijackThis v1.98.2
Scan saved at 4:21:38 PM, on 2/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\exxynj.exe
C:\WINNT\system32\Beaoyu.exe
C:\WINNT\yzabyagh.exe
C:\winnt\system32\msnavc32.exe
C:\winnt\system32\calc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wincbbk32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.565\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [exxynj] c:\winnt\system32\exxynj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Hejgad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Beaoyu.exe
O4 - HKLM\..\Run: [C:\WINNT\yzabyagh.exe] C:\WINNT\yzabyagh.exe
O4 - HKLM\..\Run: [ot8dnz8x] C:\Program Files\ot8dnz8x\ot8dnz8x.exe
O4 - HKLM\..\Run: [bvdpdc] C:\WINNT\system32\bvdpdc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://access01.mmlive.com/msrdp.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
 
Christie,
Thanks but you posted the HJT log with an older version of HijackThis.
The newest version is 1.99.1.

Here are some instructions.
Create a directory on your C:\ drive and rename it C:\HJT.
Then download the newest version of HJT HERE

Unzip the file and extract it into that directory. From now on use that file and directory for running HJT logs. HijackThis creates backups that are needed for recovery reasons.

I will use this log for the meantime and post back the next part of the fix shortly.
Thanks,
rstones12

If you have any questions, please don't hesitate to ask.
 
Christie,
Once you have created the permanent directory for HJT, please post a new HJT log.
We need to make sure that you have HJT in the right place; this is "very important". We can't use your current temporary location for where it is now located.

Once you post the new HJT log, I can give you the next part of the fix.
Thanks,
rstones12
 
Hi there!

Sorry, I was getting errors and redownloaded HJT. I followed your instructions and redownloaded into a new directory on the C drive. Let me know if I need to do anything else...

Thanks for your help!
Christie


Logfile of HijackThis v1.99.1
Scan saved at 12:06:36 AM, on 2/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\exxynj.exe
C:\WINNT\system32\Beaoyu.exe
C:\WINNT\yzabyagh.exe
C:\winnt\system32\msnavc32.exe
C:\winnt\system32\calc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wincbbk32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\prutqct.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.233\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [exxynj] c:\winnt\system32\exxynj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Hejgad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Beaoyu.exe
O4 - HKLM\..\Run: [C:\WINNT\yzabyagh.exe] C:\WINNT\yzabyagh.exe
O4 - HKLM\..\Run: [ot8dnz8x] C:\Program Files\ot8dnz8x\ot8dnz8x.exe
O4 - HKLM\..\Run: [bvdpdc] C:\WINNT\system32\bvdpdc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://access01.mmlive.com/msrdp.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
 