Free Malware Removal Forum

[cawitt]

Hi, whenever I try to start IE, I get an error message and IE just shuts down. The message is: "The instruction at "0xc450f594" referenced memory at "0xc450f594". The memory could not be "read".

Here is my HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 5:55:11 PM, on 10/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\cusrvc.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\mcshield.exe
C:\Program Files\Network Associates\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\bbda46b\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbpnet.cbp.dhs.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://customsnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Customs & Border Protection v1.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;167.144.*;*.dhs.gov;*.ins;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HumMeteringClient] rundll32.exe "C:\Program Files\Hummingbird\Connectivity\9.00\Accessories\MeteringClient.dll",RegisterProduct
O4 - HKLM\..\Run: [lcfep] C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe -x
O4 - HKLM\..\Run: [SwdisUsrPCN.wnwg05ab50] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\\\etb\\pokapoka76.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\spskll.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://customsnet
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://atsn-3a.cbp.dhs.gov/chartfx/download/ScriptX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://mvs01.unisys.com/dana-cached/se ... sSetup.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/g ... ed1003.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\ixssuba.dll (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE


I already deleted:
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\\\etb\\pokapoka76.exe
but it still gives the error.

All this started happening after I visited a Lyrics site, I think it was http://www.elyrics.net , but I'm afraid to go back there on another computer and screw it up, too.

Any help would be appreciated! Thanks!

Chris

[Kimberly]

Hello Chris and welcome.

Please don't go back to the site with another PC, we'll check the website out. Thanks for reporting it.

Apart from the Elite Toolbar, which needs to be cleaned up also, you have a Look2Me and a Qoologic infection. We have to start with the removal of the Look2Me infection before doing anything else. Your Internet Explorer may still give errors after this first part of the cleanup.

Disable TeaTimer as it might interfer with the fix.

1. Run Spybot-S&D
2. Go to the Mode menu, and make sure that Advanced Mode is selected
3. On the left hand side, choose Tools then Resident
4. Uncheck Resident TeaTimer and OK any prompts
5. Reboot your machine for the changes to take effect before running HJT.

______________________________

Let's have a look at the Look2Me infection first.

• Download l2mfix.exe from one of these two locations and save it to your Desktop.
  http://www.atribune.org/downloads/l2mfix.exe
  http://www.downloads.subratam.org/l2mfix.exe
• Double click l2mfix.exe to start the installation.
• Click the Install button to extract the files and follow the prompts.
• Open the newly added l2mfix folder on your desktop.
• Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the L2m log back here as a reply.

Kim

[cawitt]

Hi Kim, thanks for the quick response!

Here is the l2m log:


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ixssuba.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1EB6488-4479-EB69-412D-DCCE97F4F696}"=""
"iebar"=" "
"acc=ventura5"=" "

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
"{04c23aa0-3d34-11d2-b788-008029605ac7}"="NDPS Shell Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extention"
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}"="Registered ActiveX Controls"
"{D545EBD1-BD92-11CF-8772-00A0C9039735}"="Developer Studio Components"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{EEC0E77B-A1A4-4F11-8A77-B8E741817422}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EEC0E77B-A1A4-4F11-8A77-B8E741817422}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EEC0E77B-A1A4-4F11-8A77-B8E741817422}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EEC0E77B-A1A4-4F11-8A77-B8E741817422}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EEC0E77B-A1A4-4F11-8A77-B8E741817422}\InprocServer32]
@="C:\\WINDOWS\\system32\\Ckd8en32.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B4BA-6C90

Directory of C:\WINDOWS\System32

09/15/2005 04:33p <DIR> dllcache
04/05/2001 01:43p 94,208 msstkprp.dll
1 File(s) 94,208 bytes
1 Dir(s) 9,724,798,976 bytes free

[Kimberly]

Hello Chris,

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.

• Open the l2mfix folder on your desktop.
• Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
• Press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Post that log along with any additional information as directed below.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the L2m log back here along with a new HijackThis log and I will review the information when it comes in.

When you are clean on this one, we'll go after the rest.

Kim

[cawitt]

Ok, done.

Here's my l2m log:

Setting Directory
C:\

C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1340 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (deflated 23%)
adding: lo2.txt (deflated 49%)
adding: test.txt (stored 0%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ixssuba.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{EEC0E77B-A1A4-4F11-8A77-B8E741817422}"=-
[-HKEY_CLASSES_ROOT\CLSID\{EEC0E77B-A1A4-4F11-8A77-B8E741817422}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


And here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:04 AM, on 10/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\cusrvc.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\mcshield.exe
C:\Program Files\Network Associates\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbpnet.cbp.dhs.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://customsnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Customs & Border Protection v1.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;167.144.*;*.dhs.gov;*.ins;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HumMeteringClient] rundll32.exe "C:\Program Files\Hummingbird\Connectivity\9.00\Accessories\MeteringClient.dll",RegisterProduct
O4 - HKLM\..\Run: [lcfep] C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe -x
O4 - HKLM\..\Run: [SwdisUsrPCN.wnwg05ab50] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\spskll.exe reg_run
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: rard.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O14 - IERESET.INF: START_PAGE_URL=http://customsnet
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://atsn-3a.cbp.dhs.gov/chartfx/download/ScriptX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://mvs01.unisys.com/dana-cached/se ... sSetup.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\ixssuba.dll (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE

[Kimberly]

Ok, let's go after the rest now. Usually Ewido can handle the Qoologic infections, so let's try like this first.

Make sure that you can see hidden files.

1. Click Start.
2. Click My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Uncheck the Hide file extensions for known file types.
9. Click OK.

______________________________

Download LQFix to your Desktop or to your usual Download Folder.
http://users.telenet.be/bluepatchy/miek ... /LQfix.zip
Unzip it to your Desktop. Don't use it yet.
______________________________

Please download the trial version of Ewido Security Suite 3.5 from here:
http://www.ewido.net/en/download/

• Install Ewido Security Suite.
• When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
• When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
• The program will prompt you to update. Click the Ok button.
• The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

• On the left-hand side of the main screen click the Update Button.
• Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Please print out the following instruction or copy them to a notepad file and save them because you won't be able to see this page.
You will need to be Offline and NO IE windows open. Don't open Control Panel neither. When ready to start the fix, unplug your cat-5 wire from machine if you are on cable or a network.
______________________________

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]

Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Boot into Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.

______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <--- Only if you didn't activate this option with Spybot S&D or a similar tool
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\ixssuba.dll (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Close ALL running programs before running the following tool. Double-click LQFix.bat. A DOS window should open and close, this is normal. Occasionally a DOS box may appear asking your permission to delete some files in Temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware. If a reboot is asked by the program, make sure that you reboot in Safe Mode again.
______________________________

Normally I instruct the user to clean up all the files with Ewido. I see that you have important software running and that's why I prefer to use a manual action on each file. Don't worry if you delete a legitimate file, Ewido keeps a backup of them and they are easy to restore. Watch out for files you know to be legitimate, like the Novel stuff and the Tivoli files ... and when you see the word HEURISTIC in Ewido's detection. Clean up the rest.

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan. Do not open any folder's or open the windows control panel while the scan is in progress.

• Click on Scanner
• Click on Settings
  
  • Under How to scan all boxes should be checked
  • Under Unwanted Software all boxes should be checked
  • Under What to scan select Scan every file
  • Click on Ok
• Click on Complete System Scan to start the scan process.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action, otherwise select the clean action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

• Click Save Report button
• Save the report to your Desktop

Close Ewido.
______________________________

Post a new HijackThis log, along with the Ewido log please.

By chance, can you remember what you were looking for on that site ? At first sight it has lots of popup crap and myway, but it could be a rotating system. Did you click on something ? Don't return there to find out!

[cawitt]

Ok, done.

Here's my ewido logfile:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:04:52 PM, 10/18/2005
+ Report-Checksum: 9D6D1E37

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rard.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
:mozilla.22:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.50:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.51:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.53:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.54:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.55:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.58:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.59:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.64:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.67:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.366:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.471:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.523:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.530:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.531:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.728:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.729:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.730:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.790:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.791:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.794:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.795:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.815:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.825:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.831:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.834:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.835:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.837:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.838:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.839:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.840:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.841:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.844:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.845:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.848:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.849:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.850:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.851:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.858:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.860:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.861:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.862:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.868:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.870:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.872:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.875:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.885:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.889:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.895:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.904:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.914:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.920:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.933:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.935:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.947:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.948:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.971:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.976:C:\Documents and Settings\bbda46b\Application Data\Mozilla\Firefox\Profiles\rty745x7.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@buycom.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@cnetasiapacific.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfk4kidpwdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfk4qjdpadp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfk4uoajkgq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfkismazcfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfkiwndpofo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfkyehdjmcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfkyekd5wfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfkywocjmcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfl4opdjiao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wflicld5scq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfliejd5geo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfliekajwlp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfligkcjchq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wfliqncpelp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wgkyknczgep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjk4qhcjgfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjkocpcpidq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjkocpd5aho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjkoghdpofq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjkyogcpefq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjkyoocpwkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjkyulajibo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjl4ajajkbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjl4kocpgbp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjl4wpcpahp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjliojdjiap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjliuiazsdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlowgajoeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlycgczogp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlyclc5mco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlyglcjodo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlyogajkaq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlyugc5kgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjlywjdjifq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjmickdziho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjmiondpibp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjmisgcjseq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjmiupdpibo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjmyepc5gco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjmyqiazmeq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjny-1ndjeh.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjnyaoczkho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjnygmdjogo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@e-2dj6wjnysldzccq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@entrepreneur.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@internetfuel[1].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@news.com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@tgn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\bbda46b\Cookies\bbda46b@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\1313206_2616_2972_1640_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\132376_1832_1572_1436_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\1704168_1972_1792_364_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\197864_1892_1812_1704_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\5638540_1792_2972_1608_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\590062_1912_1832_880_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\67494_2512_2972_3396_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\common.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@a-1shz2prbmdj6wvny-1sez2pra2dj6wjloeiczcgqa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4ckcpmgpq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4opc5ggpgsdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4smdzihpasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkokpazwaoaydj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloshd5capg6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlowkdpcdqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmycjd5kfoqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmysnczmcpwmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\Cookies\bbda46b@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyumdjoeogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\i316.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_1EB0.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_4013.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_4DE8.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_503B.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_6E1C.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_9633.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_A154.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_B02D.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\k_C55F.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\TBPS.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temp\toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\bbda46b\Local Settings\Temporary Internet Files\Content.IE5\S9IRO52R\pcs_0031[1].exe -> Spyware.Pacer : Cleaned with backup
C:\quarantine\setup4110.cab.Vir/lhoc03njq_.dll -> Adware.Saha : Error during cleaning
C:\quarantine\setup4110.cab.Vir/hxk8pjf7w_.exe -> Adware.SAHA : Error during cleaning
C:\WINDOWS\Downloaded Program Files\pcs_0031.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\dadcbbn.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\system32\eaedj.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\fsfdssj.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\sav2.exe -> TrojanDownloader.Agent.vp : Cleaned with backup
C:\WINDOWS\system32\spskll.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\system32\wuwqp.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup


::Report End


And here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:05:45 PM, on 10/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbpnet.cbp.dhs.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://customsnet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Customs & Border Protection v1.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;167.144.*;*.dhs.gov;*.ins;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HumMeteringClient] rundll32.exe "C:\Program Files\Hummingbird\Connectivity\9.00\Accessories\MeteringClient.dll",RegisterProduct
O4 - HKLM\..\Run: [lcfep] C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe -x
O4 - HKLM\..\Run: [SwdisUsrPCN.wnwg05ab50] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://customsnet
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://atsn-3a.cbp.dhs.gov/chartfx/download/ScriptX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://mvs01.unisys.com/dana-cached/se ... sSetup.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE

[cawitt]

Oh yeah, I almost forgot. Actually, I may have given you the wrong url for the site where I got infected. I think the page that infected me may have been:

http://www.seeklyrics.com/lyrics/Eric-B ... -Mind.html

But it may also have been:

http://www.elyrics.net/go/b/blue-lyrics ... ow-lyrics/

Thanks!

[Kimberly]

Thanks for the additional info on the websites, will check them out asap.

Ewido did an awsome job, we still need to fix a small amount of things. You're doing well and we're almost done.

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green

• Under Safety
  
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
• Under Definitions
  
  • Prompt to udate outdated definitions - set to 7 days

Click on the Scanning Button of the left and select in green

• Under Driver, Folders & Files
  
  • Scan Within Archives
• Under Select drives & folders to scan
  
  • choose all hard drives
• Under Memory & Registry
  
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file

Click on the Advanced Button on the left and select in green

• Under Shell Integration
  
  • Move deleted files to Recycle Bin
• Under Logfile Detail Level
  
  • Include addtional object information
  • DESELECT - Include negligible objects information (make it show a red X)
  • Include environment information
• Under Alternate Data Streams
  
  • Don't log streams smaller than 0 bytes
  • Don't log ADS with the following names: CA_INOCULATEIT

Click the Tweak Button and select in green

• Under the Scanning Engine (Click on the + sign to expand)
  
  • DESELECT Unload recognized processes & modules during scan (make it show a red X)
  • Scan registry for all users instead of current user only
• Under the Cleaning Engine (Click on the + sign to expand)
  
  • Always try to unload modules before deletion
  • During Removal, unload Explorer and IE if necessary
  • Let Windows remove files in use at next reboot
• Under the Log Files (Click on the + sign to expand)
  
  • Include basic Ad-aware SE settings in logfile
  • Include additional Ad-aware SE settings in logfile
  • Include reference summarry in log file
  • Include alternate data stream details in log file

Click on Proceed to save the settings and close the program.
______________________________

If not already installed, download and install the VX2 Cleaner 2.0 plugin from Lavasoft by following the instructions below.

Installing VX2 Cleaner 2.0

1. Close Ad-Aware, if it is currently open.
2. Download the VX2 Cleaner 2.0 Plug-in here.
3. After installing, restart Ad-Aware before running the VX2 Cleaner.

______________________________

Launch Spybot - S&D and update it.
Click on the Search for Updates button. If there are available updates, they will be listed. Click on the Download Updates button and Spybot - S&D will download the updates and install them. Close Spybot S&D.

Note : Use Safernetworking #1 (Europe) or Safernetworking #2 (Europe) for the updates due to bad checksums on the files.
______________________________

Ewido did an awsome job on the Qoologic, but I prefer to double check.
Download WinPFind.zip to your Desktop from
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\System Files

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\ixssuba.dll
C:\WINDOWS\system32\Ckd8en32.dll

They probably won't exist, but I prefer to be sure.

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.

It looks like the following files have been quarantained by a program you have running (McAfee maybe ?) ... clean out the quarantained files when you have a moment.

C:\quarantine\setup4110.cab.Vir/lhoc03njq_.dll -> Adware.Saha : Error during cleaning
C:\quarantine\setup4110.cab.Vir/hxk8pjf7w_.exe -> Adware.SAHA : Error during cleaning
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Procede like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Start Ad-Aware SE

• Click on Add-ons
• Select the VX2 Cleaner plug-in and click Run Tool
• If your computer isn’t infected, click Close.
  OR
• If you computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
• Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
• Reboot your computer
• Run Ad-Aware and Click on the Scan Now Button
  
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
  Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.
  
  Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.

Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.

Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed.
______________________________

Run Spybot - S&D

Click the button Check for Problems
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.
______________________________

Boot into Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file at C:\WinPFind\WinPFind.txt. Pleased copy that log to your next reply.
______________________________

Reboot in Normal Mode and run Panda's ActiveScan and perform a full system scan.

• Once you are on the Panda site click the Scan your PC button.
• A new window will open...click the big Check Now button.
• Enter your Country.
• Enter your State/Province.
• Enter your e-mail address.
• Select either Home User or Company.
• Click the big Scan Now button.
• Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
• Click on Local Disks to start the scan.

Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  
  • Scan using the following Anti-Virus database:
    
    • Extended (If available otherwise Standard)
  • Scan Options:
    
    • Scan Archives
    • Scan Mail Bases
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

______________________________

Please post a new Hijackthis log (from normal mode this time please), along with the results of the WinPFind.txt, the Panda Scan and the Kaspersky Scan.

Kim

[cawitt]

Ok, I finally got it done (sort of). I wasn't able to get Kaspersky to run (explanation below). Here is everything else.

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:33:23 PM, on 10/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\cusrvc.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\mcshield.exe
C:\Program Files\Network Associates\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Network Associates\SHSTAT.EXE
C:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbpnet.cbp.dhs.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://customsnet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Customs & Border Protection v1.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;167.144.*;*.dhs.gov;*.ins;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HumMeteringClient] rundll32.exe "C:\Program Files\Hummingbird\Connectivity\9.00\Accessories\MeteringClient.dll",RegisterProduct
O4 - HKLM\..\Run: [lcfep] C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe -x
O4 - HKLM\..\Run: [SwdisUsrPCN.wnwg05ab50] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://customsnet
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://atsn-3a.cbp.dhs.gov/chartfx/download/ScriptX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://mvs01.unisys.com/dana-cached/se ... sSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE


WinPFind.txt:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
WinShutDown 10/18/2005 11:32:20 AM 6056 C:\log.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 3/18/2003 11:05:48 PM 2052096 C:\WINDOWS\SYSTEM32\atl71.pdb
PEC2 7/15/2000 1:00:00 AM 8024064 C:\WINDOWS\SYSTEM32\MFC42.PDB
PEC2 7/15/2000 1:00:00 AM 3944448 C:\WINDOWS\SYSTEM32\MFC42D.PDB
PEC2 3/19/2003 1:20:00 AM 10357760 C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2 3/19/2003 12:28:40 AM 8252416 C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2 3/19/2003 1:12:12 AM 10333184 C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2 3/19/2003 12:31:58 AM 8293376 C:\WINDOWS\SYSTEM32\mfc71ud.pdb
PEC2 7/15/2000 1:00:00 AM 2052096 C:\WINDOWS\SYSTEM32\MFCD42D.PDB
PEC2 7/15/2000 1:00:00 AM 1454080 C:\WINDOWS\SYSTEM32\MFCN42D.PDB
PEC2 7/15/2000 1:00:00 AM 4395008 C:\WINDOWS\SYSTEM32\MFCO42D.PDB
PECompact2 10/2/2005 7:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/2/2005 7:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 6/19/2003 12:05:04 PM 529168 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 12/7/1999 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/7/2005 6:15:54 PM H 54156 C:\WINDOWS\QTFont.qfn
10/18/2005 6:05:32 PM H 922712 C:\WINDOWS\ShellIconCache
10/18/2005 6:08:12 PM S 64 C:\WINDOWS\CSC\00000001
10/6/2005 10:36:06 AM S 64 C:\WINDOWS\CSC\00000002
8/26/2005 9:46:24 AM S 64 C:\WINDOWS\CSC\csc1.tmp
10/18/2005 2:05:24 PM H 1024 C:\WINDOWS\system32\config\default.LOG
10/18/2005 3:33:10 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/18/2005 6:12:44 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
10/18/2005 6:13:42 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/22/2005 3:58:34 PM HS 336 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\e6097b54-ae01-44f4-8948-e880e788c922
9/22/2005 3:58:34 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
10/18/2005 6:05:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 12/7/1999 4:00:00 AM 67344 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 4:00:00 AM 128272 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 118032 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 36112 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 9:10:00 AM 326144 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 122128 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 303888 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 17168 C:\WINDOWS\SYSTEM32\ncpa.cpl
NVIDIA Corporation 4/22/2003 11:44:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 41232 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 2/20/2003 5:39:50 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINDOWS\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 4:00:00 AM 5904 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 61200 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 54272 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2/17/2005 1:17:50 AM 64784 C:\WINDOWS\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 4:00:00 AM 41232 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Hummingbird Ltd. 7/15/2003 3:15:28 PM 90112 C:\WINDOWS\SYSTEM32\Hummingbird\Connectivity\9.00\Inetd\inetd32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/27/2004 7:55:22 AM 1583 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mymgffnm
{6a793683-6c85-4290-88e6-bb819be31121} = C:\WINDOWS\system32\eaedj.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareServerMenu
{9b173360-732b-11ce-aa22-00805f9834b0} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINDOWS\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
NDPS C:\WINDOWS\system32\dpmw32.exe
NWTRAY NWTRAY.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
CreateCD50 "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
HumMeteringClient rundll32.exe "C:\Program Files\Hummingbird\Connectivity\9.00\Accessories\MeteringClient.dll",RegisterProduct
lcfep C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe -x
SwdisUsrPCN.wnwg05ab50 "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
ShStatEXE "C:\Program Files\Network Associates\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
Network Associates Error Reporting Service "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\msonsext.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 1
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
disablecad 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINDOWS\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/18/2005 6:17:19 PM


Panda Scan:

Code: Select all

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Spyware:spyware/surfsidekick  No disinfected                C:\Documents and Settings\bbda46b\Local Settings\Temporary Internet Files\Ssk.log                                                                                                                                                                               
Adware:adware/bookedspace     No disinfected                C:\WINDOWS\cfgmgr52.ini                                                                                                                                                                                                                                         
Adware:Adware/NetPals         No disinfected                C:\WINDOWS\Downloaded Program Files\ATPartners.inf                                                                                                                                                                                                              
Adware:adware/quicksearch     No disinfected                C:\WINDOWS\Downloaded Program Files\install.inf                                                                                                                                                                                                                 

Kaspersky gave me the following message:

Failed to load Kaspersky On-line Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level.

I know I have admin rights (otherwise I couldn't have installed the other stuff). I think my IE settings are ok, I have them to Custom, but it allows ActiveX, so this shouldn't be a problem. Hopefully it's not too big a deal.

Thank you so much for your help so far, Kim! My IE works now, so I'm already very happy! But I realize we also want to get those last few pesky remnants off my box, and I'm very grateful for your continued help. You rock!

Chris

[Kimberly]

Glad to hear that IE is working now.

There's not much left over to clean up, Ewido did a good job on the Qoologic.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mymgffnm]

[-HKEY_CLASSES_ROOT\CLSID\{6a793683-6c85-4290-88e6-bb819be31121}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a793683-6c85-4290-88e6-bb819be31121}]

Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg

Note: overwrite the existing Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\eaedj.dll
C:\WINDOWS\cfgmgr52.ini
______________________________

Copy/paste the following quote box into a new notepad (not wordpad) document. Keep IE closed while deleting those files.

@ECHO OFF
cd C:\WINDOWS\Downloaded Program Files
attrib -r -s -h ATPartners.inf
del ATPartners.inf
attrib -r -s -h install.inf
del install.inf
cd C:\Documents and Settings\bbda46b\Local Settings\Temporary Internet Files
attrib -r -s -h Ssk.log
del Ssk.log

Save it to your Desktop as cleanme.bat. Save it as:
File Type: All Files(not as a text document or it wont work).
Name: cleanme.bat

Double click cleanme.bat. Confirm the del of files / folders.
______________________________

Let's check your settings and see if we can get Kaspersky going. It's a strange issue since Panda did run ... Compare to the following settings and I'll check if I can find more info on the error at the Kaspersky website.

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.
   
   • Change the Download signed ActiveX controls to Prompt
   • Change the Download unsigned ActiveX controls to Disable
   • Check that Script ActiveX controls marked safe for scripting is set to Enabled or Prompt
   • Check that Run ActiveX controls and plugins is Enabled
   • Change the Initialise and script ActiveX controls not marked as safe to Disable
   • Change the Installation of desktop items to Prompt
   • Change the Launching programs and files in an IFRAME to Prompt
   • Change the Navigate sub-frames across different domains to Prompt
   • Check that Active Scripting is set to Enabled
   • When all these settings have been made, click on the OK button.
   • If it prompts you as to whether or not you want to save the settings, press the Yes button.
6. Next press the Apply button and then the OK to exit the Internet Properties page.

I'll post back later on if I find more info about the scan error.

Kim

[cawitt]

Ok, I did all the above.

After checking my IE security settings, I got a bit further on Kaspersky. Now it is able to install the scanner, but it has trouble updating the av db. It won't seem to download the master.xml file from any of the servers. Here's what it says:

Please wait to update the virus definitions...
Downloading from url: http://us2h.kaspersky-labs.com
Downloading remote file: master.xml
Downloading from url: http://us1h.kaspersky-labs.com
Downloading remote file: master.xml
... (clipped) ...
Downloading from url: http://ru5h.kaspersky-labs.com
Downloading remote file: master.xml
Downloading from url: http://eu5h.kaspersky-labs.com
Downloading remote file: master.xml
Downloading from url: ftp://downloads1.kaspersky-labs.com
Downloading remote file: master.xml
Update process FAILED. No further antivirus actions can be performed!

Attention, you must be online to activate Kaspersky On-line Scanner, since the latest Anti-Virus bases version must be uploaded prior to scan. Otherwise we cannot guarantee detection of latest viruses. Please go online to use Kaspersky On-line Scanner.

It won't go any further than that.

[Kimberly]

Hello Chris,

I have the Kaspersky scanner installed on my PC's and I did launch it right now. Since I already have a local database, it only updates / downloads new files. It is slower as usual, maybe their server is a bit overloaded and your connection times out... (I had the same problem with a friends PC at home yesterday and the Panda Scan - I had to start it all over again 4 times - I did reboot between them as suggested by the Panda ActiveX control)

Mine did update from eu1h.kaspersky-labs.com, unfortunately you can't change the update location anywhere.

Maybe try another moment of the day (guess it's about 5:45 PM now in Washington DC or so) - Since the main engine did install it's definitively not an admin rights problems. The Winpfind log didn't show any strange policy restrictions neither.

From your HijackThis log I can see you have particular firewall / domain / proxy settings ... they sometimes can be the cause of timed out or blocked connections, but I honestly think that their server is timing out atm due to the random errors you get.

I you can't get the scan to work, you may perform the Trend scan instead:
http://housecall.trendmicro.com/houseca ... t_corp.asp

Kim

[cawitt]

I ran the TrendMicro HouseCall scan, and it came up clean! Woo hoo!

My system seems to be working fine now. Please let me know if there's anything else you'd like me to do on it before we call it "done."

[Kimberly]

Great news.

We can call it 'done', just hide your system files again and secure your IE settings again if you did lower them for the ActiveX scans. Since you are running a PC for work, make sure to backup important files and documents very often.

You may keep Ewido installed if you wish, it's a very good program. You will still be able to perform scans with Ewido and update the definitions after the 15 days trial but if you want the real-time protection active, you need to purchase the product.

There is a Toolbar that you might be interested in: SiteHound Toolbar. I'm testing the toolbar atm on my PC and it seems to produce good results.
Help / Support pages are located here:
http://www.sitehound.com/support/help/W ... m_Help.htm

On a side note, I'm still not able to explain why the Kaspersky scan didn't work. I'll see if I can contact their support and see what's up. It might be important / usefull for other users.

Hide your system files again.

1. Click Start.
2. Click My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading uncheck Show hidden files and folders.
6. Check the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Click OK.

______________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

Make your Internet Explorer more secure

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.
   
   • Change the Download signed ActiveX controls to Prompt
   • Change the Download unsigned ActiveX controls to Disable
   • Change the Initialise and script ActiveX controls not marked as safe to Disable
   • Change the Installation of desktop items to Prompt
   • Change the Launching programs and files in an IFRAME to Prompt
   • Change the Navigate sub-frames across different domains to Prompt
   • When all these settings have been made, click on the OK button.
   • If it prompts you as to whether or not you want to save the settings, press the Yes button.
6. Next press the Apply button and then the OK to exit the Internet Properties page.

Additional information is available in the following KB article:
Resources for using Internet Explorer 6

Download and install the following free programs

• SpywareBlaster
  SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  You can download SpywareBlaster here
  A tutorial can be found here
• SpywareGuard
  It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
  You can download SpywareGuard here
  A tutorial can be found here
• IE-SPYAD
  IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
  You can download IE-SPYAD here
  A tutorial can be found here
• Hosts File
  A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  A tutorial tutorial can be found here
  
  • MVPS Hosts File
    You can download the MVPS Hosts File here
    Furthermore the website contains useful tips and links to other resources and utilities.
  • Bluetack's Hosts File and Hosts Manager
    Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
    Download Bluetack's Hosts file here
    Download Bluetack's Hosts Manager here

Install Spyware Detection and Removal Programs

• Ad-Aware
  It scans for known spyware on your computer. These scans should be run at least once every two weeks.
  You can download Ad-Aware here
  A tutorial can be found here
• Spybot - Search & Destroy
  It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
  You can download Spybot - S&D here
  A tutorial can be found here

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

Keep an eye on the PC in the next days, don't hesitate to post back if needed.
Happy surf and thanks for coming to our forums for help with your security and malware issues.

Kim