Malware Removal & HijackThis Logs
11-Oct-2006, 11:04 AM
#1
Hi, having trouble as most people seem to be with this. I've got my HJT logfile, and I've used EWIDO, which I ran in safe mode, and then the BFU bit. I reached the stage of downloading ActiveScan, which I have done, but then I get redirected to www.pandasafe.com, which gives a 404 error. Then I try to open HJT but it closes immediately, something to do with not being able to run that and also Killzone because of this adware virus. Don't really know where to go next with this. Any help would be excellent. Thanks.

HJT Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:58 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
C:\Documents and Settings\Dominic\Desktop\Yinstall.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\qsbrtfqjdg\smss.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
C:\Program Files\PacificPoker\Utils\Poker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Dominic\Desktop\Yinstall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\Run: [mfku] C:\PROGRA~1\COMMON~1\mfku\mfkum.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...33352D2D2D.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.co...ic/FlashAX.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38BD9D07-A9C6-459B-A578-D6F18B687C52}: NameServer = 80.225.255.50 80.225.255.58
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\o8nsli5718.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I've also got the Ewido Anti-spyware report saved to desktop.
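As an added example (not code from this thread, from HijackThis, or from any of the tools mentioned), here is a Python triage pass over a log in the HijackThis v1.99.1 layout. It flags the kinds of entries the helpers single out in threads like this one: core system process names running outside their home directory, win.ini load=/run= and system.ini Shell=/UserInit= changes, RunServices and unresolved Startup items, Winlogon Notify DLLs not on a reviewer's allowlist, and custom DNS servers. The allowlist and the sample log excerpt are constructed for the example.

```python
import re
from dataclasses import dataclass

# Core Windows XP processes and the one directory each is expected to run from.
# The same name in any other directory (e.g. system32\qsbrtfqjdg\csrss.exe, as in
# the first log above) is the pattern a helper asks about first.
SYSTEM_PROCESS_HOME = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Winlogon Notify DLLs the reviewer has already vetted. This is an assumed
# allowlist for the example, not an official list; it grows as entries are cleared.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}

HJT_ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # "process" or the HJT prefix (F2, F3, O4, O17, O20)
    reason: str
    line: str


def _norm(path: str) -> str:
    """Lower-case and strip surrounding quotes so paths compare regardless of case."""
    return path.strip().strip('"').lower()


def _split(path: str):
    """Return (directory, file name) of a normalised Windows path."""
    head, _, tail = _norm(path).rpartition("\\")
    return head, tail


def triage(log: str) -> list:
    """Walk a HijackThis log and return the entries a helper would query."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            home, name = _split(line)
            expected = SYSTEM_PROCESS_HOME.get(name)
            if expected and home != expected:
                findings.append(Finding("process", f"{name} running outside {expected}", line))
            continue
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "F3" and re.match(r"REG:win\.ini: (load|run)=\S", body):
            findings.append(Finding("F3", "legacy win.ini load=/run= autostart is set", line))
        elif kind == "F2" and body.startswith("REG:system.ini: Shell="):
            if _norm(body.split("=", 1)[1]) != "explorer.exe":
                findings.append(Finding("F2", "Shell= is not plain explorer.exe", line))
        elif kind == "F2" and body.startswith("REG:system.ini: UserInit="):
            if _norm(body.split("=", 1)[1]).rstrip(",") != r"c:\windows\system32\userinit.exe":
                findings.append(Finding("F2", "UserInit= is not the stock userinit.exe", line))
        elif kind == "O4" and "RunServices:" in body:
            findings.append(Finding("O4", "RunServices is a Win9x key that XP software rarely uses", line))
        elif kind == "O4" and body.startswith("Startup:") and body.endswith("= ?"):
            findings.append(Finding("O4", "Startup shortcut whose target could not be resolved", line))
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            _, dll = _split(body.rpartition(" - ")[2])
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("O20", f"Winlogon Notify DLL {dll} is not on the allowlist", line))
        elif kind == "O17":
            findings.append(Finding("O17", "custom DNS servers set; confirm they belong to the ISP", line))
    return findings


# Constructed excerpt in HijackThis v1.99.1 layout, assembled from entries that
# appear in the thread's logs; it is not a complete log from the original post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
C:\WINDOWS\system32\qsbrtfqjdg\smss.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: load=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
O4 - Startup: csrss.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{38BD9D07-A9C6-459B-A578-D6F18B687C52}: NameServer = 80.225.255.50 80.225.255.58
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\o8nsli5718.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that pass (stock UserInit=, the Google notifier Run key, WgaLogon.dll) are deliberately included so the output shows only what needs a human decision.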
11-Oct-2006, 11:15 AM
#2
Hi and welcome to TSG. Click here to download Look2Me-Destroyer.exe and save it to your desktop.
If you receive a message from your firewall about this program accessing the internet, please allow it. If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory. http://www.ascentive.com/support/new...b/MSWINSCK.OCX
__________________ Microsoft MVP - Consumer Security
11-Oct-2006, 12:15 PM
#4
Report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:56:50 PM 10/11/2006

+ Scan result:

C:\WINDOWS\Temp\bw2.com -> Adware.AdURL : Cleaned with backup (quarantined).
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\TWljaGFlbA\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\sr -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\sr\sr -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1499398264-3895304184-2161807218-1006\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1499398264-3895304184-2161807218-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1499398264-3895304184-2161807218-1006\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-1499398264-3895304184-2161807218-1006\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cacdll.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kt22l7fo1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rapsnd.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tspmon.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ttpmib.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wwhisn.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1080] C:\WINDOWS\system32\Akview32.dll -> Adware.Look2Me : Error during cleaning.
[948] C:\WINDOWS\system32\Akview32.dll -> Adware.Look2Me : Error during cleaning.
C:\WINDOWS\system32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> Adware.PeerNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Start Menu\Programs\Power Scan -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Start Menu\Programs\Power Scan\Power Scan.lnk -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Desktop\Yinstall.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Temporary Internet Files\Content.IE5\RLVIJYCM\Yinstall[1].mp3 -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\mt-uninstaller.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\lsp_.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\SAHUninstall.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\shop1004.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lsp.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe -> Adware.ShopAtHome : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\SideFind -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{262916F0-0A6A-1033-0913-04040816002c}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick2 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick2\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-1499398264-3895304184-2161807218-1006\Software\SurfSideKick2 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-1499398264-3895304184-2161807218-1006\Software\SurfSideKick2\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\pxwma.dll -> Adware.Webdir : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{58F07DD3-924D-4141-BC74-299F523A95F1} -> Adware.WebDir : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Common Files\WinFixer 2005\FCrXML.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
C:\Program Files\MSN Messenger\msnmsgr.exe -> Backdoor.MSNMaker.w : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\313133352D2D2D.exe -> Downloader.Adload.gi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aaa00000.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\uyq938cb.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w00247cd.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w02dafcd.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\Program Files\Windows Media Player\saheqace.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\installer.exe -> Dropper.PurityScan.q : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Temporary Internet Files\Content.IE5\FKZ1JMJN\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Temporary Internet Files\Content.IE5\Y1W36LUN\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\samybire.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\speedtest2.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Temporary Internet Files\Content.IE5\Y1W36LUN\SystemDoctor2006FreeInstall[1].cab/USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Cookies\dominic@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vgh.exe -> Trojan.Kolweb.d : Cleaned with backup (quarantined).
C:\WINDOWS\hosts -> Trojan.Qhost.k : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00020.dll -> Trojan.Sinowal.bd : Cleaned with backup (quarantined).

::Report end
11-Oct-2006, 12:16 PM
#5
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 10/11/2006 5:05:28 PM

Infected! C:\WINDOWS\system32\t68u0gl9e6q.dll
Infected! C:\WINDOWS\system32\Akview32.dll
Infected! C:\WINDOWS\system32\nwtevent.dll
Infected! C:\WINDOWS\system32\Akview32.dll
Infected! C:\WINDOWS\system32\fpls0337e.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\Akview32.dll
C:\WINDOWS\system32\Akview32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nwtevent.dll
C:\WINDOWS\system32\nwtevent.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\Akview32.dll
C:\WINDOWS\system32\Akview32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fpls0337e.dll
C:\WINDOWS\system32\fpls0337e.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EC2FC19D-E8D2-4A72-AFBC-AE352E5CA91A}"
HKCR\Clsid\{EC2FC19D-E8D2-4A72-AFBC-AE352E5CA91A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9E3B93E3-015A-466B-AF7A-E97095242E94}"
HKCR\Clsid\{9E3B93E3-015A-466B-AF7A-E97095242E94}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded
11-Oct-2006, 04:19 PM
#8
Logfile of HijackThis v1.99.1
Scan saved at 9:02:50 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: load=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\Run: [mfku] C:\PROGRA~1\COMMON~1\mfku\mfkum.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Program Files\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...33352D2D2D.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan8/oscan8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.co...ic/FlashAX.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
11-Oct-2006, 05:43 PM
#11
Ewido is now known as AVG Anti-Spyware and it has been improved, so please remove the Ewido program that you have and upgrade to this one. Download AVG Anti-Spyware from HERE and save that file to your desktop. When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.

Please go HERE to run Panda's ActiveScan.

Come back here and post a new HijackThis log (in normal mode if possible) along with the logs from the AVG and Panda scans.
__________________ Microsoft MVP - Consumer Security
11-Oct-2006, 07:35 PM
#12
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:28:16 AM 10/12/2006

+ Scan result:

C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Dominic\Cookies\dominic@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.

::Report end

Also, I wasn't able to download ActiveScan as that link didn't work. I tried using other sites but then it wouldn't install successfully. Also, how can I replace the file C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe? Or alternatively just prevent me being prompted with this message at every start-up. Thanks again.
11-Oct-2006, 07:36 PM
#13
Logfile of HijackThis v1.99.1
Scan saved at 12:36:32 AM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
C:\WINDOWS\system32\qsbrtfqjdg\smss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: load=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\Run: [mfku] C:\PROGRA~1\COMMON~1\mfku\mfkum.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Program Files\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...33352D2D2D.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan8/oscan8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.co...ic/FlashAX.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38BD9D07-A9C6-459B-A578-D6F18B687C52}: NameServer = 80.225.255.50 80.225.255.58
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
|
12-Oct-2006, 12:57 PM
#14 |
You don't want to replace that file as it's malware. Reset your ActiveX security settings like so:

Go to Internet Options > Security > Internet, press "Default Level", then OK. Now press "Custom Level". In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

Download The Hoster from here. Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

Then see if you can get Panda to run. If not, please do this one: run the Kaspersky online virus scan here. After the updates have downloaded, click on the "Scan Settings" button. Choose the "Extended database" for the scan. Under "Please select a target to scan", click "My Computer". When the scan is finished, save the results from the scan!
__________________ Microsoft MVP - Consumer Security |
|
12-Oct-2006, 01:54 PM
#15 |
Incident | Status | Location
Virus:W32/Tobecho.S.worm | Disinfected | Operating system
Virus:Trj/MSNHijacker.B | Disinfected | Operating system
Adware:adware/cws | Not disinfected | C:\Documents and Settings\Dominic\Favorites\fun & games\Horoscope.lnk
Adware:adware/commad | Not disinfected | c:\windows\system32\atmtd.dll
Potentially unwanted tool:application/funweb | Not disinfected | c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/winfixer2005 | Not disinfected | c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe
Adware:adware/keenvalue | Not disinfected | c:\windows\browserxtras\pn\remove.exe
Spyware:spyware/surfsidekick | Not disinfected | C:\Documents and Settings\Dominic\Local Settings\Temporary Internet Files\Ssk.log
Dialer:dialer.xd | Not disinfected | c:\windows\switchagreement.txt
Adware:adware/ucmore | Not disinfected | c:\windows\ucmoreiex.exe
Potentially unwanted tool:application/bestoffer | Not disinfected | c:\windows\smdat32m.sys
Potentially unwanted tool:application/winantivirus2006 | Not disinfected | c:\program files\common files\WinAntiVirus Pro 2006
Adware:adware/ist.sidefind | Not disinfected | Windows Registry
Potentially unwanted tool:application/mywebsearch | Not disinfected | hkey_current_user\software\MyWebSearch
Adware:adware/oemji | Not disinfected | Windows Registry
Potentially unwanted tool:application/altnet | Not disinfected | hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/ist.istbar | Not disinfected | Windows Registry
Adware:adware/dollarrevenue | Not disinfected | Windows Registry
Adware:adware/ncase | Not disinfected | Windows Registry
Adware:adware/wazzup | Not disinfected | Windows Registry
Adware:adware/webdir | Not disinfected | Windows Registry
Adware:Adware/SAHAgent | Not disinfected | C:\WINDOWS\system32\xmltok.dll
Adware:Adware/SAHAgent | Not disinfected | C:\WINDOWS\Downloaded Program Files\setup.inf
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UDC6_0001_D19M1908NetInstaller.exe
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UDC6_0001_D19M1908NetInstaller.exe
Adware:Adware/CommAd | Not disinfected | C:\WINDOWS\TWljaGFlbA\nq53u3I5vE.vbs
Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@realmedia[1].txt
Spyware:Cookie/888 | Not disinfected | C:\Documents and Settings\Michael\Local Settings\Temp\Cookies\michael@888[1].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Michael\Cookies\michael@doubleclick[1].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\Michael\Cookies\michael@serving-sys[2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\Michael\Cookies\michael@bs.serving-sys[2].txt
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\Documents and Settings\Dominic\Local Settings\Temp\Temporary Internet Files\Content.IE5\FKZ1JMJN\installdrivecleanerstart[1].cab[UDC6_0001_D19M1908NetInstaller.exe]
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\Documents and Settings\Dominic\Local Settings\Temp\Temporary Internet Files\Content.IE5\FKZ1JMJN\installdrivecleanerstart[2].cab[UDC6_0001_D19M1908NetInstaller.exe]
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Dominic\Cookies\dominic@statcounter[2].txt
Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\Common Files\WinFixer 2005\uwappchk.dll

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:28:16 AM 10/12/2006

+ Scan result:

C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Dominic\Cookies\dominic@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Dominic\Local Settings\Temp\Cookies\dominic@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 6:54:17 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\MSN Messenger\msgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: load=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\qsbrtfqjdg\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\Run: [mfku] C:\PROGRA~1\COMMON~1\mfku\mfkum.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Program Files\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...33352D2D2D.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan8/oscan8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.co...ic/FlashAX.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38BD9D07-A9C6-459B-A578-D6F18B687C52}: NameServer = 80.225.255.50 80.225.255.58
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I have now been able to complete a HJT scan in normal mode. 8-)
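As an added example (not code from the thread, the helper, or HijackThis itself), a small triage script that encodes the checks a log reader applies to the entries posted above: a system.ini Shell= value carrying anything beyond explorer.exe, non-empty win.ini load=/run= lines, use of the obsolete RunServices key, a Startup shortcut HijackThis could not resolve, and a core system process name such as csrss.exe running from anywhere but the system directory. The sample lines are constructed by copying entries from the posted log; the rule names and the SYSTEM_ONLY list are my assumptions.

```python
import re

# Constructed sample: entries copied in HijackThis v1.99.1 format from the
# log posted above, plus two benign lines (UserInit, the Google notifier) for contrast.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=explorer.exe "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe"
F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\qsbrtfqjdg\\csrss.exe
F3 - REG:win.ini: run=C:\\WINDOWS\\system32\\qsbrtfqjdg\\csrss.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\Userinit.exe
O4 - HKLM\\..\\RunServices: [logon.exe] C:\\WINDOWS\\System32\\logon.exe
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.4150\\GoogleToolbarNotifier.exe
O4 - Startup: csrss.lnk = ?
"""

# Core Windows process names that legitimately run only from the system directory
# itself (assumed list); the same file name in a sub-folder is a classic impostor.
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) an HJT line deserves a closer look."""
    reasons = []
    if line.startswith("F2 - REG:system.ini: Shell="):
        # Shell= must be exactly explorer.exe; anything appended runs at every logon.
        if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            reasons.append("system.ini Shell= hijack")
    if re.match(r"F3 - REG:win\.ini: (load|run)=\S", line):
        reasons.append("win.ini load/run auto-start (normally empty)")
    if "\\RunServices:" in line:
        reasons.append("RunServices entry (obsolete key favoured by malware)")
    if line.startswith("O4 - Startup:") and line.rstrip().endswith("= ?"):
        reasons.append("Startup shortcut whose target HJT could not resolve")
    # Every drive-letter path ending in .exe on the line, quoted or not.
    for path in re.findall(r'[A-Za-z]:\\[^"]*?\.exe', line, flags=re.I):
        parent, name = path.lower().rsplit("\\", 1)
        if name in SYSTEM_ONLY and parent not in SYSTEM_DIRS:
            reasons.append(f"{name} running from {parent} (system-name impostor)")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    return {line: hits for line in text.splitlines() if (hits := triage_line(line))}


if __name__ == "__main__":
    for line, hits in triage_log(SAMPLE_LOG).items():
        print(line, "\n    ->", "; ".join(hits))
```

On the constructed sample it flags five of the seven lines and leaves the UserInit and Google notifier entries alone.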