
Solved: HIJACKTHIS LOG -> Ads just keep popping up like mad

Discussion in 'Virus & Other Malware Removal' started by BlueNameless, Jul 20, 2006.

  1. BlueNameless (Thread Starter) - Joined: Mar 31, 2006 - Messages: 21
    Logfile of HijackThis v1.99.1
    Scan saved at 3:25:54 PM, on 7/20/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\SUPERVOC\PROGRAM\PICPMON.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\xload.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\System32\bdpn.exe
    C:\WINDOWS\System32\xd7ehbkw.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe
    C:\WINDOWS\System32\tcmypt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\tcmypt.exe
    C:\WINDOWS\System32\zstatus.exe
    C:\Documents and Settings\rozsalie rigon\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http: \\www.gcscanada.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20069&k=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pjksr.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,berwcrq.exe
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
    O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Teei] "C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe" -vt mt
    O4 - HKCU\..\Run: [tcmypt] C:\WINDOWS\System32\tcmypt.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\RunOnce: [tcmypt] C:\WINDOWS\System32\tcmypt.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http: \\www.gcscanada.com
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.snipernet.us
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.snipernet.us (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://abmls.mlxchange.com/Control/FileCruiser.cab
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://abmls.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://abmls.mlxchange.com/Control/SISC.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56281C46-2A92-45F1-863D-E214733EB2D6} - http://www.cursorzone.com/cursors/cross_setup_td035.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100224077377
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://abmls.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://abmls.mlxchange.com/Control/AspCustomCtrls.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ROZSAL~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg118.dll (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Yo, I was working at my dad's office and all of a sudden this computer starts popping up ads like there's no tomorrow. The computer was forced to shut down: "Windows must now restart because the Remote Procedure Call Service terminated unexpectedly".

    However, I was able to run Ad-Aware long enough to delete the culprit. However, when I ran Ad-Aware and Spybot at the start of bootup, there was a file that couldn't be deleted known as SurfSideKick, even at the start. I tried other ways, but this file 020 - appinit_dlls:repairs302972943.dll can't be deleted by HijackThis.

    It's getting annoying and I can't get any work done with these annoying pop-ups appearing.

    Thanks in advance
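Reading a log like the one above by hand means hunting for the few lines that re-infect the box on every boot: the F2 Shell/UserInit chain (Winlogon starts every comma-separated entry, so the extra executables are a second shell), the O20 AppInit_DLLs value (mapped into every process that loads user32.dll), the O18 text/html filter (sits in front of every page IE renders), an O4 entry that launches iexplore.exe straight onto a URL, and a Windows binary name such as msconfig.exe running from the user's Application Data. The script below is an added example written for this thread; it is not part of HijackThis or of the original post. It scores a constructed subset of the posted log with its own heuristics, and the Windows directory, the masquerade name list, the System32 allowlist and the high/review labels are all assumptions:

```python
"""Triage a HijackThis 1.99 log for the persistence points that matter most.
Added example: not from the thread and not HijackThis's own logic; severity
rules are heuristics.  SAMPLE_LOG is a constructed subset of the posted log;
WINDIR assumes a default XP install."""
from __future__ import annotations
import re
from dataclasses import dataclass

WINDIR = r"c:\windows"
# Windows binary names that droppers reuse from odd directories (assumed list).
SYSTEM_BINARY_NAMES = {"msconfig.exe", "svchost.exe", "explorer.exe", "userinit.exe",
                       "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32_AUTORUN_OK = {"ctfmon.exe", "rundll32.exe"}   # loose System32 autoruns that are normal

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)( \(HKLM\))?$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pjksr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,berwcrq.exe
O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [Teei] "C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe" -vt mt
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
O20 - AppInit_DLLs: repairs303169590.dll
"""


@dataclass
class Finding:
    severity: str   # "high" or "review"
    reason: str
    line: str


def split_command(command: str) -> tuple[str, str]:
    """Split an O4 command into (image, arguments), honouring a quoted image path."""
    command = command.strip()
    end = command.find('"', 1) if command.startswith('"') else -1
    if end > 0:
        return command[1:end], command[end + 1:].strip()
    image, _, args = command.partition(" ")
    return image, args.strip()


def split_path(path: str) -> tuple[str, str]:
    """Lower-cased (directory incl. trailing backslash, basename); ('', name) for bare names."""
    head, sep, tail = path.strip().lower().rpartition("\\")
    return head + sep, tail


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_by_dll: dict[str, str] = {}   # lower-cased DLL path -> BHO name, for O18 correlation
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            key, value = m.groups()
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            # Winlogon starts every comma-separated entry, so any extra one is a second "shell".
            extra = [p.strip() for p in value.split(",") if p.strip() and split_path(p)[1] != expected]
            if extra:
                findings.append(Finding("high", f"Winlogon {key} chain also launches: {', '.join(extra)}", line))
        elif m := O2_RE.match(line):
            name, _clsid, dll = m.groups()
            bho_by_dll[dll.strip().lower()] = name
        elif m := O4_RE.match(line):
            image, args = split_command(m.group(4))
            dirname, base = split_path(image)
            if base in SYSTEM_BINARY_NAMES and dirname and not dirname.startswith(WINDIR + "\\"):
                findings.append(Finding("high", f"{base} is a Windows binary name but runs from {dirname} (masquerade)", line))
            elif base == "iexplore.exe" and "http" in args.lower():
                findings.append(Finding("high", "autorun opens Internet Explorer straight onto a URL (ad loader)", line))
            elif dirname == WINDIR + "\\":
                findings.append(Finding("review", "autorun image dropped loose in the Windows directory", line))
            elif dirname == WINDIR + "\\system32\\" and base not in SYSTEM32_AUTORUN_OK:
                findings.append(Finding("review", "loose .exe autorun from System32; check publisher/signature", line))
            elif "\\docume~1\\" in dirname or "\\documents and settings\\" in dirname:
                findings.append(Finding("review", "autorun image lives under a user profile", line))
        elif m := O15_RE.match(line):
            host, hklm = m.groups()
            scope = "machine-wide" if hklm else "this user only"
            findings.append(Finding("review", f"{host} is in Trusted sites ({scope}); script/ActiveX limits relaxed", line))
        elif m := O18_RE.match(line):
            mime, _clsid, dll = m.groups()
            if mime.lower() in {"text/html", "text/plain", "text/xml"}:
                reason = f"MIME filter on {mime} can rewrite every page IE renders"
                if bho := bho_by_dll.get(dll.strip().lower()):
                    reason += f"; same DLL is also loaded as BHO '{bho}'"
                findings.append(Finding("high", reason, line))
        elif m := O20_RE.match(line):
            if dll := m.group(1).strip():   # loaded into every process that maps user32.dll
                findings.append(Finding("high", f"AppInit_DLLs injects {dll} into every GUI process", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports six high and three review findings; the Google toolbar BHO and the IntelliType autorun produce none. The O18 correlation is the one worth keeping: v199.dll is registered both as a BHO and as the text/html MIME filter in the log above, so it sees every page before IE renders it.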
     
  2. MFDnNC - Joined: Sep 7, 2004 - Messages: 49,014
    1. Download this file:

    http://download.bleepingcomputer.com/sUBs/combofix.exe
    http://www.techsupportforum.com/sectools/combofix.exe

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    ===========================

    download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
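DelDomains.inf resets the zone lists wholesale by deleting the ZoneMap\Domains keys under HKCU and HKLM, which is why the note above says SpywareBlaster and IE-SPYAD protection has to be re-applied afterwards: those tools store their Restricted-sites entries in the same keys. The example below is added here and is neither the mvps.org file nor anything from the thread; it builds an INF that removes only the domains named by HijackThis O15 lines, so unrelated entries survive. The ZoneMap layout it assumes (a key per registrable domain, subdomains as child keys, the zone number held in a "*" or "http" DWORD with 2 meaning Trusted sites) and the two-label domain split are assumptions stated in the docstring:

```python
"""Targeted alternative to DelDomains.inf: build an INF whose DelReg section removes
only the ZoneMap entries that HijackThis reported as O15 lines.
Added example, not from the thread or from mvps.org.  Assumptions: the ZoneMap
layout is IE 6's (Domains\<domain>[\<subdomain>], value "*" or "http" = zone
DWORD, 2 = Trusted sites) and a registrable domain is its last two labels."""
from __future__ import annotations
import re

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)( \(HKLM\))?$")

# Constructed sample: three O15 lines copied from the log posted above.
SAMPLE_O15 = """O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
"""


def zonemap_key(entry: str) -> str:
    """Subkey under ZoneMap\\Domains for an O15 host pattern.
    '*.systemdoctor.com' -> 'systemdoctor.com' (the wildcard lives on the domain key itself)
    'download.systemdoctor.com' -> 'systemdoctor.com\\download' (a subdomain is a child key)"""
    host = entry.lower()
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    return ".".join(labels[-2:]) + "\\" + ".".join(labels[:-2])


def parse_o15(log_text: str) -> list[tuple[str, str]]:
    """(hive, host) pairs; HJT tags machine-wide entries with '(HKLM)', the rest are HKCU."""
    pairs = []
    for line in log_text.splitlines():
        if m := O15_RE.match(line.strip()):
            pairs.append(("HKLM" if m.group(2) else "HKCU", m.group(1)))
    return pairs


def build_delreg_inf(log_text: str) -> str:
    """INF text: right-click > Install runs [DefaultInstall]; a DelReg entry with no
    value name deletes that key and everything beneath it, so the wildcard and any
    subdomain forms of a listed domain go, and every other ZoneMap entry stays."""
    out = ["[version]", 'signature="$CHICAGO$"', "", "[DefaultInstall]",
           "DelReg=ZoneMapCleanup", "", "[ZoneMapCleanup]"]
    for hive, host in sorted(set(parse_o15(log_text))):
        out.append(f'{hive},"{ZONEMAP}\\{zonemap_key(host)}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_delreg_inf(SAMPLE_O15), end="")
```

Install the generated file the same way as DelDomains.inf (right-click, Install, with Internet Explorer closed); the HKLM lines need an administrator account, and a fresh HijackThis scan afterwards should show the O15 lines gone.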
     
  3. BlueNameless (Thread Starter) - Joined: Mar 31, 2006 - Messages: 21
    Start Time= Fri 07/21/2006 10:19:46.17
    Running from: C:\Documents and Settings\rozsalie rigon\Desktop

    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

    10:21:21.62

    Not all files found by this method are bad. There may be legitimate files found
    This log should be examined by a trained analyst


    * * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\System32\yytorm.exe
    C:\WINDOWS\System32\pjksr.exe
    C:\WINDOWS\system32\berwcrq.exe



    No infected Qoologic files found. Reg entries were fixed


    (((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\repairs303169590.dll
    C:\Documents and Settings\rozsalie rigon\Application Data\Sskdmns.dll
    C:\Documents and Settings\rozsalie rigon\Application Data\Sskknwrd.dll
    C:\Documents and Settings\rozsalie rigon\Local Settings\Temporary Internet Files\Ssk.log
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\Program Files\SurfSideKick 3\SskBho.dll
    C:\Program Files\SurfSideKick 3\SskCore.dll
    C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf
    C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-0B8C9B49.pf
    C:\WINDOWS\system32\bk.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    10:22:49.21
    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



    2006-07-21 10:15 266 C:\WINDOWS\xuaui.dll
    2006-07-20 15:23 231 C:\WINDOWS\system.ini
    2006-07-20 15:04 <DIR> C:\Program Files\e2g
    2006-07-20 13:26 53,248 C:\WINDOWS\system32\inicfg32.dll
    2006-07-20 12:49 32,540 C:\WINDOWS\system32\adrot-uninst.exe
    2006-07-20 12:40 32,976 C:\WINDOWS\system32\uninsticn.exe
    2006-07-20 12:37 77,824 C:\WINDOWS\system32\tcmypt.exe
    2006-07-20 12:37 57,344 C:\WINDOWS\kiuj0v.exe
    2006-07-20 12:37 5,632 C:\WINDOWS\pi1_36.exe
    2006-07-20 12:37 45,996 C:\WINDOWS\system32\unirimon.exe
    2006-07-20 12:37 45,056 C:\WINDOWS\system32tfthot.exe
    2006-07-20 12:37 39,424 C:\WINDOWS\mtuninst.exe
    2006-07-20 12:37 380,928 C:\WINDOWS\system32\winnb58.dll
    2006-07-20 12:37 32,768 C:\WINDOWS\unstall.exe
    2006-07-20 12:37 319,294 C:\WINDOWS\yoinsi.exe
    2006-07-20 12:37 28,672 C:\WINDOWS\system32ftuninst.exe
    2006-07-20 12:37 28,672 C:\WINDOWS\system32\hvzead7v.exe
    2006-07-20 12:37 28,672 C:\WINDOWS\system32\ftuninst.exe
    2006-07-20 12:37 248 C:\WINDOWS\mm06y.ini
    2006-07-20 12:37 24,576 C:\WINDOWS\system32\msxml3a.dll
    2006-07-20 12:37 208,896 C:\WINDOWS\system32\v199.dll
    2006-07-20 12:37 2 C:\WINDOWS\system32\wapisvtr.exe
    2006-07-20 12:37 175,362 C:\Program Files\Common Files\elitemediagroupoinuninstaller.exe
    2006-07-20 12:37 156,672 C:\WINDOWS\system32\oins.exe
    2006-07-20 12:37 129,649 C:\WINDOWS\elpp100drop.exe
    2006-07-20 12:37 0 C:\Documents and Settings\rozsalie rigon\Application Data\internaldb41.dat
    2006-07-20 12:37 <DIR> C:\Program Files\elticons
    2006-07-20 12:37 <DIR> C:\Program Files\common files
    2006-07-20 12:37 <DIR> C:\Documents and Settings\rozsalie rigon\Application Data\s?stem ( sstem~1 )
    2006-07-20 12:36 51,712 C:\WINDOWS\system32\fhtoiuc.dll
    2006-07-20 12:36 45,056 C:\WINDOWS\zuckdha.exe
    2006-07-20 12:36 36,864 C:\WINDOWS\thiselt.exe
    2006-07-20 12:36 359,634 C:\WINDOWS\media_motor_bundle.exe
    2006-07-20 12:36 28,672 C:\WINDOWS\system32\pjksr.exe
    2006-07-20 12:36 23,552 C:\WINDOWS\system32\berwcrq.exe
    2006-07-20 12:36 127,488 C:\WINDOWS\system32\yytorm.exe
    2006-07-20 12:32 14,617 C:\WINDOWS\xload.exe
    2006-07-19 10:20 <DIR> C:\Program Files\jade
    2006-07-13 11:30 <DIR> C:\Program Files\winrar
    2006-07-11 15:52 <DIR> C:\Program Files\lavasoft
    2006-07-11 15:52 <DIR> C:\Documents and Settings\rozsalie rigon\Application Data\lavasoft
    2006-07-11 15:50 <DIR> C:\Program Files\bfg
    2006-07-11 11:13 <DIR> C:\Program Files\forms on cd
    2006-07-11 11:12 729,088 C:\WINDOWS\iun6002.exe
    2006-07-03 10:53 24,576 C:\WINDOWS\system32\xd7ehbkw.exe
    2006-07-03 10:53 1,142,784 C:\WINDOWS\system32\bdpn.exe
    2006-06-29 03:24 83,456 C:\WINDOWS\system32\nst31d.dll
    2006-06-21 16:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
    2006-06-21 16:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
    2006-06-20 18:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
    2006-06-19 09:41 <DIR> C:\Program Files\yahoo!
    2006-06-10 15:23 <DIR> C:\Program Files\spybot - search & destroy
    2006-06-10 15:15 <DIR> C:\Program Files\cursorzone
    2006-06-10 14:40 446,826 C:\WINDOWS\system32\perfstringbackup.ini
    2006-06-09 14:41 <DIR> C:\Documents and Settings\rozsalie rigon\Application Data\microsoft
    2006-06-09 14:40 <DIR> C:\Program Files\msn messenger
    2006-06-09 14:37 24,576 C:\WINDOWS\system32\rmoc3260.dll
    2006-06-09 14:37 <DIR> C:\Program Files\hewlett-packard
    2006-06-09 14:36 <DIR> C:\Documents and Settings\rozsalie rigon\Application Data\real
    2006-06-06 09:03 60,416 C:\WINDOWS\system32\adrotate.dll


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-20 13:26 53,248 C:\WINDOWS\system32\inicfg32.dll
    2006-07-20 12:49 32,540 C:\WINDOWS\system32\adrot-uninst.exe
    2006-07-20 12:37 77,824 C:\WINDOWS\system32\tcmypt.exe
    2006-07-20 12:37 57,344 C:\WINDOWS\kiuj0v.exe
    2006-07-20 12:37 5,632 C:\WINDOWS\pi1_36.exe
    2006-07-20 12:37 45,996 C:\WINDOWS\system32\UnIrimon.exe
    2006-07-20 12:37 45,056 C:\WINDOWS\System32tfthot.exe
    2006-07-20 12:37 39,424 C:\WINDOWS\mtuninst.exe
    2006-07-20 12:37 32,768 C:\WINDOWS\unstall.exe
    2006-07-20 12:37 319,294 C:\WINDOWS\YOINSI.exe
    2006-07-20 12:37 28,672 C:\WINDOWS\System32ftuninst.exe
    2006-07-20 12:37 28,672 C:\WINDOWS\system32\hvzead7v.exe
    2006-07-20 12:37 28,672 C:\WINDOWS\system32\ftuninst.exe
    2006-07-20 12:37 248 C:\WINDOWS\mm06y.ini
    2006-07-20 12:37 24,576 C:\WINDOWS\system32\xd7ehbkw.exe
    2006-07-20 12:37 24,576 C:\WINDOWS\system32\msxml3a.dll
    2006-07-20 12:37 208,896 C:\WINDOWS\system32\v199.dll
    2006-07-20 12:37 2 C:\WINDOWS\system32\wapisvtr.exe
    2006-07-20 12:37 156,672 C:\WINDOWS\system32\oins.exe
    2006-07-20 12:37 129,649 C:\WINDOWS\elpp100drop.exe
    2006-07-20 12:37 1,142,784 C:\WINDOWS\system32\bdpn.exe
    2006-07-20 12:36 51,712 C:\WINDOWS\system32\fhtoiuc.dll
    2006-07-20 12:36 45,056 C:\WINDOWS\zuckdha.exe
    2006-07-20 12:36 380,928 C:\WINDOWS\system32\WinNB58.dll
    2006-07-20 12:36 36,864 C:\WINDOWS\thiselt.exe
    2006-07-20 12:36 359,634 C:\WINDOWS\media_motor_bundle.exe
    2006-07-20 12:36 32,976 C:\WINDOWS\system32\uninstIcn.exe
    2006-07-20 12:36 28,672 C:\WINDOWS\system32\pjksr.exe
    2006-07-20 12:36 266 C:\WINDOWS\xuaui.dll
    2006-07-20 12:36 23,552 C:\WINDOWS\system32\berwcrq.exe
    2006-07-20 12:36 14,617 C:\WINDOWS\xload.exe
    2006-07-20 12:36 127,488 C:\WINDOWS\system32\yytorm.exe
    2006-06-29 03:24 83,456 C:\WINDOWS\system32\nst31D.dll
    2006-06-21 16:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
    2006-06-21 16:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "POINTER"="point32.exe"
    "IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
    "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "EssSpkPhone"="essspk.exe"
    "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "xload"="\"C:\\WINDOWS\\xload.exe\""
    "webHancer Survey Companion"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
    "pop06apelt"="C:\\WINDOWS\\thiselt.exe"
    "ftexc"="C:\\WINDOWS\\System32\\mptft.exe"
    "kSPYv"="\"C:\\WINDOWS\\System32\\bdpn.exe\""
    "pop06ap"="C:\\WINDOWS\\pop06ap2.exe"
    "adstart"="iexplore.exe http://iesettingsupdate"
    "yqxgrk"="C:\\WINDOWS\\System32\\yytorm.exe reg_run"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"
    "Teei"="\"C:\\DOCUME~1\\ROZSAL~1\\APPLIC~1\\SSTEM~1\\msconfig.exe\" -vt mt"
    "tcmypt"="C:\\WINDOWS\\System32\\tcmypt.exe"
    "irssyncd"="C:\\WINDOWS\\System32\\irssyncd.exe"
    "unfhs"="C:\\WINDOWS\\System32\\yytorm.exe reg_run"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    "flags"=dword:00000008

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "tcmypt"="C:\\WINDOWS\\System32\\tcmypt.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "tcmypt"="C:\\WINDOWS\\System32\\tcmypt.exe"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



    Contents of the 'Scheduled Tasks' folder

    Completion time: Fri 07/21/2006 10:22:53.01
    ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

    ComboFix.txt

    ==================
    Logfile of HijackThis v1.99.1
    Scan saved at 10:27:34 AM, on 7/21/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\SUPERVOC\PROGRAM\PICPMON.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\xload.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\System32\bdpn.exe
    C:\WINDOWS\System32\xd7ehbkw.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\tcmypt.exe
    C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe
    C:\WINDOWS\System32\tcmypt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\rozsalie rigon\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http: \\www.gcscanada.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20069&k=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pjksr.exe
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,berwcrq.exe
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
    O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Teei] "C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe" -vt mt
    O4 - HKCU\..\Run: [tcmypt] C:\WINDOWS\System32\tcmypt.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\RunOnce: [tcmypt] C:\WINDOWS\System32\tcmypt.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http: \\www.gcscanada.com
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.snipernet.us
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.snipernet.us (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://abmls.mlxchange.com/Control/FileCruiser.cab
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://abmls.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://abmls.mlxchange.com/Control/SISC.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56281C46-2A92-45F1-863D-E214733EB2D6} - http://www.cursorzone.com/cursors/cross_setup_td035.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100224077377
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://abmls.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://abmls.mlxchange.com/Control/AspCustomCtrls.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ROZSAL~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
    O20 - AppInit_DLLs: inicfg32.dll
    O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg118.dll (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    The pops seem to have stopped for a bit. I rebooted the computer but at the start this website pops up, iesettingupdates or something, and I think it has something to do with surfside. Any way to delete that, or just run Ad-Aware and Search and Destroy?

    EDIT: They're still occurring but not at the same magnitude as before.

    EDIT2: There seems to be a problem running Ad-Aware; the computer wants to shut down when it touches inicfg32.dll and Ad-Aware can't seem to fix it properly.
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go to http://www.atribune.org/ccount/click.php?id=7 to download Look2Me-Destroyer.exe and save it to your desktop.
    · Close all windows before continuing.
    · Double-click Look2Me-Destroyer.exe to run it.
    · Click the Scan for L2M button; your desktop icons will disappear, this is normal.
    · Once it's done scanning, click the Remove L2M button.
    · You will receive a Done Scanning message, click OK.
    · When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    · Your computer will then shutdown.
    · Turn your computer back on.
    · Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
    =========================

    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
    ===================

    Download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
     
  5. BlueNameless

    BlueNameless Thread Starter

    Joined:
    Mar 31, 2006
    Messages:
    21
    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 2006-07-21 12:07:03

    Infected! C:\WINDOWS\system32\msg118.dll

    Attempting to delete infected files...

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
    =========
    Logfile of HijackThis v1.99.1
    Scan saved at 1:47:12 PM, on 7/21/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\SUPERVOC\PROGRAM\PICPMON.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\System32\bdpn.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\System32\xd7ehbkw.exe
    C:\WINDOWS\System32\tcmypt.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\tcmypt.exe
    C:\PROGRA~1\COMMON~1\CROSOF~1\NLOOKU~1.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\rozsalie rigon\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http: \\www.gcscanada.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pjksr.exe
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,berwcrq.exe
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [yqxgrk] C:\WINDOWS\System32\yytorm.exe reg_run
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Teei] "C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe" -vt mt
    O4 - HKCU\..\Run: [tcmypt] C:\WINDOWS\System32\tcmypt.exe
    O4 - HKCU\..\Run: [Fcckyn] C:\PROGRA~1\COMMON~1\CROSOF~1\NLOOKU~1.EXE
    O4 - HKCU\..\RunOnce: [tcmypt] C:\WINDOWS\System32\tcmypt.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http: \\www.gcscanada.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.sxload.com
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://abmls.mlxchange.com/Control/FileCruiser.cab
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://abmls.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://abmls.mlxchange.com/Control/SISC.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56281C46-2A92-45F1-863D-E214733EB2D6} - http://www.cursorzone.com/cursors/cross_setup_td035.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100224077377
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://abmls.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://abmls.mlxchange.com/Control/AspCustomCtrls.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ROZSAL~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
    O20 - AppInit_DLLs: inicfg32.dll C:\WINDOWS\System32\iexplore.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    Sweeper didn't exactly follow what you said, but it deleted some critical adware programs. I couldn't save a summary as it rebooted.

    I'm still suffering popups that are crashing the computer. This is getting ridiculous!
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Please download E2TakeOut by Rubber Ducky from here:

    http://www.malwarebytes.org/E2TakeOut.zip
    · Extract the file to your Desktop
    · Double click E2TakeOut.exe
    · Click the Begin Removal button
    · Wait until the program is finished scanning
    · Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
    · Reboot your computer
    · Once your computer has rebooted E2TakeOut will open and produce a report
    · Please copy/paste that report into your next reply
    =============
    http://www.majorgeeks.com/download5175.html follow the directions there
    ============================
    You may want to print this or save it to notepad as we will go to safe mode.

    Download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
    =============================

    Fix these with HJT – mark them, close IE, click fix checked

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pjksr.exe

    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,berwcrq.exe

    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll

    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe

    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"

    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate

    O4 - HKLM\..\Run: [yqxgrk] C:\WINDOWS\System32\yytorm.exe reg_run

    O4 - HKCU\..\Run: [Teei] "C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe" -vt mt

    O4 - HKCU\..\Run: [tcmypt] C:\WINDOWS\System32\tcmypt.exe

    O4 - HKCU\..\Run: [Fcckyn] C:\PROGRA~1\COMMON~1\CROSOF~1\NLOOKU~1.EXE

    O4 - HKCU\..\RunOnce: [tcmypt] C:\WINDOWS\System32\tcmypt.exe


    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ROZSAL~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll

    O20 - AppInit_DLLs: inicfg32.dll C:\WINDOWS\System32\iexplore.dll


    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\iexplore.dll
    C:\WINDOWS\System32\iexplore.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\System32\bdpn.exe
    C:\WINDOWS\System32\yytorm.exe
    C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1
    C:\PROGRA~1\COMMON~1\CROSOF~1
    C:\WINDOWS\System32\tcmypt.exe


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
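    The HJT fix list above keys on a handful of persistence points: F2 Shell/UserInit, O4 autoruns, O15 Trusted Zone domains, O16 ActiveX downloads, O18 MIME filters and O20 AppInit_DLLs/Winlogon Notify. As an added example that is not from the thread or from HijackThis itself, the Python below parses log lines in that format and flags those entries; the sample lines are copied from this thread's logs, except the Windows Update URL, which is constructed.

```python
"""Triage a HijackThis v1.99 log for the persistence points used in this thread.

Added example, not a tool from the thread. It only parses text and changes
nothing on the machine. SAMPLE_LOG is copied from the logs posted in the thread,
except the Windows Update URL, which is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pjksr.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,berwcrq.exe
O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [Teei] "C:\DOCUME~1\ROZSAL~1\APPLIC~1\SSTEM~1\msconfig.exe" -vt mt
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/wuweb_site.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
O20 - AppInit_DLLs: inicfg32.dll C:\WINDOWS\System32\iexplore.dll
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg118.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.*)$")
AUTORUN = re.compile(r"Run(?:Once)?: \[[^\]]*\]\s*(?P<cmd>.*)$")
# 8.3 short names under the user profile and temp folders are where the droppers
# in this thread lived (APPLIC~1\SSTEM~1, LOCALS~1\Temp).
SUSPECT_PATH = re.compile(r"DOCUME~1|APPLIC~1|LOCALS~1|\\Temp\\", re.IGNORECASE)
IE_ON_URL = re.compile(r'^"?iexplore\.exe"?\s+https?://', re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


def check_line(raw: str):
    """Return a Finding for one log line, or None when there is nothing to flag."""
    m = ENTRY.match(raw.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    if "(no file)" in body:
        return Finding(tag, "orphaned entry: registry still points at a missing file", raw)
    if tag == "F2":
        # Defaults are "Shell=Explorer.exe" and "UserInit=<path>\userinit.exe," alone.
        if body.startswith("REG:system.ini: Shell="):
            if body.split("=", 1)[1].strip().lower() != "explorer.exe":
                return Finding(tag, "extra Shell executable starts alongside Explorer", raw)
        elif body.startswith("REG:system.ini: UserInit="):
            parts = [p.strip() for p in body.split("=", 1)[1].split(",")]
            extra = [p for p in parts if p and not p.lower().endswith("userinit.exe")]
            if extra:
                return Finding(tag, "extra UserInit executable: " + ", ".join(extra), raw)
    elif tag == "O4":
        a = AUTORUN.search(body)
        if a and SUSPECT_PATH.search(a.group("cmd")):
            return Finding(tag, "autorun launched from a profile or temp path", raw)
        if a and IE_ON_URL.match(a.group("cmd")):
            return Finding(tag, "autorun opens Internet Explorer on a URL at logon", raw)
    elif tag == "O15":
        return Finding(tag, "domain in Trusted Zone (relaxed IE security); DelDomains.inf resets", raw)
    elif tag == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        host = (urlparse(url).hostname or "").lower()
        if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
            return Finding(tag, f"ActiveX control from {host or 'non-http source'}; confirm you use it", raw)
    elif tag == "O18" and body.startswith("Filter: text/html"):
        return Finding(tag, "MIME filter on text/html sees every page IE renders", raw)
    elif tag == "O20":
        if body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                return Finding(tag, "AppInit_DLLs injected into every user32 process: " + ", ".join(dlls), raw)
        elif body.startswith("Winlogon Notify:") and "(file missing)" in body:
            return Finding(tag, "Winlogon Notify package whose DLL is missing (removed or hidden)", raw)
    return None


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole log and keep only the flagged entries."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Benign entries such as the NVIDIA service, the Webroot Winlogon Notify DLL and the Windows Update control pass through unflagged; everything the helper listed for fixing is reported.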
     
  7. BlueNameless

    BlueNameless Thread Starter

    Joined:
    Mar 31, 2006
    Messages:
    21
    Aye

    Logfile of HijackThis v1.99.1
    Scan saved at 5:56:43 PM, on 7/21/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\SUPERVOC\PROGRAM\PICPMON.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\rozsalie rigon\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http: \\www.gcscanada.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http: \\www.gcscanada.com
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://abmls.mlxchange.com/Control/FileCruiser.cab
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://abmls.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://abmls.mlxchange.com/Control/SISC.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {56281C46-2A92-45F1-863D-E214733EB2D6} - http://www.cursorzone.com/cursors/cross_setup_td035.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100224077377
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://abmls.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://abmls.mlxchange.com/Control/AspCustomCtrls.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    The system seems fine now, the iesettingsupdate is no longer bugging me and the pop-ups seem to have stopped and hopefully that'll stay.

    Qoofix
    Qoofix v1.02 by http://www.malwarebytes.org
    Scan started on [7/21/2006] at [5:27:58 PM]
    -------------------------------------------------------------
    No malicious modules found!
    -------------------------------------------------------------
    No Qoologic infected files found!
    -------------------------------------------------------------
    Scan COMPLETED SUCCESSFULLY on [7/21/2006] at [5:29:24 PM]

    Note: Some registry keys may have been removed.


    E2Takeout
    E2TakeOut v1.01 [http://www.malwarebytes.org]

    Removed! C:\WINDOWS\System32\inicfg32.dll
    Removed directory and files! C:\Program Files\E2G
    Removed orphaned leftovers
    AppInit key reset

    Personally, I think the methods you proposed starting with the Spysweeper was what took this down. These last methods you proposed appear to have "cleaned up" the mess left behind.

    Thank you

    I'm going to give this a few more hours and wait and see if there are any more pop-ups, just in case, before I tick solved.
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
Short URL to this thread: https://techguy.org/484906