1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: internet explorer/trojans

Discussion in 'Virus & Other Malware Removal' started by tooearly80, Jun 29, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    Hello,
    I use Firefox exclusively and have not touched Internet Explorer for about 18 months. However, lately I've been getting pop-ups (campusdirt, jack9, eBay, antivirus software, etc) from out of nowhere in IE windows. I have AntiVir Guard and it keeps alerting me to trojan horses, which I quarantine. I recently downloaded HJT and ran a scan. The log is below.

    Hope someone can help!

    Logfile of HijackThis v1.99.1
    Scan saved at 3:39:48 PM, on 6/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\djciimqm.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\yxabwfcm.dll",realset
    O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\djciimqm.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\djciimqm.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    YOur Ewido is out of date and has been replaced with AVG AS 7.5 (Not their AV)
    http://www.ewido.net/en/download/

    ==============================
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while its running. That may cause it to stall
    ====================

    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.
     
  3. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    Hello,

    I did what you asked! The first post is the combofix log, and the second post is the SuperAntiSpyware and HiJackThis logs.


    ComboFix 07-06-18.2 - C:\Documents and Settings\Jason\Desktop\ComboFix.exe
    "Jason" - 2007-06-29 22:15:01 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\geedd.dll
    C:\WINDOWS\system32\lryrgvba.dll
    C:\WINDOWS\system32\lvmqwneg.dll
    C:\WINDOWS\system32\rbjrrmrk.dll
    C:\WINDOWS\system32\sjqqfmci.dll
    C:\WINDOWS\system32\wnsowolj.dll
    C:\WINDOWS\system32\yxabwfcm.dll
    C:\WINDOWS\SYSTEM32\ddeeg.ini
    C:\WINDOWS\SYSTEM32\abvgryrl.ini
    C:\WINDOWS\SYSTEM32\genwqmvl.ini
    C:\WINDOWS\SYSTEM32\krmrrjbr.ini
    C:\WINDOWS\SYSTEM32\icmfqqjs.ini
    C:\WINDOWS\SYSTEM32\nqstv.bak1
    C:\WINDOWS\SYSTEM32\nqstv.bak2
    C:\WINDOWS\SYSTEM32\nqstv.ini2
    C:\WINDOWS\SYSTEM32\jlowosnw.ini
    C:\WINDOWS\SYSTEM32\mcfwbaxy.ini
    C:\WINDOWS\SYSTEM32\nqstv.bak1
    C:\WINDOWS\SYSTEM32\nqstv.bak2
    C:\WINDOWS\SYSTEM32\nqstv.ini2
    C:\WINDOWS\SYSTEM32\nqstv.bak1
    C:\WINDOWS\SYSTEM32\nqstv.bak2
    C:\WINDOWS\SYSTEM32\nqstv.ini2
    C:\WINDOWS\system32\vtsqn.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\info.txt
    C:\WINDOWS\tool3.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


    2007-06-29 22:12 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-28 06:28 2,580 --a------ C:\WINDOWS\SYSTEM32\jfajjfeu.exe
    2007-06-27 21:54 122,900 --a------ C:\WINDOWS\SYSTEM32\djciimqm.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-17 23:05:01 -------- d-----w C:\Program Files\Soulseek
    2007-06-13 16:14:41 -------- d-----w C:\DOCUME~1\Jason\APPLIC~1\U3
    2007-06-12 22:04:17 -------- d-----w C:\Program Files\Google
    2007-06-12 22:04:17 -------- d-----w C:\Program Files\FlashGet
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-14 05:09:57 24 ----a-w C:\WINDOWS\system32\sysogg.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2005-01-15 05:51:23 0 -csha-w C:\WINDOWS\atzbd.dll
    2004-11-28 18:11:45 5,784 -csha-w C:\WINDOWS\winkf32.exe
    2004-08-16 10:50:00 0 -csha-w C:\WINDOWS\SYSTEM32\nvhfk.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-26 17:34]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-02-19 07:36]
    "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WheresJames Startup Manager"="C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe" [2005-12-29 21:41]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "DDC"="C:\WINDOWS\system32\djciimqm.exe" [2007-06-27 21:55]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoColorChoice"=0 (0x0)
    "NoSizeChoice"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoVisualStyleChoice"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktopChanges"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSaveSettings"=0 (0x0)
    "NoThemesTab"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\WINDOWS\desktop.html
    FriendlyName= Security

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-11-15 12:12]
    "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 07:21]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avinet]
    C:\WINDOWS\avinet.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayxy]
    ddcayxy.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuts]
    vtuts.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start

    Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start

    Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start

    Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start

    Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53ES34R]
    psa32spl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader5wxu1OMgMbLV]
    "C:\WINDOWS\System32\psa32spl.exe" /PC="CP.IST" /ShowLegalNote="nonbranded" /UninstallName="CtxPls"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d3ic32.exe]
    C:\WINDOWS\d3ic32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
    "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel system tool]
    C:\WINDOWS\System32\hookdump.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\K0x2RQdqX]
    dmdpstui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    C:\WINDOWS\System32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntax32.exe]
    C:\WINDOWS\system32\ntax32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntpi32.exe]
    C:\WINDOWS\system32\ntpi32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    "C:\Program Files\Dell\Media Experience\PCMService.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdkge.exe]
    C:\WINDOWS\system32\sdkge.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
    "C:\Program Files\JUSearch\juspc.exe" -w

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysco.exe]
    C:\WINDOWS\system32\sysco.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMemory manager]
    c:\windows\system32\mdms.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\User Manager]
    C:\WINDOWS\system32\Cat\csrss.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service]
    C:\WINDOWS\System32\prvdi.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    C:\Program Files\Microsoft Works\wkfud.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\LaunchU3.exe -a

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT

    Contents of the 'Scheduled Tasks' folder
    2007-06-26 16:24:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2004-02-25 00:24:14 C:\WINDOWS\tasks\ISP signup reminder 1.job
    2007-06-30 03:37:12 C:\WINDOWS\tasks\McAfee.com Update Check (D6C5VD41-Owner).job
    2007-06-30 03:37:16 C:\WINDOWS\tasks\McAfee.com Update Check (MONKEY-Britt).job
    2007-06-30 03:31:03 C:\WINDOWS\tasks\McAfee.com Update Check (MONKEY-Jason).job
    2004-10-03 20:28:11 C:\WINDOWS\tasks\WebReg 20041003162811.job
    2005-06-14 00:16:05 C:\WINDOWS\tasks\WebReg 20050613201605.job
    2007-03-25 23:01:32 C:\WINDOWS\tasks\WebReg 20070325180131.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-29 22:36:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    ? [776]


    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-06-29 22:41:21 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-29 22:40

    --- E O F ---
     
  4. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/30/2007 at 08:13 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 10:14:08

    Memory items scanned : 449
    Memory threats detected : 1
    Registry items scanned : 10678
    Registry threats detected : 38
    File items scanned : 71779
    File threats detected : 77

    Adware.eZula
    C:\WINDOWS\SYSTEM32\DJCIIMQM.EXE
    C:\WINDOWS\SYSTEM32\DJCIIMQM.EXE

    Parasite.CoolWebSearch Variant
    HKLM\Software\Classes\CLSID\{21E6263F-2874-5A1C-6D04-EE75E88DF9A5}
    HKCR\CLSID\{21E6263F-2874-5A1C-6D04-EE75E88DF9A5}
    HKCR\CLSID\{21E6263F-2874-5A1C-6D04-EE75E88DF9A5}\Data

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{A4838A56-770B-27B8-30FD-9B8732D6F5CE}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
    HKCR\CLSID\{A4838A56-770B-27B8-30FD-9B8732D6F5CE}
    HKCR\CLSID\{A4838A56-770B-27B8-30FD-9B8732D6F5CE}\Data

    Trojan.DELF-NJ
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{6AC3806F-8B39-4746-9C38-6B01CB7331FF}

    ClientMan BHO
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

    Browser Hijacker.Internet Explorer Zone Hijack
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com#*
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com#*
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com#*
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com#*
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com#*
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com#*
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\amaena.com
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\amaena.com#*
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\errorsafe.com
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\errorsafe.com#*
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\imagesrvr.com
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\imagesrvr.com#*
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\winantispyware.com
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\winantispyware.com#*
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\winantivirus.com
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\winantivirus.com#*
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\winfixer.com
    HKU\S-1-5-21-2794210558-3710659932-3734742370-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\ZoneMap\Domains\winfixer.com#*

    Adware.Tracking Cookie
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected]k[2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][3].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected]=1_[2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected]=0_[3].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected]=0_[2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][1].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\cookies\[email protected][2].txt
    C:\Documents and Settings\Jason\Cookies\[email protected][2].txt

    Trojan.SmartFinder
    HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}
    HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\Data
    HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\LocalServer32

    Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
    HKLM\Software\WinAntiVirus Pro 2007
    HKLM\Software\WinAntiVirus Pro 2007#EulUWA7P_0001_N91M0809

    Adware.Viewpoint Toolbar
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA7P_0001_N91M0809NETINSTALLER.EXE

    Trojan.PSA3D
    C:\WINDOWS\SYSTEM32\PS.A3D


    Logfile of HijackThis v1.99.1
    Scan saved at 8:28:08 AM, on 6/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

    7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\djciimqm.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak

    Software Updater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint

    Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

    C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

    http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft

    Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avinet - C:\WINDOWS\avinet.dll (file missing)
    O20 - Winlogon Notify: ddcayxy - ddcayxy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: vtuts - vtuts.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir

    PersonalEdition Classic\avguard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\djciimqm.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

    Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc -

    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You did not get the new Ewido (AVG AS 7.5)

    ============
    Next log - In notepad - go to FORMAT and uncheck Wordwrap


    ----------------------------

    download http://www.mvps.org/winhelp2002/DelDomains.inf with I.E.

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
    ===============
    Add remove programs – remove all occurrences of Viewpoint
    ============
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HiJackThis – mark them, close IE, click fix checked

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\djciimqm.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft

    O20 - Winlogon Notify: avinet - C:\WINDOWS\avinet.dll (file missing)

    O20 - Winlogon Notify: ddcayxy - ddcayxy.dll (file missing)

    O20 - Winlogon Notify: vtuts - vtuts.dll (file missing)

    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\djciimqm.exe (file missing)
    ============
    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find this exact name

    DomainService

    Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

    ============
    DownLoad Killbox from one of these links

    http://www.downloads.subratam.org/KillBox.zip or
    http://www.thespykiller.co.uk/files/killbox.exe

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\system32\djciimqm.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  6. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    Okay, I downloaded and installed the latest version of Ewido.

    The second link you provided (http://www.mvps.org/winhelp2002/DelDomains.inf) takes me to a new window with the following text information. I don't see anything that I can right click and download.

    ; DelDomains.inf © 11-28-04 | Revised 01-15-06
    ; Created by: Mike Burgess Microsoft MVP
    ; http://mvps.org/winhelp2002/
    ;
    ; Warning: Deletes all entries in the Restricted & Trusted Zone list
    ; http://mvps.org/winhelp2002/restricted.htm
    ;
    ; Revised to include the EscDomains key
    ;
    ; To execute this file: in Explorer - right-click (this file)
    ; Select Install from the Menu.
    ; Note: you will not see any onscreen action.

    [version]
    signature="$CHICAGO$"

    [DefaultInstall]
    DelReg=DelTemps
    AddReg=AddTemps

    [DelTemps]
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

    ; Recreate the keys to avoid a restart

    [AddTemps]
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

    Since my last two posts, I have experienced NO pop ups. So far, so good!
     
  7. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    Nevermind! I figured out how to install the DelDomains.inf file. I'll give you an update soon.
     
  8. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    Okay, hopefully I did everything I needed to do this time. Below is the latest HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:08:43 PM, on 6/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Still no pop ups and everything seems to be running smoothly.
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  10. tooearly80

    tooearly80 Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    9
    Done and done! Thanks a million for all your help! Everything is running ridiculously smoothly again with no pop ups.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/590000

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice