Just another &quot;Best Offer&quot; Need for Help!

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Alright - you have several problems with that log just to let you know. It will more than likely take several passes to get it all.

First place I need you to start is download the following tools for me

You can actually use Best Offers Uninstaller here
http://www.bestoffersnetworks.com/uninstall/

CWShredder
http://malwareteks.com/dload.php?action=download&file_id=36

CCleaner
http://www.filehippo.com/download/51b30b1401c95091feb32bb89cfe8bbe/download.html

Ad-Aware SE Personal
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-2

Spybot Search and Destroy
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Ewido
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1

Spysweeper
http://www.malwareteks.com/dload.php?action=download&file_id=5

Pocket Killbox
http://bleepingcomputer.com/files/spyware/KillBox.zip
-Unzip to its own folder

Now since you have Windows XP - I want us to start in Safe Mode with Networking
-Restart your PC
-Repeatedly tap F8 before the "Loading Windows" screen appears
-Choose Safe Mode with Networking
-You will see the screen scroll down - this is normal

Now on to the cleaning...

Open up CCleaner first
-run ONLY the default scan (Windows Tab). Do Not “Scan For Issues unless specifically asked to do so!
-Simply open it and choose Run Cleaner

Open CWShedder
-Run it and let it remove anything it finds

Open Ad-Aware
-Allow it to update to the latest definitions
-Run it and remove everything it finds

Open Spybot
-Allow it to update
-Run it and fix what it finds

Open Ewido
-Click Update>Start Update
-Run it and remove everything it finds
-Save the report at the end and attach it for me when you return

Now Reboot back into Normal Mode

Open Spysweeper
-Allow it to update then run a Sweep
-Let it remove everything it finds
-Please save this log for me and attach it

Now run Kaspersky Online Scanner
http://www.kaspersky.com/scanforvirus.html

Save the log and attach it for me as well.

If you can not get these logs in one post that is fine, use as many posts as necessary.

I need the followingEwido Scan Report
Spysweepers log
Kaspersky's log
New HijackThis log
If you run into trouble with a particular step, just skip it and move on. Let me know when you return any problems you may have encountered

Good Luck :)

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

So this has been a very long process but here are the first two logs for you:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:52:31 PM, 3/15/2006
+ Report-Checksum: 8312C154

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0DB27B81-1712-7464-869A-0E16A2436BED} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3ADF6E21-B4FD-8BC8-10C3-A9846D3FEC69} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7507739F-BC2E-4DC3-B233-816783C25DC9} -> Downloader.Delf : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cliks[4].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cliks[5].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cliks[7].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cliks[8].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cliks[9].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Program Files\mozilla.org\Mozilla\plugins\npzango.dll -> Adware.WinAD : Cleaned with backup
C:\Program Files\TBONBin -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\tbon.exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\TBONInst.cfg -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\TBONUnst.htm -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\TBONWnd.EXE -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\Uninstall.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP498\A0136819.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP498\A0136820.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP498\A0136823.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP499\A0137807.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP500\A0138807.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP502\A0141806.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0141830.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0145420.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0145645.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0145649.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0145787.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0145789.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP503\A0145790.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP504\A0145952.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP504\A0145954.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP504\A0145957.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP504\A0149001.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP504\A0149004.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP504\A0149009.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0149140.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0149143.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0152114.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0152116.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0152117.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0152120.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0152122.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0152124.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0153906.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0153919.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP505\A0153922.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0154150.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0157682.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0157685.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0157687.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0157688.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0159718.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0159720.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0159721.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0161705.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0161707.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0161708.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0161709.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0161711.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0161713.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0164064.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0164074.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0165104.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0165155.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0166151.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP507\A0167151.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP508\A0168151.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP509\A0169151.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP510\A0169501.dll -> Adware.Ihbo : Cleaned with backup
C:\WINDOWS\SYSTEM32\evziw.dll -> Adware.WurldMedia : Cleaned with backup

::Report End

And the Spysweepers:

********
9:59 PM: | Start of Session, Wednesday, March 15, 2006 |
9:59 PM: Spy Sweeper started
9:59 PM: Sweep initiated using definitions version 556
9:59 PM: Starting Memory Sweep
10:02 PM: Memory Sweep Complete, Elapsed Time: 00:03:35
10:02 PM: Starting Registry Sweep
10:02 PM: Found Adware: clipgenie
10:02 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\clipgenie\ (2 subtraces) (ID = 105921)
10:02 PM: Found Adware: coolwebsearch (cws)
10:02 PM: HKCR\interface\{c19eb5b1-fc58-456e-8793-384532ed5970}\ (8 subtraces) (ID = 108398)
10:02 PM: HKLM\software\classes\interface\{c19eb5b1-fc58-456e-8793-384532ed5970}\ (8 subtraces) (ID = 109776)
10:02 PM: Found Adware: cws mastersearch hijacker
10:02 PM: HKCR\clsid\{869ee607-5376-486d-8dac-edc8e239ad5f}\ (2 subtraces) (ID = 117459)
10:02 PM: HKLM\software\classes\clsid\{869ee607-5376-486d-8dac-edc8e239ad5f}\ (2 subtraces) (ID = 117461)
10:02 PM: HKLM\software\microsoft\internet explorer\extensions\{869ee607-5376-486d-8dac-edc8e239ad5f}\ (1 subtraces) (ID = 117462)
10:02 PM: Found Adware: cws_ns3
10:02 PM: HKCR\clsid\{50b9d537-5db0-52b1-ff6f-ed6c70da477e}\ (2 subtraces) (ID = 118189)
10:02 PM: HKLM\software\classes\clsid\{50b9d537-5db0-52b1-ff6f-ed6c70da477e}\ (2 subtraces) (ID = 120046)
10:02 PM: Found Adware: cws searchpage.html hijack
10:02 PM: HKLM\software\microsoft\internet explorer\ || search (ID = 123515)
10:03 PM: Found Adware: heretofind
10:03 PM: HKCR\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (2 subtraces) (ID = 127065)
10:03 PM: Found Adware: spad
10:03 PM: HKCR\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (2 subtraces) (ID = 127065)
10:03 PM: HKLM\software\microsoft\internet explorer\extensions\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (1 subtraces) (ID = 127105)
10:03 PM: HKLM\software\microsoft\internet explorer\extensions\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (1 subtraces) (ID = 127105)
10:03 PM: HKLM\software\classes\clsid\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (2 subtraces) (ID = 127120)
10:03 PM: Found Adware: instant access
10:03 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\egdial.dll (ID = 128823)
10:03 PM: Found Adware: safesurf
10:03 PM: HKLM\software\microsoft\windows\currentversion\ || np (ID = 140392)
10:03 PM: Found Adware: scbar
10:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\data compiler\ (2 subtraces) (ID = 140509)
10:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\indexing function\ (2 subtraces) (ID = 140510)
10:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sbm os\ (2 subtraces) (ID = 140511)
10:03 PM: Found Adware: screensavers
10:03 PM: HKLM\software\screensavers.com\ (ID = 140569)
10:03 PM: Found Adware: websearch toolbar
10:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_esies\ (4 subtraces) (ID = 146511)
10:03 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
10:03 PM: Found Adware: wurldmedia
10:03 PM: HKCR\appid\sostatatl.exe\ (1 subtraces) (ID = 147535)
10:03 PM: HKCR\appid\{dee5d795-a276-43b5-a04a-511149a354f0}\ (1 subtraces) (ID = 147536)
10:03 PM: HKCR\interface\{9603a736-05b9-4d78-bdd5-bdcb0914e522}\ (8 subtraces) (ID = 147565)
10:03 PM: Found Adware: rx toolbar
10:03 PM: HKCR\typelib\{05563f82-69a7-40a6-8670-153b635a7ef6}\ (9 subtraces) (ID = 729573)
10:03 PM: HKLM\software\classes\typelib\{05563f82-69a7-40a6-8670-153b635a7ef6}\ (9 subtraces) (ID = 729652)
10:03 PM: Found Adware: cws-aboutblank
10:03 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
10:03 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\internet explorer\extensions\{869ee607-5376-486d-8dac-edc8e239ad5f}\ (1 subtraces) (ID = 117460)
10:03 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\internet explorer\ || search (ID = 123514)
10:03 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\internet explorer\extensions\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (1 subtraces) (ID = 127080)
10:03 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\internet explorer\extensions\{237aa178-c3bc-4f67-a8bb-d8bc14ba0b89}\ (1 subtraces) (ID = 127080)
10:03 PM: Registry Sweep Complete, Elapsed Time:00:00:46
10:03 PM: Starting Cookie Sweep
10:03 PM: Found Spy Cookie: advertising cookie
10:03 PM: [email]owner@advertising[1].txt[/email] (ID = 2175)
10:03 PM: Found Spy Cookie: atlas dmt cookie
10:03 PM: [email]owner@atdmt[2].txt[/email] (ID = 2253)
10:03 PM: Found Spy Cookie: a cookie
10:03 PM: [email]owner@a[1].txt[/email] (ID = 2027)
10:03 PM: [email]owner@a[4].txt[/email] (ID = 2027)
10:03 PM: Found Spy Cookie: offeroptimizer cookie
10:03 PM: [email]owner@offeroptimizer[2].txt[/email] (ID = 3087)
10:03 PM: [email]owner@offeroptimizer[3].txt[/email] (ID = 3087)
10:03 PM: [email]owner@offeroptimizer[4].txt[/email] (ID = 3087)
10:03 PM: [email]owner@offeroptimizer[7].txt[/email] (ID = 3087)
10:03 PM: Found Spy Cookie: realmedia cookie
10:03 PM: [email]owner@realmedia[2].txt[/email] (ID = 3235)
10:03 PM: Found Spy Cookie: trafficmp cookie
10:03 PM: [email]owner@trafficmp[1].txt[/email] (ID = 3581)
10:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:03 PM: Starting File Sweep
10:04 PM: Found Adware: apropos
10:04 PM: wingenerics.dll (ID = 50187)
10:05 PM: Found Adware: cws_tiny0
10:05 PM: tmupdate.ini:rjteb (ID = 56904)
10:05 PM: ~glh0000.tmp:egqly (ID = 56904)
10:05 PM: ~glh0000.tmp:oewrc (ID = 56904)
10:05 PM: ~glh0000.tmp:rygqah (ID = 56887)
10:06 PM: Found Adware: abetterinternet
10:06 PM: bii.inf (ID = 83197)
10:16 PM: File Sweep Complete, Elapsed Time: 00:12:49
10:16 PM: Full Sweep has completed. Elapsed time 00:17:20
10:16 PM: Traces Found: 132
********
9:56 PM: | Start of Session, Wednesday, March 15, 2006 |
9:56 PM: Spy Sweeper started
9:58 PM: Updating spyware definitions
9:58 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
9:59 PM: Updating spyware definitions
9:59 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
9:59 PM: | End of Session, Wednesday, March 15, 2006 |

The Kaspersky scan is just finishing up and then I will send it as well as the new HiJackThis log.

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Oh...also:
I was unable to do CWShredder. For some reason it did not download right.

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Here are the Kaspersky Logs and the final HijackThis log:
(A couple problems-- When it was complete, I had lost almost all the icons off my desktop. Also, I pay for Acceleration Anti-virus Software every month and the scans that you suggested wiped that off my programs.)
KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 16, 2006 12:47:51 AM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/03/2006
Kaspersky Anti-Virus database records: 171674

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 87788
Number of viruses found 4
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 02:11:38

Infected Object Name Virus Name Last Action
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP510\A0169659.ini:rjteb:$DATA Infected: Trojan-Downloader.Win32.Agent.an skipped

C:\WINDOWS\SYSTEM32\cnbsasn1.exe Infected: Trojan.Win32.Crypt.t skipped

C:\WINDOWS\SYSTEM32\nmerprof.dll Infected: Trojan.Win32.Crypt.t skipped

C:\WINDOWS\SYSTEM32\remove_it.dll Infected: Trojan.Win32.StartPage.ld skipped

C:\WINDOWS\~GLH0000.TMP:jzyvu:$DATA Infected: Trojan-Downloader.Win32.Agent.an skipped

C:\WINDOWS\~GLH0000.TMP:zorxkr:$DATA Infected: Trojan.Win32.Agent.bi skipped

Scan process completed.

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 12:49:47 AM, on 3/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Wave Wireless\Client Manager\cm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ipnb.exe] C:\WINDOWS\system32\ipnb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [37372al0] C:\WINDOWS\System32\37372al0.exe
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [bO²ùðY×y-¯Œ] C:\WINDOWS\yqyxxsx.exe
O4 - HKLM\..\Run: [Bc6w] C:\WINDOWS\yqyxxsx.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoopService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Client Manager.lnk = C:\Program Files\Wave Wireless\Client Manager\cm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131749754187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4713/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD2AF26-8872-48A6-84A7-7BD36CD9ED4C}: NameServer = 204.117.214.10,216.163.120.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Now what?
Thanks,
Debbie

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Did you not let Spysweeper remove what it found? It does not show any signs of quarantining any files...have you used the trial period before?

If you did not get an option to remove, uninstall Spysweeper and reinstall from here
http://www.ianag.com/files/14/SpySweeperTrialSetup_EN-MajorGeeks.exe

Also...try and download CWShredder again from here
http://www.intermute.com/products/cwshredder.html

Afterwards please attach
-CWShredder log
-New Spysweeper log
-New HijackThis log

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

Okay, I hope this is right.
CWShredder log ( I don't think this is what you want...):
CWShredder Log:

**** Run Keys ****

RUN: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
RUN: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
RUN: [ipnb.exe] C:\WINDOWS\system32\ipnb.exe
RUN: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
RUN: [hpsysdrv] c:\windows\system\hpsysdrv.exe
RUN: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
RUN: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
RUN: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
RUN: [37372al0] C:\WINDOWS\System32\37372al0.exe
RUN: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
RUN: [bO²ùðY×y-¯Œ] C:\WINDOWS\yqyxxsx.exe
RUN: [Bc6w] C:\WINDOWS\yqyxxsx.exe
RUN: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
RUN: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
RUN: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
RUN: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
RUN: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
RUN: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
RUN: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe

**** Browser Helper Objects ****

BHO: [] C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx

**** IE Extensions ****

IEExt: []
IEExt: [MoneySide]
IEExt: [Microsoft® JavaScript® Console]
IEExt: [Messenger] C:\Program Files\Messenger\MSMSGS.EXE

**** Hosts File Entries ****

**** IE Settings ****

IEBypass: localhost
Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search: C:\WINDOWS\System32\search.html
Local Page: C:\WINDOWS\System32\blank.htm
Search Bar: http://home.microsoft.com/search/lobby/search.asp
Search Page: http://home.microsoft.com/access/allinone.asp

**** IE Context Menu (Right click) ****

IEContext: [Save with Download Manager...] C:\Program Files\J River\Media Jukebox\DMDownload.htm

**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CD2AF26-8872-48A6-84A7-7BD36CD9ED4C}] SEQPACKET 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CD2AF26-8872-48A6-84A7-7BD36CD9ED4C}] DATAGRAM 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2328847D-FF56-408B-857B-441E804EC2BD}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2328847D-FF56-408B-857B-441E804EC2BD}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{01D1C6CD-6D44-46B6-BA89-10155A459FBE}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{01D1C6CD-6D44-46B6-BA89-10155A459FBE}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CF20E463-EBE1-48F3-995E-7BAA1D7E296D}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CF20E463-EBE1-48F3-995E-7BAA1D7E296D}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{874F9E79-A321-42A3-B363-99109DF254C5}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{874F9E79-A321-42A3-B363-99109DF254C5}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A4DEE6B5-1EB7-428F-BFE9-A53E98895B7C}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A4DEE6B5-1EB7-428F-BFE9-A53E98895B7C}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66ED3BFB-C405-4F02-97E9-68673A390962}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66ED3BFB-C405-4F02-97E9-68673A390962}] DATAGRAM 5

**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No

**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [http://www.apple.com/qtactivex/qtplugin.cab]
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} [http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab]
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab]
{205FF73B-CA67-11D5-99DD-444553540013} [http://adserver.sharewareonline.com/adserver/Install.cab] C:\WINDOWS\Downloaded Program Files\Install.dll
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} [C:\Program Files\Yahoo!\Common\yinsthelper.dll] C:\Program Files\Yahoo!\Common\yinsthelper.dll
{33564D57-0000-0010-8000-00AA00389B71} [http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB]
{49232000-16E4-426C-A231-62846947304B} [http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab] C:\WINDOWS\Downloaded Program Files\SysInfo.dll
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} [http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab]
{6414512B-B978-451D-A0D8-FCFDF33E833C} [http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131749754187]
{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} [http://zone.msn.com/bingame/luxr/default/mjolauncher.cab]
{B8BE5E93-A60C-4D26-A2DC-220313175592} [http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7} [http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab]
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab]
{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} [http://download.abacast.com/download/files/abasetup141.cab]
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4713/mcfscan.cab]

**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[Autodesk Licensing Service] "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[ewido security suite control] C:\Program Files\ewido anti-malware\ewidoctrl.exe
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\fxssvc.exe
[FWService] C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe -Service
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[IDriverT] "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
[ImapiService] C:\WINDOWS\System32\imapi.exe
[iPodService] C:\Program Files\iPod\bin\iPodService.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[Pml Driver HPZ12] C:\WINDOWS\System32\HPZipm12.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{9BC5B651-952C-4947-AC46-563D2749C8A0}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\System32\wdfmgr.exe
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[svcWRSSSDK] C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://www.microsoft.com/isapi/redir.dll?
SEARCH: [CustomizeSearch] http://ie.search.msn.com/en-us/srchasst/srchcust.htm
SEARCH: [] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CU] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.msn.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://home.microsoft.com/access/allinone.asp
IEOPT: [Check_Associations] yes
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Use FormSuggest] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open]
IEOPT: [Use Search Assistant] no
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [LastCheckedHi] `2Æ
IEOPT: [Use Search Asst]
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [WindowPosition]
IEOPT: [Default_Search_URL] http://search.msn.com
IEOPT: [FormSuggest Passwords] yes
IEOPT: [FormSuggest PW Ask] no
IEOPT: [AutoSearch]
IEOPT: [SearchURL]
IEOPT: [HistoryViewType]
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [Default_Page_URL]
IEOPT: [CustomizeSearch]
IEOPT: [SearchAssistant]
IEOPT: [SearchBar]
IEOPT: [Start Page_bak]
IEOPT: [Search Bar] http://home.microsoft.com/search/lobby/search.asp
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL] C:\WINDOWS\System32\search.html
IEOPT: [Search Page] C:\WINDOWS\System32\search.html
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\System32\search.html
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [Search Bar] http://ie.search.msn.com/en-us/srchasst/srchasst.htm
IEOPT: [FullScreen] no
IEOPT: [Use Custom Search URL]
IEOPT: [Use Search Assistant] yes
IEOPT: [] yes
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [CustomizeSearch] yes
IEOPT: [SearchAssistant] http://ie.search.msn.com/en-us/srchasst/srchasst.htm
IEOPT: [IEWatsonEnabled]
IEOPT: [Check_Associations] yes

Next (Spysweeper log) Swept and Removed:
********
4:12 PM: | Start of Session, Thursday, March 16, 2006 |
4:12 PM: Spy Sweeper started
4:12 PM: Sweep initiated using definitions version 635
4:12 PM: Starting Memory Sweep
4:18 PM: Memory Sweep Complete, Elapsed Time: 00:06:08
4:18 PM: Starting Registry Sweep
4:19 PM: Found Adware: directrevenue-thebestoffersnetwork
4:19 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tbon\ (7 subtraces) (ID = 826503)
4:19 PM: Found Trojan Horse: trojan-downloader-2pursuit
4:19 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {1b68470c-2def-493b-8a4a-8e2d81be4ea5} (ID = 910513)
4:19 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\st3\ (10 subtraces) (ID = 910519)
4:19 PM: Found Adware: highdialer hijack
4:19 PM: HKLM\software\microsoft\internet explorer\main\ || default_search_url (ID = 1057101)
4:19 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 1057102)
4:19 PM: HKLM\software\microsoft\internet explorer\main\ || local page (ID = 1057453)
4:19 PM: HKLM\software\microsoft\internet explorer\main\ || local page (ID = 1134875)
4:19 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\tbon\ (43 subtraces) (ID = 826461)
4:19 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\st3\ (11 subtraces) (ID = 910473)
4:19 PM: Found Adware: big fish games toolbar
4:19 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (ID = 941730)
4:19 PM: HKU\S-1-5-21-2885428501-3646499915-426764551-1003\software\microsoft\gsgs\ (131 subtraces) (ID = 1032011)
4:19 PM: Registry Sweep Complete, Elapsed Time:00:00:46
4:19 PM: Starting Cookie Sweep
4:19 PM: Found Spy Cookie: yieldmanager cookie
4:19 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
4:19 PM: Found Spy Cookie: pointroll cookie
4:19 PM: owner@ads.pointroll[2].txt (ID = 3148)
4:19 PM: Found Spy Cookie: advertising cookie
4:19 PM: owner@advertising[2].txt (ID = 2175)
4:19 PM: Found Spy Cookie: atlas dmt cookie
4:19 PM: owner@atdmt[1].txt (ID = 2253)
4:19 PM: Found Spy Cookie: burstnet cookie
4:19 PM: owner@burstnet[2].txt (ID = 2336)
4:19 PM: Found Spy Cookie: casalemedia cookie
4:19 PM: owner@casalemedia[1].txt (ID = 2354)
4:19 PM: Found Spy Cookie: mediaplex cookie
4:19 PM: owner@mediaplex[2].txt (ID = 6442)
4:19 PM: Found Spy Cookie: 2o7.net cookie
4:19 PM: owner@msnportal.112.2o7[1].txt (ID = 1958)
4:19 PM: Found Spy Cookie: realmedia cookie
4:19 PM: owner@realmedia[1].txt (ID = 3235)
4:19 PM: Found Spy Cookie: adjuggler cookie
4:19 PM: owner@rotator.adjuggler[1].txt (ID = 2071)
4:19 PM: Found Spy Cookie: serving-sys cookie
4:19 PM: owner@serving-sys[2].txt (ID = 3343)
4:19 PM: Found Spy Cookie: tradedoubler cookie
4:19 PM: owner@tradedoubler[1].txt (ID = 3575)
4:19 PM: Found Spy Cookie: trafficmp cookie
4:19 PM: owner@trafficmp[1].txt (ID = 3581)
4:19 PM: Found Spy Cookie: burstbeacon cookie
4:19 PM: owner@www.burstbeacon[1].txt (ID = 2335)
4:19 PM: Found Spy Cookie: myaffiliateprogram.com cookie
4:19 PM: owner@www.myaffiliateprogram[1].txt (ID = 3032)
4:19 PM: Found Spy Cookie: adserver cookie
4:19 PM: owner@z1.adserver[1].txt (ID = 2142)
4:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
4:19 PM: Starting File Sweep
4:28 PM: Found Adware: cws_tiny0
4:28 PM: ~glh0000.tmp:zorxkr (ID = 204)
5:08 PM: tboninst.cfg (ID = 211835)
5:08 PM: File Sweep Complete, Elapsed Time: 00:49:01
5:08 PM: Full Sweep has completed. Elapsed time 00:56:05
5:08 PM: Traces Found: 231
5:10 PM: Removal process initiated
5:11 PM: Quarantining All Traces: trojan-downloader-2pursuit
5:11 PM: Quarantining All Traces: cws_tiny0
5:11 PM: Quarantining All Traces: big fish games toolbar
5:11 PM: Quarantining All Traces: highdialer hijack
5:11 PM: Quarantining All Traces: 2o7.net cookie
5:11 PM: Quarantining All Traces: adjuggler cookie
5:11 PM: Quarantining All Traces: adserver cookie
5:11 PM: Quarantining All Traces: advertising cookie
5:11 PM: Quarantining All Traces: atlas dmt cookie
5:11 PM: Quarantining All Traces: burstbeacon cookie
5:11 PM: Quarantining All Traces: burstnet cookie
5:11 PM: Quarantining All Traces: casalemedia cookie
5:11 PM: Quarantining All Traces: directrevenue-thebestoffersnetwork
5:11 PM: Quarantining All Traces: mediaplex cookie
5:11 PM: Quarantining All Traces: myaffiliateprogram.com cookie
5:11 PM: Quarantining All Traces: pointroll cookie
5:11 PM: Quarantining All Traces: realmedia cookie
5:11 PM: Quarantining All Traces: serving-sys cookie
5:11 PM: Quarantining All Traces: tradedoubler cookie
5:11 PM: Quarantining All Traces: trafficmp cookie
5:11 PM: Quarantining All Traces: yieldmanager cookie
5:11 PM: Removal process completed. Elapsed time 00:00:33
********
4:08 PM: | Start of Session, Thursday, March 16, 2006 |
4:08 PM: Spy Sweeper started
4:12 PM: Your spyware definitions have been updated.
4:12 PM: | End of Session, Thursday, March 16, 2006 |
And the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:16:42 PM, on 3/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Wave Wireless\Client Manager\cm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ipnb.exe] C:\WINDOWS\system32\ipnb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [37372al0] C:\WINDOWS\System32\37372al0.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [bO²ùðY×y-¯Œ] C:\WINDOWS\yqyxxsx.exe
O4 - HKLM\..\Run: [Bc6w] C:\WINDOWS\yqyxxsx.exe
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Client Manager.lnk = C:\Program Files\Wave Wireless\Client Manager\cm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131749754187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4713/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD2AF26-8872-48A6-84A7-7BD36CD9ED4C}: NameServer = 204.117.214.10,216.163.120.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

PC is running much better already. What do I need to remove on HijackThis?
Thanks.
Debbie

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Hey Debbie

Did CWShredder say it removed anything? It may not produce a log it's been a while...

I am going to go ahead and work up a fix, but I still want to see a few more logs please :)

Let's get going...
-
FIRST
Please relocate HijackThis to a permanent location such as C:\Program Files\HJT

NEXT
Scan with HijackThis and place a check next to each of these:
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [ipnb.exe] C:\WINDOWS\system32\ipnb.exe
O4 - HKLM\..\Run: [37372al0] C:\WINDOWS\System32\37372al0.exe
O4 - HKLM\..\Run: [bO²ùðY×y-¯Œ] C:\WINDOWS\yqyxxsx.exe
O4 - HKLM\..\Run: [Bc6w] C:\WINDOWS\yqyxxsx.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Now openPocket Killbox
-Copy and Paste the following one at a time
-Do not reboot until you have entered them all
-Check the Delete on Reboot options
-After entering each one click the Red X to confirm
C:\WINDOWS\system32\ipnb.exe
C:\WINDOWS\System32\37372al0.exe
C:\WINDOWS\yqyxxsx.exe

After entering the last one allow your PC to reboot
-If it does not reboot on it's own, reboot it manually

Download the following two tools
AproposFix
http://swandog46.geekstogo.com/aproposfix.exe
-Save to your desktop for right now

ISeeYou
http://forum.networktechs.com/attachment.php?attachmentid=22626&d=1142141622
-Save it to your desktop but do NOT run it yet.

Now reboot to Safe Mode

-Double-click aproposfix.exe and unzip it to the desktop. -Open the aproposfix folder on your desktop and run RunThis.bat.
- Follow the prompts.
-There will be an attachment log.txt in the Apropos folder
-Please attach this for me

-Now double click ISeeYou.bat and let it run
-Save and attach the log when you return

So when returning please provide the following
Apropos log
ISeeYou log
New HijackThis log

Hang in there ;)

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

C:\WINDOWS\system32\ipnb.exe
C:\WINDOWS\System32\37372al0.exe
C:\WINDOWS\yqyxxsx.exe

In my hijackThis log the above are only listed after the "04-HKLM\..\Run..." Are those the ones I copy and paste into my killbox because they are not listed in the top WINDOWS\system tools at the top of the log?

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

C:\WINDOWS\system32\ipnb.exe
C:\WINDOWS\System32\37372al0.exe
C:\WINDOWS\yqyxxsx.exe

In my hijackThis log the above are only listed after the "04-HKLM\..\Run..." Are those the ones I copy and paste into my killbox because they are not listed in the top WINDOWS\system tools at the top of the log?

You just copy and paste it exactly as I have here one at a time:C:\WINDOWS\system32\ipnb.exe
C:\WINDOWS\System32\37372al0.exe
C:\WINDOWS\yqyxxsx.exe
It will show up in blue if it exists.

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

Killbox tells me that none of the 3 files seem to exist.

Do I go ahead with AproposFix at this time?

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Yes, you can just move on with the instructions.

It is possible that HijackThis deleted them, or they could have renamed - we'll see :)

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

Okay,
aproposfix log:

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CyiUsAG8LTEm]
@="jbl2pvtBCCBCCDCkxpS5\\0BCCBREClXcSdlhCh934t\\IHCs2x6t23CrsuusrD393"
"Device"="\\\\.\\ViaDump"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\cdffdc.sys"
"DriverName"="UMWrage"
"HideUninstallerName"="C:\\Program Files\\Intacast\\solbdycl.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\cnbsasn1.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{87C3E230-8A93-46FA-8D4F-2175374629DA}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\System32\\nmerprof.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X218ae36-da75-5f4d-04f3-d5b4d7119305}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Intacast\\stiigpwd.exe"

************

Removing hidden service:
Service UMWrage removed.

Removing hidden folder:

ISeeYou Log:

****PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE NOT BADDIES!
****PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION.

Microsoft Windows XP [Version 5.1.2600]
Fri 03/17/2006
09:14 PM

--------------------------------------------------------------------------
Items Found in ZoneMap\Domains:
--------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\musicmatch.com]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\musicmatch.com\online]
"https"=dword:00000002

--------------------------------------------------------------------------
STARTUP ITEMS DISABLED VIA MSCONFIG:
--------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dguard"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ACCELE~1\\DOWNLO~1\\dguard.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eanth_critical_update_alert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EANTH_~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ACCELE~1\\ANTI-V~1\\EANTH_~1.EXE /Startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eanth_system_patcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys_alert"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Acceleration Software\\SystemPatcher\\sys_alert.exe\" /Startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FilmLoop]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FilmLoopService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\FilmLoop Player\\FilmLoopService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="?????? ??????N???"
"hkey"="HKCU"
"command"="?????? ??????N???"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="?????? ??????N???"
"hkey"="HKCU"
"command"="?????? ??????N???"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sginst]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sginst"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ACCELE~1\\SCRIPT~1\\sginst.exe /upd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StopSignSsFwMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssfwmon"
"hkey"="HKLM"
"command"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\StopSignProducts\\Firewall\\ssfwmon.dll\",VerifyStatus"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StopSignSsTsMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sstsmon"
"hkey"="HKLM"
"command"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\sstsmon.dll\",VerifyStatus"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tbon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tbon"
"hkey"="HKCU"
"command"="C:\\Program Files\\TBONBin\\tbon.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\webscan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="stopsignav"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002

--------------------------------------------------------------------------
LOG for Microsoft® Windows® Malicious Software Removal Tool:
--------------------------------------------------------------------------

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.14, March 2006
Started On Fri Mar 17 03:00:35 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Mar 17 03:00:57 2006

--------------------------------------------------------------------------
Select RunOnce Registry Key Items:
--------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

----------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

--------------------------------------------------------------------------
Shared Task Scheduler Registry Items:
--------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--------------------------------------------------------------------------
ENUMERATING SCHEDULED TASKS:
--------------------------------------------------------------------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 9C2B-62E7

Directory of C:\WINDOWS\tasks

07/12/2005 02:57 PM .
07/12/2005 02:57 PM ..
08/17/2001 10:00 PM 65 desktop.ini
03/17/2006 08:56 PM 6 SA.DAT
2 File(s) 71 bytes

Total Files Listed:
2 File(s) 71 bytes
2 Dir(s) 12,590,743,552 bytes free
HR C:\WINDOWS\tasks\desktop.ini
A H C:\WINDOWS\tasks\SA.DAT

--------------------------------------------------------------------------
CHECKING SELECT POLICIES KEYS:
--------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

----------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

----------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

--------------------------------------------------------------------------
ENUMERATING RECENT DOWNLOADED PROGRAM FILES:
--------------------------------------------------------------------------

C:\WINDOWS\DOWNLOADED PROGRAM FILES

03/15/2006 10:23 PM ..
03/15/2006 10:23 PM .
02/24/2006 11:49 AM 882 mcfscan.inf
01/16/2006 09:06 AM 65 desktop.ini
09/09/2005 07:16 AM 126,976 mjolauncher.dll
09/09/2005 07:14 AM 230 mjolauncher.inf
09/02/2005 10:05 AM 578 kavwebscan.inf
08/27/2005 01:30 PM 5,065 swflash.inf
05/26/2005 04:19 AM 291 wuweb.inf
05/10/2005 09:05 AM 610,304 DiagCollectionControl.dll
02/09/2005 04:54 PM 1,271 erma.inf
01/31/2005 11:26 PM 117,800 ZIntro.ocx
01/11/2005 03:49 PM 425,554 T$WEB.EXE

--------------------------------------------------------------------------
CHECKING RECENTLY ADDED DRIVERS:
--------------------------------------------------------------------------

C:\WINDOWS\system32\drivers

03/16/2006 04:08 PM ..
03/16/2006 04:08 PM .
01/17/2006 04:57 PM 92,416 fwcore.sys
11/26/2005 09:27 PM 12,288 cdffdc.sys
10/24/2005 12:18 PM 78,336 ssi.sys
10/02/2005 07:26 PM 8,413 mcstrm.sys
05/10/2005 09:04 AM 20,576 pxhelp20.sys
03/21/2005 08:42 PM etc
02/02/2005 01:21 AM 14,408 GEARAspiWDM.sys
01/28/2005 01:44 PM 18,944 wpdusb.sys
03/21/2005 08:42 PM ..
03/21/2005 08:42 PM .

--------------------------------------------------------------------------
CHECKING SYSTEM.INI:
--------------------------------------------------------------------------

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
device=dva.386
[network]
Bios=29360300
[msacm]
Install=msadpcm.acm
[Macx]
[Windows]
load=C:\WINDOWS\inet20099\winlogon.exe
[vicax]
msacm711=96842
msacm811=189829
msacm911=42405

--------------------------------------------------------------------------
CHECKING WIN.INI:
--------------------------------------------------------------------------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
MAPIX=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
[PCDRWIN]
CurrentLanguage=0
DWX=88
DWY=93
DWSZX=712
DWSZY=484
TLX=200
TLY=104
TLSZX=266
TLSZY=200
[Internet]
URLID=16803173
[Mach]
[programs]
01-00.AUD=C:\Program Files\Steinberg\Cubasis VST\Cubasis.exe
JDSecure20.exe=E:\JDSecure\Windows\JDSecure20.exe
[IRIS_IPE]
menu=1
[Readiris]
Scanner32=Twaino38,22
[eBlocsKeepSafe]
ClientID={72353B52-5546-4B62-AA83-BCAFEAD7A9F4}
[Compatibility16]
DXRCH=77599
SEKTVER=148773
R1CHMEDIA=42405
[Ans2000]
Pattern=73744
[netsock]
netapi.dll-7307307358GC635UU-1160=4915989
[Drivers.drv]
{5F20AC3C-9C20-4F1D-93AF-A027A89A8AC5}=2828282808180A683031372EC1650A50C84FF450344FF450A8792A50

--------------------------------------------------------------------------
MISCELLANEOUS DETECTIONS:
--------------------------------------------------------------------------

*** i386p.* Stealthing Agent NOT Found by this tool! ***

*** erssdd.* (ErrorSafe) Stealthing Agent NOT Found by this tool! ***

*** nmneenum.* (Apropos?) Stealthing Agent NOT Found by this tool! ***

*** mnmipsec.* (Apropos?) Stealthing Agent NOT Found by this tool! ***

*** DP.* (VUNDO?) Stealthing Agent NOT Found by this tool! ***

*** msctl32.dll SpamBot NOT Found by this tool! ***

*** ibm000*.* KeyLogger NOT Found by this tool! ***

--------------------------------------------------------------------------

**** LOOKING FOR AVPE Haxdoor Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** avpe Keys NOT Found by this tool! ***

**** LOOKING FOR MEMLOW Haxdoor Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** memlow Keys NOT Found by this tool! ***

**** LOOKING FOR VDNT Haxdoor Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** vdnt Keys NOT Found by this tool! ***

**** LOOKING FOR DP1112 Vundo Rootkit Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** DP1112 Keys NOT Found by this tool! ***

**** LOOKING FOR SYSBUS32 Rootkit Driver Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** sysbus32 Keys NOT Found by this tool! ***

**** LOOKING FOR I386P Rootkit Driver Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** i386p Keys NOT Found by this tool! ***

**** LOOKING FOR ERSSDD (ErrorSafe) Rootkit Driver Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** erssdd Keys NOT Found by this tool! ***

**** LOOKING FOR nmneenum.* (Apropos?) Rootkit Driver Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** nmneenum.* Keys NOT Found by this tool! ***

**** LOOKING FOR Parudio (Apropos?) Rootkit Driver Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** Parudio Keys NOT Found by this tool! ***

**** LOOKING FOR mnmipsec.* (Apropos?) Rootkit Driver Reg Keys ****

---------- HKLMSYSKEYS.TXT
*** mnmipsec.* Keys NOT Found by this tool! ***

- - - - - - - - - - - - - - - - -

**** LOOKING FOR W32/Sdbot-AMA Worm ****
*** W32/Sdbot-AMA Worm NOT Found by this tool! ***

#####################################################################################################

-- All DONE! :)

-- Don't forget to ATTACH this log to your post if you are posting in the IAmNotAGeek Forum.

~ PhilliePhan ~

And lastly, new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:22:12 PM, on 3/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Wave Wireless\Client Manager\cm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\hijackthis.exe

Okey-Dokey! So where do I go from here?
~Debbie
P.S. BTW, it is good to have an expert on board. Thanks.

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Alright - running a little behind, so I will check all the logs later on....but your HijackThis log, looks identical?

You should follow all the steps outline in my last post here
http://www.daniweb.com/techtalkforums/post197735-8.html

When you scan with HijackThis, you place a checkmark next to the suggested entries.
-Next you close All Open Web Browsers and choose Fix Checked

Afterwords, you reboot to Safe Mode and manually locate and delete them files, OR , in your case I had you use Killbox to enter the filename and path one by one and click the X to Kill.

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

New Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:04:22 AM, on 3/18/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Wave Wireless\Client Manager\cm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Client Manager.lnk = C:\Program Files\Wave Wireless\Client Manager\cm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131749754187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4713/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD2AF26-8872-48A6-84A7-7BD36CD9ED4C}: NameServer = 204.117.214.10,216.163.120.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Sorry,
~Debbie

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Alright - a few things I want you to do.

Seems you have Trojan Krepper

Reboot to Safe Mode and look for and delete this folder
load=C:\WINDOWS\inet20099

NEXT
Go toStart>Run
-Type MSConfig and press enter
-Change to Normal Startup and reboot

Now attach a new log for me..

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14

Cannot find any folder: C:\WINDOWS\inet20099!

And doing a NORMAL STARTUP from msconfig causes all kinds of issues. First of all, in msconfig, there are a couple of files that look like squares and when I change to normal boot, I get error msgs on reboot that say 'Windows cannot find ------------ Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search.' Like I said, the startup item and the command listed in msconfig for these files is nothing but a line of squares.

I have still run a new log while in normal mode and am attaching it here:

Logfile of HijackThis v1.99.1
Scan saved at 4:36:31 PM, on 3/18/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Wave Wireless\Client Manager\cm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=?????? ??????N???
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoopService.exe"
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Client Manager.lnk = C:\Program Files\Wave Wireless\Client Manager\cm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft® JavaScript® Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F35D6916-F6D0-49FA-AFB1-0E6BE8E96308} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131749754187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4713/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD2AF26-8872-48A6-84A7-7BD36CD9ED4C}: NameServer = 204.117.214.10,216.163.120.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Oh...this is frustrating!
~Debbie

Newbie Poster

16 posts since Mar 2006

Reputation Points: 10

Solved Threads: 0

Yeah - I knew you would get the errors,as well as have the squares in MSConfig, we'll fix them ;)

First open Add/Remove Programs and uninstall if found
Best Offers
TBONBin
Did you ever run the uninstaller from my first post? If not do thatFIRST

Now scan with HijackThis and check the following:
F3 - REG:win.ini: load=?????? ??????N???
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
Now with ALL Browsers closed, click theFIX CHECKED button

Now Open Pocket Killbox
-Using the Delete on Reboot option, enter the following one at a time.
-Do Not Reboot until all have been entered
C:\WINDOWS\inet20099
C:\Program Files\TBONBin
After the last has been entered reboot your PC.

Now attach hopefully the last HijackThis log

Posting Whiz in Training

246 posts since Feb 2006

Reputation Points: 11

Solved Threads: 14