0

Greetings, as indicated I have run Ad-Aware, Spybot, Microsoft Anti-Spyware, and run complete scans with Norton Anti-Virus several times, all in Safemode, yet some problems still plague this machine. It is my girlfriend's family's, and I know it is a case of the younger ones clicking what they should not have. From researching your site I have found good documentation for some of these issues, but am not sure in what order to implement the fixes. Any help would be greatly appreciated. Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:25:25 PM, on 07/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\uidvqy.exe
C:\WINDOWS\system32\poker3.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Fulfords\check2.exe
C:\Documents and Settings\Fulfords\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [qihbpht] c:\windows\system32\uidvqy.exe r
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteryx32.exe
O4 - HKLM\..\RunServices: [virtual-machine] winlogin.exe
O4 - HKLM\..\RunServices: [ine] svchosts.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000080.exe
O4 - HKCU\..\Run: [eB74RSe7h] mssecr40.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093069311551
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

2
Contributors
3
Replies
4
Views
12 Years
Discussion Span
Last Post by crunchie
0

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
It will self-extract to the desktop, but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. During the scan it will prompt you to clean files, click OK.
Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

0

Thanks for the help! Here is the ne HT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:56 AM, on 07/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\anakbie.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Fulfords\My Documents\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteryx32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [inuxot] C:\WINDOWS\inuxot.exe
O4 - HKLM\..\Run: [8qgtpas9] C:\WINDOWS\system32\8qgtpas9.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ywypjb] c:\windows\system32\anakbie.exe r
O4 - HKLM\..\RunServices: [virtual-machine] winlogin.exe
O4 - HKLM\..\RunServices: [ine] svchosts.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000080.exe
O4 - HKCU\..\Run: [eB74RSe7h] mssecr40.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093069311551
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



And the Ewido log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           10:57:36 AM, 7/26/2005
+ Report-Checksum:      D6A39079


+ Scan result:


HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{31CA5C07-7F5F-4502-8C77-99A91558ADD0} -> Spyware.TX4 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{223A26D8-9F91-42F6-8ED3-094B637DE020} -> Spyware.TX4 : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB} -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Elitum -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\Elitum\EliteToolBar -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteBar Internet Explorer Toolbar -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-636974812-1152003213-3841376536-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Bro Luke's\canusa.exe -> Backdoor.SdBot.xt : Cleaned with backup
C:\Documents and Settings\Bro Luke's\Cookies\bro luke's@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Bro Luke's\Cookies\bro luke's@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Bro Luke's\Cookies\bro luke's@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Bro Luke's\Cookies\bro luke's@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Bro Luke's\Cookies\bro luke's@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Bro Luke's\nn.exe -> Worm.Opanki.q : Cleaned with backup
C:\Documents and Settings\Bro Luke's\perfect.exe/rebates.exe -> TrojanDownloader.WinAD.c : Cleaned with backup
C:\Documents and Settings\Bro Luke's\rebates.exe/rebates.exe -> TrojanDownloader.WinAD.c : Cleaned with backup
C:\Documents and Settings\Faither\blowme.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Faither\Cookies\faither@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Faither\nnn.exe -> Worm.Opanki.q : Cleaned with backup
C:\Documents and Settings\Faither\perfect.exe/rebates.exe -> TrojanDownloader.WinAD.c : Cleaned with backup
C:\Documents and Settings\Faither\rebates.exe/rebates.exe -> TrojanDownloader.WinAD.c : Cleaned with backup
C:\Documents and Settings\Faither\wins.exe/rebates.exe -> TrojanDownloader.WinAD.c : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Fulfords\Application Data\Mozilla\Firefox\Profiles\ulvyy0it.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Fulfords\check3.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Fulfords\Cookies\fulfords@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Fulfords\indexx.exe/vonnera.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temp\828906.dll -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temp\jfghjfgudk.exe -> TrojanDownloader.IstBar.ku : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temporary Internet Files\Content.IE5\6BWCMQ4L\istdownload[1].exe -> TrojanDownloader.IstBar.ku : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temporary Internet Files\Content.IE5\CJ8USTIY\X16[1].exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temporary Internet Files\Content.IE5\ER4T01QX\protector[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temporary Internet Files\Content.IE5\PN3NGNJE\nem220[1].dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\Fulfords\Local Settings\Temporary Internet Files\Content.IE5\PN3NGNJE\vonner[1].exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\Documents and Settings\Fulfords\neww1.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Fulfords\perfect.exe/rebates.exe -> TrojanDownloader.WinAD.c : Cleaned with backup
C:\Documents and Settings\kidz\aa1.exe -> Backdoor.SdBot.abj : Cleaned with backup
C:\Documents and Settings\kidz\Cookies\kidz@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\kidz\Cookies\kidz@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\kidz\Cookies\kidz@ehg-hasbro.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\kidz\neww1.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\kidz\nn.exe -> Worm.Opanki.q : Cleaned with backup
C:\Documents and Settings\kidz\nnn.exe -> Worm.Opanki.q : Cleaned with backup
C:\Documents and Settings\kidz\rebates.exe/rebates.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\180searchassistant\salm.exe -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\180searchassistant\salmhook.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\prositefinder.exe -> Spyware.ClearSearch : Cleaned with backup
C:\WINDOWS\abcdefg.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\f430grka.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\inuxot.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\WINDOWS\qagbtfvup.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\6qh75p95.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\8qgtpas9.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitebof32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\eliteryx32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitetbm32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\n2ad3fge.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\poker3.exe -> Backdoor.SdBot.abj : Cleaned with backup
C:\WINDOWS\SYSTEM32\snvwzcn.exe -> Adware.BetterInternet : Cleaned with backup



::Report End

Edited by happygeek: fixed formatting

0

You have some more entries there that need removing.

===============

Please visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you tick Auto Clean.
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u Catcher.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from your PC. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

services.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Internet Optimizer

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

c:\windows\system32\anakbie.exe
C:\Program Files\Common Files\services.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteryx32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [inuxot] C:\WINDOWS\inuxot.exe
O4 - HKLM\..\Run: [8qgtpas9] C:\WINDOWS\system32\8qgtpas9.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ywypjb] c:\windows\system32\anakbie.exe r
O4 - HKLM\..\RunServices: [virtual-machine] winlogin.exe
O4 - HKLM\..\RunServices: [ine] svchosts.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000080.exe
O4 - HKCU\..\Run: [eB74RSe7h] mssecr40.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\DNS
C:\Program Files\Media Access
c:\program files\180searchassistant
C:\Program Files\ProSiteFinder
C:\Program Files\Internet Optimizer

files...

c:\windows\system32\anakbie.exe
C:\Program Files\Common Files\services.exe
C:\windows\system32\eliteryx32.exe
C:\WINDOWS\inuxot.exe
C:\WINDOWS\system32\8qgtpas9.exe
C:\Program Files\Common Files\mc-58-12-0000080.exe

Search for...

poker3.exe
winlogin.exe
svchosts.exe
mssecr40.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.