Having Major Spyware Problems

Discussion in 'Windows Desktop Systems' started by kilonzom, Jul 11, 2006.

  1. kilonzom

    kilonzom OSNN One Post Wonder

    Messages:
    6
    Please look at my HijackThis log and see if anyone can help me. I used Ad-Aware and it was not able to remove drsmartload.exe or drsmartload849.exe or the SurfSideKick 3 files. Any help would be greatly appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:49:56 AM, on 7/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\xload.exe
    C:\dfndre_5.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\System32\mptft.exe
    C:\WINDOWS\System32\bdpn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\FNTS~1\wuauclt.exe
    C:\WINDOWS\FNTS~1\TI2EVX~1.EXE
    C:\WINDOWS\System32\xd7ehbkw.exe
    C:\Program Files\Everest Labs\Spydefense\sdc.exe
    C:\WINDOWS\System32\ssec.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\tfthot.exe
    C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX04.094\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20069&k=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{60832140-BCFD-EF09-A030-ED2B25CC879D} - (no file)
    R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ktceh.exe
    F2 - REG:system.ini: UserInit=userinit.exe,upjirgl.exe
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
    O2 - BHO: (no name) - {60832140-BCFD-EF09-A030-ED2B25CC879D} - C:\WINDOWS\System32\atcyc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnme_5.exe
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\FNTS~1\wuauclt.exe" -vt mt
    O4 - HKCU\..\Run: [Wrxcw] C:\WINDOWS\FNTS~1\TI2EVX~1.EXE
    O4 - HKCU\..\Run: [ruqu] C:\PROGRA~1\COMMON~1\ruqu\ruqum.exe
    O4 - HKCU\..\Run: [narrfn] C:\WINDOWS\System32\narrfn.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SpyDefense] C:\Program Files\Everest Labs\Spydefense\sdc.exe /service
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.sxload.com
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesuned.mht!http://adgate.info/zscript/dial.chm::/d2.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3138302D2D2D.exe
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150849693733
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150849636561
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:mad:MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
    O20 - AppInit_DLLs: repairs303169590.dll
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     
  2. saeltmarae2k

    saeltmarae2k OSNN Addict

    Messages:
    73
    Try ewido. You can download a trial version at free.grisoft.com.
     
  3. failurbydesign

    failurbydesign music MUSIC music Political User

    Messages:
    1,820
    Location:
    Las Vegas
    Spy Sweeper works great too.
     
  4. tdinc

    tdinc Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    I am a bit rusty, but I'm sure j79zlr will see your post and help you when he can.
    You do have some nasty garbage on your rig: SurfSideKick 3 and some trojans.

    In the meantime, it's good to follow some of these tips:

    The best method to remove malware is to do it after booting in Safe Mode with no connection to the internet possible and no browsers running.

    Booting in Safe Mode is important because Safe Mode disables most drivers and running programs, which gives the best results. If you cannot boot in Safe Mode due to the malware problem, then run the scans in normal boot mode, but make sure you tell us later in any messages you post.

    Thus you will need to print or save these instructions locally in a text file so you can refer to them while offline. Do this before continuing!

    * Reboot into safe mode: Starting your computer in Safe mode

    * Physically unplug your cable to the internet (even if you have dial-up, unplug modem)
    * Shut down ALL unrequired applications including browsers

    * Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.

    * Run the Microsoft Windows Malicious Software Removal Tool and clean all that it finds.
    * Run Ad-Aware SE and select Perform full system scan box and allow it to fix all that it finds

    * Run Spybot Search & Destroy and allow it to fix all that it finds. Make sure you use the Immunize feature and use the SDHelper function but do not use Teatimer.

    * Run Microsoft Windows Defender and allow it to fix all that it finds. If it will not run in safe mode, run it later after booting into normal mode.

    Optional tools to scan with:

    * CWShredder: run if you seem to have any CWS type infections. Make sure you select Fix.

    * Kill2Me: run if you have indications of a Look 2 Me parasite.
     
  5. kilonzom

    kilonzom OSNN One Post Wonder

    Messages:
    6
    I will try your suggestions out, tdinc.
     
  6. pokerblogger

    pokerblogger OSNN Addict Folding Team

    Messages:
    125
    Location:
    Portland
    You can learn more about SpySweeper here... and download a free trial if you like. If it doesn't delete everything you can call their support line and they'll help you out!
     
  7. kcnychief

    kcnychief Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Last time I used it, which was a month or two ago, the trial only lets you scan. Don't you have to pay for it to do any removal?
     
  8. tdinc

    tdinc Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    Yes, I believe so; don't quote me on that one though.
     
  9. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    Another tip: Turn off system restore when trying to remove malware.
     
  10. pokerblogger

    pokerblogger OSNN Addict Folding Team

    Messages:
    125
    Location:
    Portland
    This may have changed; I got the trial over a year ago and it did removal for me :)
     
  11. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    You've got lots of nasties there, and these SmitFraud hijacks are getting worse. Here is a canned response fix, go ahead and follow these instructions, then post a new log. There will be more to do.

    Download smitRem.exe and save the file to your desktop.
    If you cannot access that link, here are alternate links:
    smitRem.exe
    smitRem.exe
    Double click on the file to extract it to its own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop.

    Download ewido anti-spyware from HERE and save that file to your desktop.
    This is a 30-day trial of the program.
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
    2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
      Right click on ewido in the system tray and uncheck "Start with Windows".
      Go to Start > Run and type: services.msc
      • Press "OK".
      • In Services, click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
      • When you find the guard service, double-click on it.
      • In the Properties Window > General Tab that opens, click the "Stop" button.
      • From the drop-down menu next to "Startup Type", click on "Manual".
      • Now click "Apply", then "OK" and close the Services window.
    3. Once the setup is complete you will need to run ewido and update the definition files.
    4. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
        If you are having problems with the updater, manually update with the Ewido Full database installer from here.
    5. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    6. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    7. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.

    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.
    1) Run Ad-Aware, and click Check for updates now.
    2) Select Configurations (click the Gear wheel at the top) as follows:
    • General Button > Safety & Settings: Check (Green) all three.
    • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    Don't run it yet!
    Exit Ad-aware.

    Next, please reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    ==================================================
    Run HijackThis, and press "Scan". When the scan is complete place a check mark next to the following entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20069&k=
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{60832140-BCFD-EF09-A030-ED2B25CC879D} - (no file)
    R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ktceh.exe
    F2 - REG:system.ini: UserInit=userinit.exe,upjirgl.exe
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
    O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
    O2 - BHO: (no name) - {60832140-BCFD-EF09-A030-ED2B25CC879D} - C:\WINDOWS\System32\atcyc.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnme_5.exe
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\FNTS~1\wuauclt.exe" -vt mt
    O4 - HKCU\..\Run: [Wrxcw] C:\WINDOWS\FNTS~1\TI2EVX~1.EXE
    O4 - HKCU\..\Run: [ruqu] C:\PROGRA~1\COMMON~1\ruqu\ruqum.exe
    O4 - HKCU\..\Run: [narrfn] C:\WINDOWS\System32\narrfn.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SpyDefense] C:\Program Files\Everest Labs\Spydefense\sdc.exe /service
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.sxload.com
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesuned.mht!http://adgate.info/zscript/dial.chm::/d2.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...38302D2D2D.exe
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:mad:MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
    O20 - AppInit_DLLs: repairs303169590.dll

    After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."
    ===================================================
    Close Hijackthis.

    Then search for and DELETE the following file(s)/folder(s) IF STILL PRESENT:

    We'll do this in the next step.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Open Ad-aware and do a full scan. Remove all it finds.
    • Open ewido anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"

      IMPORTANT! Don't save the report before you have clicked the Apply all actions button. If you do it will make it more difficult for the helper to interpret the report.
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    Close Ewido

    Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" or "Desktop Uninstall" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut.
    - Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Post Reply.
    Let us know if any problems persist.

    ** It is possible that after the reboot the system is using the Windows Classic theme again.
    To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under Windows and buttons.
    Click Apply and OK.
     
  12. kilonzom

    kilonzom OSNN One Post Wonder

    Messages:
    6
    I have attached the log files you requested.

    I have finally come around to taking care of this problem. I have attached the log files you requested. Ad-Aware could not remove SurfSideKick; I have posted the error message it gave me.

    I ran ewido twice and it froze up on me twice while trying to quarantine the SurfSideKick lines. I was therefore not able to post any of the ewido logs.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:16:44 PM, on 7/17/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ktceh.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,upjirgl.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150849693733
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150849636561
    O20 - AppInit_DLLs: repairs303169590.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     


    Last edited: Jul 17, 2006
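    The triage that the helpers in this thread do by hand, as an added example (my own code, not a tool from the thread or from HijackThis): it parses HijackThis finding lines, flags the entry classes j79zlr picked out of the first log (extra executables on the F2 Shell/UserInit lines, O4 Run values launched from the drive root or from 8.3 short paths, O15 Trusted Zone additions, O16 ActiveX controls not served by Microsoft or Yahoo, O18 text/html filters, O20 AppInit_DLLs), and then checks which entries from the post 11 fix list survive in the post 12 log. The rules are heuristics I constructed from the lines quoted above, and the two embedded logs are trimmed excerpts of the thread's logs, not the full ones.

    ```python
    """Triage helper for HijackThis v1.99 logs (constructed example, not a tool
    from this thread). Rules encode the entry classes the helpers above picked
    out by hand; still_present() looks for survivors of a fix list."""
    import re

    # Every HijackThis finding is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [...]".
    ENTRY_RE = re.compile(r"^(?P<sec>[ROF]\d+) - (?P<detail>.*)$")
    # Last file name in an entry, used as a loose identity when comparing two logs.
    FILE_RE = re.compile(r"[\w~$.-]+\.(?:exe|dll|ocx|bat|vbs|cab)", re.I)


    def parse_hjt(text):
        """Return [(section, detail)] for every finding line; other lines are skipped."""
        out = []
        for line in text.splitlines():
            m = ENTRY_RE.match(line.strip())
            if m:
                out.append((m.group("sec"), m.group("detail")))
        return out


    def _rule_f2(detail):
        # Shell= / UserInit= should name one executable; anything after the comma is
        # an extra program started at logon (ktceh.exe and upjirgl.exe in the logs above).
        m = re.match(r"REG:system\.ini: (?:Shell|UserInit)=(.*)", detail)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            if len(parts) > 1:
                return "extra logon executable: " + ", ".join(parts[1:])
        return None


    def _rule_o4(detail):
        # Run/RunOnce/Startup values: pull the launched path, quoted or not.
        m = re.search(r'(?:\]|=)\s*"?([A-Za-z]:\\.*?\.(?:exe|dll|bat|cmd|vbs))', detail, re.I)
        if not m:
            return "Run value is not a local path"      # e.g. 'iexplore.exe http://...'
        path = m.group(1)
        if re.match(r"^[A-Za-z]:\\\\?[^\\]+$", path):   # C:\\dfndre_5.exe style
            return "runs from drive root"
        if "~1" in path.upper():                       # C:\PROGRA~1\FNTS~1\... style
            return "8.3 short-name path"
        return None


    def _rule_o16(detail):
        # Downloaded Program Files (ActiveX): Microsoft/Yahoo updaters are expected here.
        if re.search(r"https?://[^/]*\.(?:microsoft|yimg)\.com/", detail):
            return None
        return "ActiveX control from an untrusted source"


    RULES = {
        "F2": _rule_f2,
        "O4": _rule_o4,
        "O15": lambda d: "third-party domain in Trusted Zone",
        "O16": _rule_o16,
        "O18": lambda d: "MIME filter hooks text/html" if "text/html" in d else None,
        "O20": lambda d: "AppInit_DLLs loads a DLL into every process",
    }


    def triage(entries):
        """Return [(section, detail, reason)] for entries that trip a rule."""
        flagged = []
        for sec, detail in entries:
            rule = RULES.get(sec)
            reason = rule(detail) if rule else None
            if reason:
                flagged.append((sec, detail, reason))
        return flagged


    def entry_key(sec, detail):
        """Loose identity (section, key prefix, last file name) so the fix list's short
        'userinit.exe,upjirgl.exe' still matches the later log's full-path UserInit line."""
        files = FILE_RE.findall(detail)
        tail = files[-1].lower() if files else detail.lower()
        return (sec, detail.split(":", 1)[0].lower(), tail)


    def still_present(fix_list_text, new_log_text):
        """Entries of the fix list whose key still occurs in the new log."""
        new_keys = {entry_key(s, d) for s, d in parse_hjt(new_log_text)}
        return [(s, d) for s, d in parse_hjt(fix_list_text) if entry_key(s, d) in new_keys]


    # Constructed excerpts: part of the post 11 fix list and of the post 12 log.
    FIX_LIST = r"""
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ktceh.exe
    F2 - REG:system.ini: UserInit=userinit.exe,upjirgl.exe
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\System32\v199.dll
    O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\FNTS~1\wuauclt.exe" -vt mt
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
    O20 - AppInit_DLLs: repairs303169590.dll
    """
    AFTER_LOG = r"""
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ktceh.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,upjirgl.exe
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150849693733
    O20 - AppInit_DLLs: repairs303169590.dll
    """

    if __name__ == "__main__":
        for sec, detail, reason in triage(parse_hjt(FIX_LIST)):
            print(f"{sec:<4} {reason:<45} {detail}")
        print("still present after fix:")
        for sec, detail in still_present(FIX_LIST, AFTER_LOG):
            print(f"  {sec} - {detail}")
    ```

    The rules are deliberately conservative: SurfSideKick's own O4 entries pass the O4 heuristics and are caught only through the R3 hook, which is why the survivors list matters more than the flags alone.
    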
  13. kilonzom

    kilonzom OSNN One Post Wonder

    Messages:
    6
    Here is my Panda ActiveScan logfile.


    Incident Status Location

    Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
    Adware:Adware/Qoologic Not disinfected C:\WINDOWS\System32\arkayiw.dll
    Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
    Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\system32\repairs303169590.dll
    Adware:adware/adrotator Not disinfected c:\windows\system32\adrotate.dll
    Spyware:spyware/surfsidekick Not disinfected c:\windows\system32\bk.exe
    Adware:adware program Not disinfected c:\windows\system32\data.~
    Spyware:spyware/safesurf Not disinfected c:\windows\system32\UnIrimon.exe
    Adware:adware/mirar Not disinfected c:\windows\system32\WinNB58.dll
    Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USDR6_0001_D08M0404NetInstaller.exe
    Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
    Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
    Adware:adware/mediatickets Not disinfected Windows Registry
    Spyware:spyware/betterinet Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/sqwire Not disinfected Windows Registry
    Adware:adware/webhancer Not disinfected Windows Registry
    Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
    Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
    Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Owner\Cookies\owner@errorsafe[1].txt
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
    Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kmpads[2].txt
    Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mmm.media-motor[2].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt
    Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@targetsaver[2].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Desktop\backups\backup-20060717-104519-270.dll
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smtirem\smitRem\Process.exe
    Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DFN51AAN\CAC5GC2Y.HTM
    Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YLWVIFMX\install-test1[1].exe[ExtractDLL.dll]
    Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YLWVIFMX\YazzleBundle-1119[1].exe
    Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\SurfSideKick 3\Ssk.exe
    Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\mtuninst.exe
    Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\msiexec.dll
    Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\yiadt.dat
    Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe[gege15x.exe]
    Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe[CCZoop05.exe]
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\VG9uaSBOb2x6ZQ\p36Rum1ivZUdtk.vbs
    Adware:Adware/Yazzle Not disinfected C:\WINDOWS\YazzleBundle-1119.exe
    Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\YOINSI.exe
     
  14. j79zlr

    j79zlr Glaanies script monkey Political User

    OK, looking a little better, some work still to do. We will use Brute Force Uninstaller to get rid of SurfSideKick.

    Download Brute Force Uninstaller to your desktop.
    • Right-click the file on your Desktop, and choose Extract All.
    • Click Next.
    • In the box to choose where to extract the files to:
    • Click Browse.
    • Click on the + sign next to My Computer.
    • Click on Local Disk C: or whatever your primary drive is.
    • Click Make New Folder.
    • Type in BFU.
    • Click Next, uncheck the Show Extracted Files box and then click Finish.
    Download sidekickFix.bat (right-click on that link and choose Save As).
    • Place sidekickFix.bat in your C:\BFU folder. (Important!)
    • Close all browsers and Explorer folders.
    • Double-click on sidekickFix.bat.
    • Click Yes and follow the prompts; when prompted to restart the PC, please do so.

    Post a new log after you've completed this.
     
  15. kilonzom

    kilonzom OSNN One Post Wonder

    Here are the log files. Internet Explorer is still acting up: I cannot get to any web pages when entering them in the address bar; I have to go to a search engine, search for the site and click on it, and I am still getting a few ads. Apart from that I think you did it, thank you for your help. If you have any suggestions on ways I can prevent the problems I had from happening again, let me know.
     

    Attached Files:

  16. j79zlr

    j79zlr Glaanies script monkey Political User

  17. kilonzom

    kilonzom OSNN One Post Wonder

    I have got rid of the Qoologic and tried to boot into Safe Mode so I can run Ad-Aware as well as ewido again. Every time I ran ewido I got an error message; I included a screen shot of the error message too. When I hit OK the PC restarts. I have included a couple of screen shots as well as log files of the stuff that has been popping up. Take a look when you can and let me know what you think.

    I was not able to attach the screen shots so here are the links to them.

    http://img110.imageshack.us/img110/9148/errormessagescrnshotar5.png

    http://img227.imageshack.us/img227/7345/screenshotar1.png
     

    Attached Files:

    Last edited: Jul 18, 2006
  18. j79zlr

    j79zlr Glaanies script monkey Political User

    OK, you are looking much better. Have HJT fix:

    O4 - HKLM\..\Run: [scprhx] C:\WINDOWS\System32\tklaha.exe reg_run
    O4 - HKLM\..\Run: [706cb392.exe] C:\WINDOWS\System32\706cb392.exe
    O4 - HKCU\..\Run: [706cb392.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\706cb392.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
    O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Owner\LOCALS~1\Temp\1.tmp3072.exe
    O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
    O20 - Winlogon Notify: satau320 - C:\WINDOWS\SYSTEM32\satau320.dll
    O21 - SSODL: ntACWQVz - {C897A9F7-623D-035D-C177-5A9EADE1D7CD} - C:\WINDOWS\System32\alwf.dll
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll (file missing)

    Boot into safemode and delete the following:

    C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll <--file
    C:\Documents and Settings\Owner\Local Settings\Temp\ <--entire contents of this folder
    C:\Documents and Settings\Owner\Local Settings\Application Data\706cb392.exe <--file
    C:\WINDOWS\System32\706cb392.exe <--file
    C:\WINDOWS\System32\alwf.dll <--file
    C:\WINDOWS\SYSTEM32\satau320.dll <--file
    C:\WINDOWS\System32\taskdir.exe <--file
    C:\WINDOWS\System32\tklaha.exe <--file
    C:\Windows\xpupdate.exe <--file

    Reboot and post a new log. Please just post it in text on the forum, don't attach it.

    You really need to get all Windows updates, including SP2, and install an antivirus program. I recommend AVG Free: http://free.grisoft.com/doc/1
     
  19. Alter

    Alter OSNN One Post Wonder

    I seem to be having a similar problem on a Windows 2000 machine. Can someone help me with my HijackThis log file and tell me what needs to be deleted?

    Logfile of HijackThis v1.99.1
    Scan saved at 4:26:14 PM, on 7/19/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\rundll32.exe
    M:\PKTMP001.exe
    C:\WINNT\system32\NOTEPAD.EXE


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\koxtn.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,vjfxynu.exe
    O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINNT\system32\x3cqp0.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Config Manager32] mgfx32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
    O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
    O4 - HKLM\..\Run: [defender] C:\\dfndrac_6.exe
    O4 - HKLM\..\Run: [newname] C:\\kybrdac_6.exe
    O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
    O4 - HKLM\..\Run: [suampjwA] C:\WINNT\suampjwA.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
    O4 - HKLM\..\RunServices: [Config Manager32] mgfx32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [mfmi] C:\PROGRA~1\COMMON~1\mfmi\mfmim.exe
    O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
    O4 - Startup: HASP License Manager.lnk = C:\Program Files\Aladdin\HASP LM\nhsrvw32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3130302D2D2D.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22de0d066d0be4f47815/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123248138694
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133920404666
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://mail.gocomdata.com:8900/msrdp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = saracademy.org
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3122CF2A-8829-4B20-88F8-165DEFC71F04}: NameServer = 192.168.168.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = saracademy.org
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3122CF2A-8829-4B20-88F8-165DEFC71F04}: NameServer = 192.168.168.5
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = saracademy.org
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3122CF2A-8829-4B20-88F8-165DEFC71F04}: NameServer = 192.168.168.5
    O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINNT\system32\x3cqp0.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: Reliability - C:\WINNT\system32\demssocn.dll
    O20 - Winlogon Notify: URL - C:\WINNT\system32\hp4023hmg.dll (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2luZG93cyAyMDAw\command.exe
    O23 - Service: IT Assistant Connection Service (dcconnsvc) - Unknown owner - C:\Program Files\Dell\SysMgt\ITAssistant\iws\bin\win32\omaws32.exe" "OMACS_KEY_OMA=SOFTWARE\Dell Computer Corporation\Dell OpenManage IT Assistant\Dell OMA (file missing)
    O23 - Service: IT Assistant Network Monitoring Service (dcnetmon) - Dell Inc. - C:\Program Files\Dell\SysMgt\ITAssistant\bin\dcnetmon.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development
    O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
    O23 - Service: ITA OM Common Services (itaomsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\ITAssistant\oma\bin\omsad32.exe
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINNT\wkssvc.exe (file missing)
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
    O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SOLProxy - Unknown owner - C:\Program Files\Dell\SysMgt\bmc\solproxy.exe" -f "C:\Program Files\Dell\SysMgt\bmc\solproxy.cfg (file missing)
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\suampjw.exe

    Thanks.
    PS: as I am not sure where to post this, please don't beat me up over it.
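    An added triage script, not part of this thread and not HijackThis' own code, that turns the kind of judgement j79zlr applies in the fix list above (post 18) and the entries in Alter's Windows 2000 log (post 19) into checks a responder can run over an HJT log before asking a forum: Run entries launching from Temp or loose in C:\ or the Windows directory, Run value names that mimic system files, Shell= and UserInit= hijacks in the F2 lines, the text/html MIME filter, Winlogon Notify and SSODL DLLs that are missing or live outside System32, services with no owner, and directory names that are really base64 (the Command Service folder d2luZG93cyAyMDAw decodes to "windows 2000"). The sample log lines are copied from the logs quoted in this thread; the trusted-host list, the path rules and the "loose file" regex are assumptions of the example, not anything HijackThis defines.

```python
import base64
import re

# Constructed sample: entries copied from the HijackThis logs quoted in this thread (posts 18 and 19), plus benign lines.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\koxtn.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,vjfxynu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Owner\LOCALS~1\Temp\1.tmp3072.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrac_6.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2luZG93cyAyMDAw\command.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

TRUSTED_HOSTS = ("microsoft.com", "msn.com")  # assumption: IE's own defaults; any other R0/R1 host is a redirect
TEMP_DIR = re.compile(r"\\(Temp|Local Settings|LOCALS~1)\\", re.I)
LOOSE_FILE = re.compile(r"^[a-z]:\\{1,2}(win(dows|nt)\\)?[^\\]+$", re.I)  # file sitting in C:\ or C:\WINDOWS itself
B64_COMPONENT = re.compile(r"\\([A-Za-z0-9+/]{12,})\\")  # directory name that looks like base64


def run_target(entry):
    """Program path from an O4 line of the form '[name] path args' (quoted path, else first token)."""
    body = entry.split("] ", 1)[1].strip()
    if body.startswith('"'):
        return body[1:].split('"', 1)[0]
    return body.split(" ", 1)[0]


def decode_b64_component(path):
    """(component, decoded) when a directory name is valid base64 of printable ASCII, else None."""
    for comp in B64_COMPONENT.findall(path):
        padded = comp + "=" * (-len(comp) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            return comp, text
    return None


def triage(log_text):
    """Run the heuristics over every HijackThis line; return a list of (reason, line)."""
    findings = []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        kind = line.split(" - ", 1)[0]
        reasons = []
        if kind in ("R0", "R1", "R3"):
            m = re.search(r"https?://([^/\s]+)", line)
            if m and not m.group(1).lower().endswith(TRUSTED_HOSTS):
                reasons.append("IE search/start page redirected to " + m.group(1))
        elif kind == "F2" and ": " in line:
            key, _, value = line.split(": ", 1)[1].partition("=")
            programs = [p.strip() for p in value.split(",") if p.strip()]  # clean UserInit ends in a comma
            bases = [p.rsplit("\\", 1)[-1].lower() for p in programs]
            if key.lower() == "shell" and bases != ["explorer.exe"]:
                reasons.append("Shell= starts something besides Explorer.exe")
            if key.lower() == "userinit" and bases != ["userinit.exe"]:
                reasons.append("UserInit= chains an extra program after userinit.exe")
        elif kind == "O4" and "] " in line:
            name = line[line.index("[") + 1:line.index("]")].lower()
            target = run_target(line)
            base = target.rsplit("\\", 1)[-1].lower()
            if TEMP_DIR.search(target):
                reasons.append("autostart from a Temp / Local Settings directory")
            if LOOSE_FILE.match(target):
                reasons.append("autostart binary loose in the drive root or Windows directory")
            if name.endswith((".exe", ".dll")) and name != base:
                reasons.append("Run value named like a system file but runs " + base)
        elif kind == "O10":
            reasons.append("Winsock LSP hijack reported")
        elif kind == "O18" and "text/html" in line:
            reasons.append("MIME filter on HTML: every page IE renders passes through this DLL")
        elif kind in ("O20", "O21"):
            path = line.rsplit(" - ", 1)[1]
            if path.endswith("(file missing)"):
                reasons.append(kind + " entry points at a missing file (orphaned loader)")
            elif "\\system32\\" not in path.lower():
                reasons.append(kind + " DLL loaded from outside System32")
        elif kind == "O23":
            if "Unknown owner" in line:
                reasons.append("service binary carries no company/version information")
            hit = decode_b64_component(line)
            if hit:
                reasons.append("base64-named directory %s decodes to %r" % hit)
        findings.extend((r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-70s <- %s" % (reason, line))
```

    Run it against a saved log with `triage(open("hijackthis.log").read())`. The checks are deliberately coarse: a DLL sitting in System32 with a random name (satau320.dll above) passes the location test, so the output is a reading order for the log, not a verdict, and anything it flags still has to be confirmed against the file on disk before it goes into an HJT fix list.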
     
  20. falconguard

    falconguard Carbon based lifeform Political User Folding Team

    Alter, post a new thread in this section along with the HJT log; it keeps this from getting confusing.