TheTechGuide Forum
General Category => Tech Clinic => Topic started by: scv8 on February 01, 2005, 08:49:25 PM
-
Hello,
I'm having many problems with spyware and IE closing on me.
I know how to start in safe mode and I've adjusted to show hidden files (but that's about all I know). I've tried fixing it with HJT and have deleted some things. I would greatly appreciate any assistance!!
Here's my log:
Logfile of HijackThis v1.99.0
Scan saved at 8:47:57 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\soft.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvppc32.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
-
Can you do me a favor please? I want to see everything.
Can you open HijackThis >> click "View a list of Backups"
Restore all backups and then run another scan with HijackThis and post a fresh log, thanks
-
guestolo-
Thank you sir for your time!
Here's everything restored and a fresh log. Thank you!!
Logfile of HijackThis v1.99.0
Scan saved at 9:04:23 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\soft.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?seojz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
F2 - REG:system.ini: Shell=Explorer.exe,sysdisk16.exe -shell
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C4EA8D2-2AB1-E54D-DA75-3B904D318D63} - C:\WINDOWS\d3qi32.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS\System32\WinSuck.dll
O2 - BHO: (no name) - {5C373BD8-E281-13C6-522B-88C77370ADEB} - C:\WINDOWS\system32\mfcya32.dll
O2 - BHO: (no name) - {8F99086A-1ECC-586D-E124-EE5C740E2067} - C:\WINDOWS\system32\mfcyk32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C19B9125-B9FB-3BFD-7568-61F62B879410} - C:\WINDOWS\system32\apisl32.dll
O2 - BHO: (no name) - {CDBFF8B8-534F-BC18-7B33-92AC735C119A} - C:\WINDOWS\system32\ntti32.dll
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javawi.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\System32\WinTitle.dll
O2 - BHO: (no name) - {F81BD8D0-C985-F72A-039B-77B9FB1B7790} - C:\WINDOWS\system32\mfcql.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvppc32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [appak32.exe] C:\WINDOWS\SYSTEM32\appak32.exe
O4 - HKLM\..\Run: [Virus Scan] virusscan.exe
O4 - HKLM\..\Run: [WinMgr32] C:\WINDOWS\System32\winmgr.exe
O4 - HKLM\..\Run: [IPConfig] svcxnv32.exe
O4 - HKLM\..\Run: [javaqg32.exe] C:\WINDOWS\system32\javaqg32.exe
O4 - HKLM\..\Run: [DllCacherv2] C:\WINDOWS\System32\dllcachv1.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\RunOnce: [javadc.exe] C:\WINDOWS\javadc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IPConfig] svcxnv32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Memory Stick Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\googletoolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: newiframe.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: clickspring.net
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: xxxtoolbar.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: private-iframe.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: searchbarcash.com
O15 - Trusted IP range: blazefind.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: 05p.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: mt-download.com
O15 - Trusted IP range: f1organizer.com
O15 - Trusted IP range: scoobidoo.com
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: xxxtoolbar.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: slotch.com
O15 - Trusted IP range: flingstone.com
O15 - Trusted IP range: my-internet.info
O15 - Trusted IP range: searchmiracle.com
O15 - Trusted IP range: clickspring.net
O15 - Trusted IP range: private-dialer.biz
O15 - Trusted IP range: bettersearch.biz
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: pizdato.biz
O15 - Trusted IP range: mt-download.com
O15 - Trusted IP range: vse-moe.biz
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: admin2cash.biz
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: addictivetechnologies.net
O15 - Trusted IP range: addictivetechnologies.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: pizdato.biz
O15 - Trusted IP range: crazywinnings.com
O15 - Trusted IP range: megapornix.com
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: addictivetechnologies.net
O15 - Trusted IP range: sp2[censored]ed.biz
O15 - Trusted IP range: ysbweb.com
O15 - Trusted IP range: private-dialer.biz
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: private-iframe.biz
O15 - Trusted IP range: slotch.com
O15 - Trusted IP range: vse-moe.biz
O15 - Trusted IP range: f1organizer.com
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: ysbweb.com
O15 - Trusted IP range: slotch.com
O15 - Trusted IP range: newiframe.biz
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: mt-download.com
O15 - Trusted IP range: xxxtoolbar.com
O15 - Trusted IP range: addictivetechnologies.com
O15 - Trusted IP range: admin2cash.biz
O15 - Trusted IP range: clickspring.net
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: topconverting.com
O15 - Trusted IP range: bettersearch.biz
O15 - Trusted IP range: sp2[censored]ed.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: megapornix.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: static.topconverting.com
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - Trusted IP range: 05p.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: searchmiracle.com (HKLM)
O15 - Trusted IP range: my-internet.info (HKLM)
O15 - Trusted IP range: mt-download.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: slotch.com (HKLM)
O15 - Trusted IP range: searchbarcash.com (HKLM)
O15 - Trusted IP range: blazefind.com (HKLM)
O15 - Trusted IP range: clickspring.net (HKLM)
O15 - Trusted IP range: xxxtoolbar.com (HKLM)
O15 - Trusted IP range: flingstone.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O15 - Trusted IP range: awmdabest.com (HKLM)
O15 - Trusted IP range: static.topconverting.com (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B457DB9-45CC-4A93-8244-C53209161C2E}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\addzh32.exe (file missing)
-
Could you download ServiceFilter.zip (http://www.bleepingcomputer.com/files/windows/ServiceFilter.zip)
Unzip the contents to a folder
Double-click ServiceFilter.vbs; if you get a prompt from your Anti-Virus, allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved; copy and paste the contents of Post_This.txt in your next reply here.
Please don't restart your computer again after supplying the Post_This.txt
If you do, you will have to supply a new HijackThis log and Post_This.txt
-
Thank you so much for staying with me!
Servicefilter:
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 1, 2005 9:39:20 PM
===> Begin Service Listing <===
Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{f79a1568-d6c5-4c69-a086-936cf52dbbe3}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service # 2
Service Name: TUWinStylerThemeSvc
Display Name: TuneUp WinStyler Theme Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\tuneup utilities 2004\winstylerthemesvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service # 3
Service Name: %AF夶À¨
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\addzh32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
---> End Service Listing <---
There are 77 Win32 services on this machine.
3 were unrecognized.
Script Execution Time: 9.859375 seconds.
-
Let's see what we can clean up, scv8; you have a few problems on your machine.
Possibly a new infection too.
I need you to download a few tools please.
Please try and download them all, I know it seems like a bit, but all are yours for free.
Could you also disable Spy Sweeper's protection until we have you all clean.
Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
Unzip it to that new folder === Open About:Buster and Check for Updates
Don't run a Scan yet
Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later
Download and UNZIP to a folder Hoster by Toadbee (http://members.aol.com/toadbee/hoster.zip)
We'll need this later
Download and Save to desktop
The StandAlone version of CWShredder (http://cwshredder.net/bin/CWShredder.exe)
Don't run it yet
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Ad-Aware may check for updates and run a scan after installing
Allow it to update but don't run a scan at this time
One last download
Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip
Unzip the files to the folder of your choice.
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad
In Notepad click FILE>>>SAVE AS
Important>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, we'll need this later, don't run it yet
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
Please save the rest of this to a Notepad file on the desktop for easy access
You may also want to Print it out so you can use it as a checklist
Disconnect from the Internet>>Including this window
Close down all unnecessary programs running in the background
Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill this process if running
C:\WINDOWS\System32\soft.exe
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?seojz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?seojz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
F2 - REG:system.ini: Shell=Explorer.exe,sysdisk16.exe -shell
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {1C4EA8D2-2AB1-E54D-DA75-3B904D318D63} - C:\WINDOWS\d3qi32.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS\System32\WinSuck.dll
O2 - BHO: (no name) - {5C373BD8-E281-13C6-522B-88C77370ADEB} - C:\WINDOWS\system32\mfcya32.dll
O2 - BHO: (no name) - {8F99086A-1ECC-586D-E124-EE5C740E2067} - C:\WINDOWS\system32\mfcyk32.dll
O2 - BHO: (no name) - {C19B9125-B9FB-3BFD-7568-61F62B879410} - C:\WINDOWS\system32\apisl32.dll
O2 - BHO: (no name) - {CDBFF8B8-534F-BC18-7B33-92AC735C119A} - C:\WINDOWS\system32\ntti32.dll
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javawi.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\System32\WinTitle.dll
O2 - BHO: (no name) - {F81BD8D0-C985-F72A-039B-77B9FB1B7790} - C:\WINDOWS\system32\mfcql.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvppc32.exe
O4 - HKLM\..\Run: [appak32.exe] C:\WINDOWS\SYSTEM32\appak32.exe
O4 - HKLM\..\Run: [Virus Scan] virusscan.exe
O4 - HKLM\..\Run: [WinMgr32] C:\WINDOWS\System32\winmgr.exe
O4 - HKLM\..\Run: [IPConfig] svcxnv32.exe
O4 - HKLM\..\Run: [javaqg32.exe] C:\WINDOWS\system32\javaqg32.exe
O4 - HKLM\..\Run: [DllCacherv2] C:\WINDOWS\System32\dllcachv1.exe
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\RunOnce: [javadc.exe] C:\WINDOWS\javadc.exe
O4 - HKCU\..\Run: [IPConfig] svcxnv32.exe
ALL THE O15 Entries
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\addzh32.exe (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"
C:\WINDOWS\mszn32.dll
C:\WINDOWS\d3qi32.dll
C:\WINDOWS\System32\WinSuck.dll
C:\WINDOWS\system32\mfcya32.dll
C:\WINDOWS\system32\apisl32.dll
C:\WINDOWS\system32\ntti32.dll
C:\WINDOWS\system32\javawi.dll
C:\WINDOWS\System32\WinTitle.dll
C:\WINDOWS\system32\mfcql.dll
c:\windows\system32\kalvppc32.exe
C:\WINDOWS\SYSTEM32\appak32.exe
C:\WINDOWS\System32\winmgr.exe
C:\WINDOWS\System32\soft.exe
C:\WINDOWS\system32\javaqg32.exe
C:\WINDOWS\System32\dllcachv1.exe
C:\WINDOWS\System32\ws2_32s.exe
C:\WINDOWS\javadc.exe
When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
Please Reboot into SAFE MODE at this time
Access your Add/Remove Programs and remove if found
EliteToolBar
Don't restart after removing
Instead
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service <--look carefully, there are others that are similar, but not the exact name
Double click on it--- STOP the service
In the drop down menu, change the startup type to Disabled
It should be stopped and disabled but take a look
Do a search and delete these files in bold if they exist
virusscan.exe
svcxnv32.exe
Go to Start | Run and type regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:
%AF夶À¨ or Network Security Service
If any are listed, right-click that entry and choose Delete.
Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:
LEGACY %AF夶À¨ or LEGACY Network Security Service
If any are listed, right-click the entry and choose Delete.
Exit Registry editor
If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.
Navigate to About:Buster
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time.
Save the log to a convenient location, I will want to see it later. Then hit exit
===Double click on fix.reg you saved to desktop earlier
and Allow it to merge to the Registry
===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
===Open CWShredder and click ONLY the FIX button, let it fix all problems
Restart your computer back to safe mode
======Open Hoster and click the "Restore Original Hosts" and press "OK". Exit Program.
===Open Ad-aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode to finish the cleaning process
Run a scan again with About:buster again and save the log
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
===Look in your C:\Windows\system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder
===Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)
===If you have SPYBOT 1.3 installed
Look for SDHelper.dll in your C:\Program Files\Spybot - Search & Destroy folder
If it's not there download this zip file SDHelper13.zip (http://www.richardthelionhearted.com/~merijn/files/windows/sdhelper13.zip)
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder
You may also want to do an online Virus scan at Trend Micro's>>Set to Autoclean
http://housecall.trendmicro.com/
Do another scan with hijackthis and save the log and post it back here
Also post back with the about:buster logs
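As an added example (not from this thread, and not part of HijackThis), a small Python triage script that applies the same patterns Guestolo's fix list above is built on: IE search/start settings redirected to a res:// page inside a DLL under system32, nameless O2 BHOs dropped in the Windows folder, O4 Run entries with no path, O15 Trusted Zone wildcards, and O23 services whose binary is missing. The sample lines are quoted from the logs in this thread; the rules and thresholds are my own.

```python
"""Flag suspicious HijackThis log lines (added example; the rules are the
editor's reading of the thread, not HijackThis's own detection logic)."""
import re
from dataclasses import dataclass

# Every HJT entry starts with a section code such as R1, F2, O4, O23.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        # Search page served out of a DLL resource under system32 is the
        # about:blank hijacker's hallmark; a plain about:blank is harmless.
        if re.search(r"res://.*\\system32\\[^\\/]+\.dll/", body, re.I):
            return Finding(sec, "IE search setting redirected to res:// DLL page", line)
    elif sec == "O2":
        # Browser Helper Object with no registered name living in C:\WINDOWS
        if "(no name)" in body and re.search(r"C:\\WINDOWS\\", body, re.I):
            return Finding(sec, "nameless BHO in Windows folder", line)
    elif sec == "O4":
        # Run entry that is just a bare filename: nothing says where it lives
        value = body.split("] ", 1)[-1]
        if value and "\\" not in value and not value.startswith('"'):
            return Finding(sec, "Run entry without a path", line)
    elif sec == "O15":
        # Wildcard domains in the Trusted Zone get relaxed IE security settings
        if "Trusted Zone: *." in body:
            return Finding(sec, "wildcard domain in Trusted Zone", line)
    elif sec == "O23":
        if body.endswith("(file missing)"):
            return Finding(sec, "service pointing at missing binary", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Lines quoted from the thread above, one per pattern, each paired with a
# clean entry that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dccwy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1C4EA8D2-2AB1-E54D-DA75-3B904D318D63} - C:\WINDOWS\d3qi32.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Virus Scan] virusscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.iframe.biz
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\addzh32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The script only highlights entries worth a second look; as the thread itself shows, legitimate BHOs and toolbars sit in the same sections, so a flag is a prompt to check the file, not a verdict.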
-
Hi Guestolo,
SCV8 performed the operations you asked, and was able to get back on the net to post the logs when IE closed. He is trying to click on his earthlink connection and when he double clicks on the icon nothing happens. So, he tried to right click on the icon and on the menu it says disconnect even though he is not connected.
How can he fix his connection?
Thank you very much!!
-
Can you let me know to what steps he got to
Can you open up Hijackthis>>View a list of backups
RESTORE only this one
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
RESTART the computer
Does that get you back online?
If not try going into IE's Internet options
Under the Connections tab >>>Click Settings under your connection
Uncheck Use Proxy Server if checked
Restart IE
Does that get you back online?
Is it possible, without too much trouble, to do another scan with Hijackthis and save the log, transfer it to another computer and post the log here
Make sure that when he went into Services.msc he didn't disable anything he didn't have to
There should have been just one service with that exact name to disable if it wasn't done already
If no go
Download and save to a computer
Winsock Fix XP (http://www.spychecker.com/program/winsockxpfix.html)
Transfer it to the other computer, don't run it from a floppy or CD
Shut down all unnecessary programs running in the background
Double click to run Winsock fix and then click the FIX button
Restart the computer
Does that get you back online?
I don't really want to use System Restore, but that may be the next step
-
Guestolo-
I'm back!
Sir, I can not thank you enough!
Here's my new HJT log (I installed my Earthlink total access software to regain my connection setup) and Buster log:
Logfile of HijackThis v1.99.0
Scan saved at 9:06:51 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\RunOnce: [MSAgtCgm] RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\cgminst.inf, RemoveCabinet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B457DB9-45CC-4A93-8244-C53209161C2E}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Buster:
Scanned at: 1:47:32 PM on: 2/2/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16
No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Please let me know what other log I should post.
Thank you so much!
-
Okay, the browser crashed again just after I posted. Here's the new HJT log (I will try to run that online virus scan now):
Logfile of HijackThis v1.99.0
Scan saved at 9:17:15 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvdcd32.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\RunOnce: [MSAgtCgm] RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\cgminst.inf, RemoveCabinet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B457DB9-45CC-4A93-8244-C53209161C2E}: NameServer = 207.69.188.187 207.69.188.186
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
-
Good work. I was worried you removed something you needed
Winsock fix probably would have helped but you figured it out
Could you do me a favor and Restart your computer a couple times and post back a new log
I just want to see if anything changes
EDIT>>>I see things did change
Do the online scan and post back a new log, thanks
scv8>>Please don't remove anything I didn't ask you to remove
I noticed from the log you posted back there were a few entries missing that are legit
Not that you can't uninstall the program or fix it later, but for cleaning purposes ONLY
remove what I ask
Your last log you posted before you got knocked offline
You fixed these legit entries
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Memory Stick Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\googletoolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
All those above items I didn't ask you to fix
Which makes me question what else you fixed and the probable cause of being knocked offline
PLEASE, only fix what I ask, the above items can be restored
-
Guestolo- Thank you for not giving up on me after I failed to follow instructions. I'm working on the online scan (it's taking a while), and will post a new log.
I will restore those legit entries.
I apologize and thank you!
-
No worries scv8, just try not to remove anything with hijackthis that may be legitimate
-
Hi Guestolo,
I was able to stay on long enough to do the Trendmicro virus scan and you're right, there are several Trojans and infected files.
There are a few that it can't delete because it says they are in use. Is there a way to stop them and re scan to delete?
Thank you
-
It's been a few days
Can I please see a fresh Hijackthis log
Do you remember where those files are that couldn't be removed by Trend Micro?