HELP!!!! serious spyware problems!!! (RESOLVED)
-
I'm having serious trojan and malware problems... they're causing giant casino banners to come up on EVERY PAGE I visit, and it's actually embedded in the page itself, not just a pop-up. Plus I get heaps and heaps of pop-ups appearing when I'm online but not visiting any sites... PLEASE HELP!!!
Logfile of HijackThis v1.99.1
Scan saved at 3:25:47 PM, on 23/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VHJldm9y\command.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\windows\winsysban10.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\newfrn.exe
C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\0 downloads\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames10a.exe
O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3123F444-8E75-4814-A341-98918D83B0C0}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHJldm9y\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Last edited by phez_boy; 23-02-2006 at 04:27 AM.
-
Welcome to DAL,
You do not have any Microsoft security updates, and you must have those or we will never get you clean, as you will continually become infected over and over again.
Also, I am not seeing an anti-virus program or any anti-spyware programs.
So go here:
http://update.microsoft.com/windowsu....aspx?ln=en-us
Just get Service Pack 1; do not get Service Pack 2 on an infected computer, as problems will overtake your computer.
After you get Service Pack 1 (ONLY), go to the link below and do everything there:
http://www.d-a-l.com/help/showthread.php?t=32403
Then:
Run the tool below from safe mode, which is also explained below.
Please download, install, and update the NEW free version of the Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on Update in the left menu, then click the Start update button.
- After the update finishes, the status bar at the bottom will display "Update successful".
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one by one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if Ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Now run Ewido and stay with the scanner as it scans your computer, and remove what it finds if you know it is bad.
Post the log Ewido makes back here please, and a new HijackThis log. This will go a long way in cleaning your computer.
-
OK, I've done all that but am still getting some pop-ups, but here are my logs:
EDIT: also I have just noticed that I can't seem to log into my dad's account on the computer; whenever I log off it just opens the log-in box instead of the 2 users... it says the computer is locked.
--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:10:07 PM, 24/02/2006
+ Report-Checksum: 34A66276
+ Scan result:
C:\Program Files\BearShare\Installer\BSINSTALL.exe -> Adware.SaveNow : Ignored
C:\0 downloads\directxSetup.exe -> Worm.VB.an : Cleaned with backup
C:\0 downloads\ErrorSafeFreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Mike\Local Settings\Temp\update.exe -> Downloader.Small.cgy : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\(Hed) Pe - Blackout (2003).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\1Click DVD Copy 4.1.1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\5 Pro Evolution Soccer.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Absolute DVD Copy 1.3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Absolute Uninstaller 1.51.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\ACDSee 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Acronis Privacy Expert Corporate 8.0 B.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Advent Rising (rip).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Ahead DVD Ripper 2.1.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Alive DVD Ripper 1.2.0.9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\All Corel programs+.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\American Chopper.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Aone Movie DVD Maker 1.4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Aone Ultra DVD Creator 1.4.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Attach Plus 2.2.8.19.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Autumn Teen Sound - Someone to Love.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Barry White - Greatest Hits.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Billy Madison.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Blaze Video Magic 2.0.0.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Blindwrite 5.2.10.142.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\BloodRayne 2006.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Boston - Third Stage.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Bulletproof Monk.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\BySoft FreeRAM 4.0.4.256.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Call Of Duty 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Chris Rea - The Best of Chris Rea.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\City of Angels.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Clawfinger - The Biggest And The Best.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\CleanCenter 1.34.89.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Corel Software.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Cracking Tutorials.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Creep (2004).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Deep Purple - Speed King - The Fastest.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Deftones - B-Sides & Rarities (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\DeskCalc TaxPro 3.4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\DFX Audio Enhancer 7.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Digital Audio Editor 4.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\DSPlayer 0.74 - freeware DVD Player.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Complete\Dub war - Pain (1997).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\29ITYDLV\winsysupd9[1].exe -> Downloader.VB.wy : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\5VNVF3A2\gimmygames9[1].exe -> Downloader.VB.ww : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\5VNVF3A2\install[1].exe -> Dropper.Agent.aed : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\5VNVF3A2\winsysban10[1].exe -> Hijacker.VB.ld : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\IM2T5TKY\wallpap[1].exe -> Hijacker.Agent.gp : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\V2F91L33\ErrorSafeFreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\V2F91L33\installerwebnex[1].exe -> Downloader.Qoologic.bh : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\V3Q5OGOI\winsysban9[1].exe -> Hijacker.VB.ld : Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VVE4E3Y5\winsysupd10[1].exe -> Downloader.VB.wg : Cleaned with backup
C:\My downloads\DirectX 9.0c.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\RECYCLER\S-1-5-21-1645522239-113007714-1957994488-1004\Dc27.exe -> Downloader.VB.ww : Cleaned with backup
C:\RECYCLER\S-1-5-21-1645522239-113007714-1957994488-1004\Dc28.exe -> Trojan.VB.ajj : Cleaned with backup
C:\RECYCLER\S-1-5-21-1645522239-113007714-1957994488-1004\Dc37\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\WINDOWS\sys3654.exe -> Downloader.Small.avt : Cleaned with backup
C:\WINDOWS\sys3715.exe -> Downloader.Small.avt : Cleaned with backup
C:\WINDOWS\sys376.exe -> Downloader.Small.avt : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\WINDOWS\winsysban10.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysban2.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysban3.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysban6.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysban7.exe -> Hijacker.VB.le : Cleaned with backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
C:\WINDOWS\winsysban9.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysupd10.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd2.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd3.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd6.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd9.exe -> Downloader.VB.wy : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 9:35:35 PM, on 24/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\winsysban11.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\0 downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.optusnet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames11.exe
O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /scan
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3123F444-8E75-4814-A341-98918D83B0C0}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHJldm9y\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Thanks again.
Last edited by phez_boy; 24-02-2006 at 11:37 AM.
-
Hi,
Did you install an anti-virus program? If not, go get that now please; AVG or Avast are both good and free.
Go into Add/Remove Programs and remove if present:
BearShare
MessengerPlus3---if you installed this program with sponsors
Savenow
Whenusave
REBOOT if anything was removed.
Then click Start -> Run -> type: services.msc
Click the Extended tab.
In the list, look for and double-click: Command Service or (cmdService)
Click once on the service to highlight it.
Click Stop
Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the arrow-down tab on the right-hand side of the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
Run HijackThis -> Config -> Misc Tools -> Delete an NT service
In the box, type or copy/paste: cmdService
then OK.
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Download Clean.bat to your desktop (Save page as or Save as) for later use, to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat
Run HijackThis, click on the Scan button and put checks next to these items:
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames11.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"---Fix if you installed with sponsors
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart---Fix if installed with sponsors
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHJldm9y\command.exe (file missing)
Nothing open but HijackThis, and click on "Fix checked".
Reboot back to safe mode and hunt for and delete if present:
C:\windows\winsysupd11.exe < file
C:\windows\winsysban11.exe < file
C:\windows\gimmygames11.exe < file
C:\Program Files\MessengerPlus! 3 < folder---Delete if you installed with sponsors
C:\Program Files\Common Files\VCClient\VCClient.exe < file
C:\Program Files\Common Files\VCClient\VCMain.exe < file
C:\WINDOWS\VHJldm9y < folder
Now run that clean batch file you created earlier; type 'Y' a couple of times and press Enter at the prompts.
Then:
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
Reboot
Make sure you are set to normal startup: click Start -> Run -> type msconfig -> press Enter -> make sure Startup is set to Normal Startup.
Post a new HJT log for further review.
Also run Ewido again from safe mode and post that log as well as a new HijackThis log. Thanks.
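The review above (and the first reply's) was done by eye: scan the HijackThis log for orphaned hooks, unknown-owner services, Trusted-zone IPs, and numbered droppers in C:\WINDOWS. As an added example, not part of the thread and not a HijackThis feature, here is a small Python script that applies those same checks mechanically. The heuristics, thresholds and function names are my own choices, and the sample log is a constructed excerpt of the 24/02/2006 HijackThis log posted above. Two things it surfaces that the replies do not spell out: the service folder name VHJldm9y is base64 for "Trevor", the profile name that appears throughout the Ewido report, so the adware named its directory after the logged-on user; and every process list on this page contains C:\WINDOWS\svchost.exe next to the System32 copies. The genuine svchost.exe lives in System32, so that line is flagged, but a flag is a prompt to verify the file, not an instruction to delete it.

```python
"""Heuristic triage of a HijackThis v1.99 log.

Added example for this thread; it is not part of the original posts and not a
HijackThis feature.  The heuristics and the sample excerpt are the author's
own choices, constructed from the 24/02/2006 log posted in the thread.
"""
import base64
import re

# Constructed excerpt of the 24/02/2006 HijackThis log from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\svchost.exe
C:\windows\winsysban11.exe
C:\Program Files\iTunes\iTunesHelper.exe
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames11.exe
O15 - Trusted IP range: 67.19.178.84
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHJldm9y\command.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Core Windows binaries that legitimately live in System32 on Windows XP.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
# A drive-letter path up to the first .exe/.dll/.ocx/.js; quotes are excluded.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|js)', re.IGNORECASE)
# A HijackThis entry line: section code (R0, F2, O4, O23, ...), dash, rest.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# winsysban11.exe, gimmygames11.exe: letters+digits names dropped in C:\WINDOWS.
VERSIONED_ROOT_RE = re.compile(r"c:\\windows\\[a-z]+\d+\.exe")


def decode_b64_name(component):
    """Return the plaintext if a path component is base64 of ASCII letters, else None."""
    if len(component) < 8 or len(component) % 4 or not B64_RE.fullmatch(component):
        return None
    try:
        raw = base64.b64decode(component, validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None
    if raw.isascii() and raw.isalpha():
        return raw.decode("ascii")
    return None


def check_path(path):
    """Apply the per-path heuristics; returns a list of human-readable reasons."""
    reasons = []
    parts = path.split("\\")
    name = parts[-1].lower()
    parent = "\\".join(parts[:-1]).lower()
    if name in CORE_BINARIES and not parent.endswith("\\system32"):
        reasons.append(f"core binary name {name} running outside System32")
    if VERSIONED_ROOT_RE.fullmatch(path.lower()):
        reasons.append("versioned executable dropped in the Windows root")
    for comp in parts[1:-1]:                       # directory components only
        decoded = decode_b64_name(comp)
        if decoded:
            reasons.append(f"directory {comp!r} is base64 for {decoded!r}")
    return reasons


def triage(log_text):
    """Walk a HijackThis log; return (line, reason) pairs that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        entry = ENTRY_RE.match(line)
        if entry:
            section, rest = entry.groups()
            if "(no file)" in rest or "(file missing)" in rest:
                reasons.append("entry points at a file that no longer exists (orphaned hook)")
            if section == "O23" and "Unknown owner" in rest:
                reasons.append("service with no publisher string")
            if section == "O15":
                reasons.append("IP address added to the Trusted sites zone")
            if section == "F2" and rest.endswith("Shell="):
                reasons.append("system.ini Shell= value present but empty")
            for path in PATH_RE.findall(rest):
                reasons.extend(check_path(path))
        elif re.match(r"^[A-Za-z]:\\", line):     # a line from "Running processes:"
            reasons.extend(check_path(line))
        findings.extend((line, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and it reproduces the fix list in the reply above: the empty Shell= value, the orphaned BHO, the three numbered executables in C:\WINDOWS, and cmdService three times over (missing file, no owner, base64 directory). The iPodService line and the iTunes Run entry produce nothing, which is the point: the output is a short list to verify by hand, not a deletion list.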
-
I have downloaded AVG virus protection and it has put locks on most of my programs, so I couldn't access them except in safe mode (Ewido included),
but I have done most of what you said and here are my logs:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:06:56 AM, 27/02/2006
+ Report-Checksum: 44CC977D
+ Scan result:
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup
HKU\S-1-5-21-1645522239-113007714-1957994488-1004\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1645522239-113007714-1957994488-1004\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1645522239-113007714-1957994488-1004\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
[700] C:\WINDOWS\system32\kbuser.dll -> Adware.Look2Me : Error during cleaning
[808] C:\WINDOWS\system32\kbuser.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Mike\Local Settings\Temp\i8.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\BearShare\Installer\BSINSTALL.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\system32\cuypt32.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dgiman32.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\en28l1fu1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iMsads.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mfrui.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ogbcp32r.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\VHJldm9y\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\VHJldm9y\command.exe -> Adware.CommAd : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 8:23:18 AM, on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\0 downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\woqwoq.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /scan
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: xqwx.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3123F444-8E75-4814-A341-98918D83B0C0}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\l46o0ej3eho.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\hmcoin.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe
-
Wow, new stuff is showing so let's get busy.
Please download Look2Me-Remover.exe by Atribune to your desktop.
- Close all windows before continuing.
- Double-click Look2Me-Remover.exe to run it.
- Put a check next to Run this program as a task.
- You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK.
- When Look2Me-Remover re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
- Once it's done scanning, click the Remove L2M button.
- You will receive a Done Scanning message; click OK.
- When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shut down your computer. Click OK.
- Your computer will then shut down.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet, please allow it.
If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX
Post the log from the tool above and a new HijackThis log please.
Last edited by Neal; 26-02-2006 at 09:47 PM.
-
All done.
Logfile of HijackThis v1.99.1
Scan saved at 9:02:27 AM, on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\0 downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\woqwoq.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /scan
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: xqwx.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3123F444-8E75-4814-A341-98918D83B0C0}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe
Look2Me-Destroyer V1.0.6
Scanning for infected files.....
Scan started at 27/02/2006 8:47:52 AM
Infected! C:\WINDOWS\system32\l46o0ej3eho.dll
Infected! C:\WINDOWS\system32\hmcoin.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP193\A0031697.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP195\A0033844.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033853.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033857.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033903.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033912.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033957.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033963.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033970.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033971.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033972.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033973.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033974.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033975.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033979.dll
Infected! C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033984.dll
Infected! C:\WINDOWS\system32\dKnim.dll
Infected! C:\WINDOWS\system32\l46o0ej3eho.dll
Infected! C:\WINDOWS\system32\s6pulg7916.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\l46o0ej3eho.dll
C:\WINDOWS\system32\l46o0ej3eho.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP193\A0031697.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP193\A0031697.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP195\A0033844.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP195\A0033844.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033853.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033853.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033857.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033857.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033903.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033903.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033912.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033912.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033957.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033957.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033963.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033963.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033970.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033970.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033971.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033971.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033972.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033972.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033973.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033973.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033974.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033974.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033975.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033975.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033979.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033979.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033984.dll
C:\System Volume Information\_restore{2F422312-6057-4890-B24D-7431AC1DEBE1}\RP196\A0033984.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dKnim.dll
C:\WINDOWS\system32\dKnim.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\l46o0ej3eho.dll
C:\WINDOWS\system32\l46o0ej3eho.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\s6pulg7916.dll
C:\WINDOWS\system32\s6pulg7916.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
-
Good job.
Go look in Add/Remove Programs and uninstall/remove:
Surfsidekick3
Reboot if removed; if it is not there, do this:
To UNINSTALL Surf Sidekick 3, go to Start>>Run and type the following:
"C:\Program Files\SurfSidekick 3\Ssk.exe" /u
Note: (Quotation marks are required)
- Press OK
- REBOOT your system
- Please post a fresh HJT log
Also give me a new Ewido log, thanks.
-
Couldn't remove SurfSideKick either way... it wasn't even in the Add/Remove Programs list.
But here are my new logs:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:19:45 AM, 27/02/2006
+ Report-Checksum: 6B71D50B
+ Scan result:
C:\Documents and Settings\Trevor\Cookies\trevor@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 10:23:28 AM, on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\0 downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\woqwoq.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /scan
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: xqwx.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3123F444-8E75-4814-A341-98918D83B0C0}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe
-
Well, that is strange indeed.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Run HijackThis, click the Scan button and put checks next to these:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\woqwoq.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: xqwx.exe
With nothing open but HijackThis, click Fix checked.
Still in safe mode, hunt for and delete if present:
C:\WINDOWS\System32\woqwoq.exe < file
C:\Program Files\SurfSideKick 3 < folder
xqwx.exe < file
Reboot into normal mode and post a new HijackThis log please.
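The entries the helper singles out in this thread (the orphaned SurfSideKick search hook, the random-named Run and Startup executables, the Winlogon Notify DLLs left by Look2Me, and a "Power Manager" service running an svchost.exe copy from C:\WINDOWS instead of System32) all follow patterns that can be checked mechanically. The script below is an added example, not a tool anyone used in this thread: it parses HijackThis-style R/F/O lines into sections and flags those patterns over a constructed sample assembled from the logs posted above, with a few benign entries (NeroCheck, iPodService, MsgPlusLoader) included for contrast. The heuristics and the THREAD_INDICATORS list are constructed for this illustration from the names the helper called out; they are not a signature database, and "review" findings (such as the missing MSN msgrapp.dll) are meant for a human to confirm, not to be fixed blindly.

```python
"""Triage a HijackThis (v1.99.1-style) log for the entry patterns acted on in
this thread.

Added example, not a tool from the thread: the rules below are heuristics
written for this illustration, and THREAD_INDICATORS is built from the names
the helper called out, not from a vendor signature set.
"""
import re

# Constructed sample: lines copied from the logs posted in the thread, plus
# benign entries (NeroCheck, iPodService, MsgPlusLoader) for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\woqwoq.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: xqwx.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\l46o0ej3eho.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\hmcoin.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe
"""

# Every HijackThis entry is "<section> - <body>"; process list and headers differ.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Names the helper in this thread identified as adware leftovers (constructed list).
THREAD_INDICATORS = ("surfsidekick", "woqwoq.exe", "xqwx.exe")

# Core Windows binaries that legitimately live only under System32; a copy
# elsewhere (here C:\WINDOWS\svchost.exe) is a masquerade.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"


def parse_entries(text):
    """Yield (section, body) for each R/F/O line; process list and headers are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def _image_path(body):
    """Last ' - ' separated field, with any '(file missing)' suffix and quotes removed."""
    return body.split(" - ")[-1].replace("(file missing)", "").strip().strip('"')


def triage(text):
    """Return a list of (section, severity, reason, body) for suspicious entries."""
    findings = []
    for sec, body in parse_entries(text):
        lower = body.lower()
        directory, _, basename = _image_path(body).lower().rpartition("\\")

        if any(ind in lower for ind in THREAD_INDICATORS):
            findings.append((sec, "remove", "matches an indicator named in this thread", body))
        if "(file missing)" in body:
            findings.append((sec, "review", "hook points at a file that no longer exists (orphaned remnant)", body))
        if sec == "O20" and body.startswith("Winlogon Notify") and re.search(r"\d", basename):
            findings.append((sec, "remove", "Winlogon Notify DLL with random-looking name (Look2Me pattern)", body))
        if sec == "O23" and basename in SYSTEM_BINARIES and directory != SYSTEM32:
            findings.append((sec, "remove", "service binary named like a core system file but outside System32", body))
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "review", "service registered without a publisher", body))
        if sec == "O4" and body.startswith("Global Startup:"):
            name = body.split(":", 1)[1].strip()
            if re.fullmatch(r"[\w-]+\.exe", name, re.I):
                findings.append((sec, "remove", "bare executable in the all-users Startup folder", body))
    return findings


def flagged_bodies(text):
    """Set of entry bodies with at least one finding; handy for quick diffs between logs."""
    return {f[3] for f in triage(text)}


if __name__ == "__main__":
    for sec, severity, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {sec}: {reason}\n         {body}")
```

Running the script against a fresh log after each cleanup step is a cheap way to see which findings have actually gone away; in this thread, for instance, the two Winlogon Notify entries disappear between the 8:23 AM and 9:02 AM logs while the SurfSideKick and woqwoq entries persist until the safe-mode fix.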