Two major problems and an HJT log file

fattydq

New Member
When I try to log off, restart, shut down, or do a system restore on my computer, it does not shut down properly. Everything but the background image of my desktop disappears, then nothing happens, and I'm forced to manually turn it off every time.

Also, when I turn my computer on and click login, it takes approximately 5-6 minutes to load the desktop, which is abnormally slow.

I am running a Dell Dimension on Windows XP. Here is my HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 1:54:53 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\Explorer.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\system32\winawd.exe
C:\WINDOWS\system32\winawd.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\gnotify.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\windows\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://spywaresoftstop.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://spywaresoftstop.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...000000&C=1062054000000&D=0&I=6.2B4JU&N=PL&O=I
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\oxafw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ythihhe.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\system32\ipv4mons.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [spoolsvv] C:\windows\system32\spoolsvv.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [0mcamcap] C:\windows\system32\0mcamcap.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\windows\system32\0mcamcap.exe
O4 - HKLM\..\RunOnce: [-322489960] C:\DOCUME~1\Owner\LOCALS~1\Temp\ec7fc5e4.exe delete
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [0mcamcap] C:\windows\system32\0mcamcap.exe
O4 - HKCU\..\Run: [winawd] C:\WINDOWS\system32\winawd.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunOnce: [winawd] C:\WINDOWS\system32\winawd.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1537d41ea5da85f39b05/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{334CE028-5D5E-42CA-BDD2-55BD7C1C723F}: NameServer = 64.136.28.120 64.136.20.120
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SensSrv - C:\windows\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\jt4007hme.dll (file missing)
O20 - Winlogon Notify: s_reg - C:\windows\SYSTEM32\notifysb.dll
O21 - SSODL: JhJgpVETacMn - {ECC73199-466D-9B33-7A6F-E182BFF99B9E} - C:\windows\system32\douv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\windows\system32\dxvwrhqw.exe
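As an added example (not part of the thread, and not a HijackThis feature), here is a small Python triage script that parses the log format above and flags the persistence locations a reviewer looks at first: the system.ini Shell=/UserInit= chain, RunServices and Temp-directory autostarts, AppInit_DLLs, unknown Winlogon Notify packages, SSODL objects, Trusted Zone tampering and start/search pages pointing at local files. The rules are the reviewer's own heuristics, the known-good Winlogon Notify names and accepted search hosts are assumptions, and SAMPLE_LOG is an excerpt of the log just posted.

```python
"""HijackThis log triage (added example; not from the thread and not a
HijackThis feature).

Parses the 'Oxx - ...' / 'Rx - ...' / 'Fx - ...' entries of a 1.99.x log
and flags the persistence locations a reviewer checks first.  Rules are
the reviewer's own heuristics; KNOWN_NOTIFY and KNOWN_SEARCH_HOSTS are
assumptions, not a vendor list.  SAMPLE_LOG is excerpted from the first
log in the thread.
"""
import re

# Winlogon Notify packages normally present on an XP box (assumption).
KNOWN_NOTIFY = {"igfxcui", "crypt32chain", "cryptnet", "cscdll", "scecli",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Hosts accepted as default IE start/search pages (assumption).
KNOWN_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")
DOUBLE_EXE_RE = re.compile(r"\.exe\S+\.exe", re.I)


def _flag_entry(section, body):
    """Yield (severity, reason) for one parsed entry."""
    low = body.lower()
    missing = "(file missing)" in low or "(no file)" in low

    if section == "F2":
        # system.ini Shell= / UserInit= should name only Explorer.exe / userinit.exe;
        # anything chained after them runs at every logon.
        value = body.split("=", 1)[1] if "=" in body else ""
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if len(parts) > 1:
            yield "high", "extra executable chained into Shell/UserInit: " + ", ".join(parts[1:])
    elif section == "O4":
        target = body.split("]", 1)[1].strip() if "]" in body else body
        if "runservices" in low:
            yield "high", "RunServices autostart (Win9x-era key, not used by legitimate XP software)"
        if DOUBLE_EXE_RE.search(target):
            yield "high", "double .exe in autostart target"
        if "\\temp\\" in low:
            yield "high", "autostart launched from a Temp directory"
        if "\\" not in target and not missing:
            yield "medium", "bare filename, resolved by PATH search rather than a fixed location"
    elif section == "O20" and low.startswith("appinit_dlls"):
        # Every DLL listed here is loaded into each process that maps user32.dll.
        yield "high", "AppInit_DLLs injection list is non-empty"
    elif section == "O20" and low.startswith("winlogon notify"):
        name = body.split(":", 1)[1].split("-", 1)[0].strip()
        if name.lower() not in KNOWN_NOTIFY:
            yield "high", "unknown Winlogon Notify package '%s' (code runs inside winlogon.exe)" % name
    elif section == "O21":
        yield "high", "ShellServiceObjectDelayLoad entry, loaded by Explorer at every logon"
    elif section == "O15":
        yield "high", "Trusted Zone / Trusted IP range / ProtocolDefaults tampering"
    elif section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower().startswith(("c:\\", "file:")):
            yield "high", "IE start/search page points at a local file: " + value
        elif value and not any(h in value.lower() for h in KNOWN_SEARCH_HOSTS):
            yield "medium", "IE start/search page redirected to " + value
    if missing:
        yield "low", "orphaned entry, the referenced file is already gone"


def triage(log_text):
    """Return a list of {'severity', 'section', 'reason', 'line'} for flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.group(1), m.group(2)
        for severity, reason in _flag_entry(section, body):
            findings.append({"severity": severity, "section": section,
                             "reason": reason, "line": raw.strip()})
    return findings


def count_by_severity(findings):
    """Summarise findings as {'high': n, 'medium': n, 'low': n}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Excerpt of the first log posted above (real lines from the thread, not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\windows\System32\smss.exe
C:\WINDOWS\system32\winawd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\oxafw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ythihhe.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunOnce: [-322489960] C:\DOCUME~1\Owner\LOCALS~1\Temp\ec7fc5e4.exe delete
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3072.exe
O15 - Trusted Zone: *.awmdabest.com
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\jt4007hme.dll (file missing)
O21 - SSODL: JhJgpVETacMn - {ECC73199-466D-9B33-7A6F-E182BFF99B9E} - C:\windows\system32\douv.dll
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f["severity"])):
        print("%-6s %-3s %s\n       %s" % (f["severity"], f["section"], f["reason"], f["line"]))
    print(count_by_severity(results))
```

The script does not decide what is malicious; it orders the log so that the entries that run code at every logon (F2, O20, O21, RunServices) are read before the cosmetic ones. On the excerpt it leaves the Musicmatch tray and the igfxcui Notify package alone and flags everything else, which matches the order in which the helper tackles the thread.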
 
This is a bit of a mess; it'll take a few posts to clean up. Start with this.

Download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (Right-click on this link and choose Save As; if using IE, Save Target As.)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, then close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted, please post another HijackThis log.
 
I did everything you said. The computer didn't restart properly when it asked me to click Yes to restart, so I manually turned it off and then on again (as I described above). I ran another HijackThis scan, and here is the log file that you asked for.

Logfile of HijackThis v1.99.1
Scan saved at 7:55:33 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\wuauclt.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsvv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\0mcamcap.exe
C:\WINDOWS\system32\vxgame6.exe3072.exe
C:\WINDOWS\system32\winawd.exe
C:\WINDOWS\system32\winawd.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://spywaresoftstop.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://spywaresoftstop.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...000000&C=1062054000000&D=0&I=6.2B4JU&N=PL&O=I
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\system32\ipv4mons.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [spoolsvv] C:\windows\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [0mcamcap] C:\windows\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\windows\system32\0mcamcap.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [tdttx] C:\windows\system32\xojbwc.exe reg_run
O4 - HKCU\..\Run: [0mcamcap] C:\windows\system32\0mcamcap.exe
O4 - HKCU\..\Run: [winawd] C:\WINDOWS\system32\winawd.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunOnce: [winawd] C:\WINDOWS\system32\winawd.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1537d41ea5da85f39b05/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SensSrv - C:\windows\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\jt4007hme.dll (file missing)
O20 - Winlogon Notify: s_reg - C:\windows\SYSTEM32\notifysb.dll
O21 - SSODL: JhJgpVETacMn - {ECC73199-466D-9B33-7A6F-E182BFF99B9E} - C:\windows\system32\douv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\windows\system32\dxvwedhi.exe
 
Download, install, update and scan your system with the free version of Ewido Security Suite:
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido and boot into safe mode:

Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


Now open Ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Please restart normally, then paste the contents of the text file to this thread, along with a new HijackThis log.
 
The two problems are solved after running Ewido! Thank you SO much! Here's the HijackThis log just in case... it wouldn't let me post the Ewido report because it's too many characters...


Logfile of HijackThis v1.99.1
Scan saved at 1:51:02 AM, on 7/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Juno\exec.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\gnotify.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\windows\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://spywaresoftstop.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://spywaresoftstop.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...000000&C=1062054000000&D=0&I=6.2B4JU&N=PL&O=I
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\system32\ipv4mons.dll (file missing)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1537d41ea5da85f39b05/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{334CE028-5D5E-42CA-BDD2-55BD7C1C723F}: NameServer = 64.136.28.122 64.136.20.122
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\jt4007hme.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: JhJgpVETacMn - {ECC73199-466D-9B33-7A6F-E182BFF99B9E} - C:\windows\system32\douv.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
 
Run HijackThis, select "Do a system scan only", and place a check by the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://spywaresoftstop.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://spywaresoftstop.com/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\system32\ipv4mons.dll (file missing)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\jt4007hme.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: JhJgpVETacMn - {ECC73199-466D-9B33-7A6F-E182BFF99B9E} - C:\windows\system32\douv.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)


Close all open windows and browsers, and hit "Fix Checked".

Reboot and post a new Hijackthis log.
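What the reply above does by eye, checking the post-Ewido log against the previous one and picking out the entries that now read "(file missing)" or "(no file)" for "Fix Checked", can be automated. The following Python script is an added example, not part of the thread and not a HijackThis feature: it keys each entry on the part of the line that survives a file disappearing (the CLSID, the [name] of an O4 value, or the Winlogon Notify package name; these key rules are the reviewer's own assumptions) and sorts the two logs into entries removed, entries added, orphaned registry values and entries still live. BEFORE and AFTER are excerpts of the 28 June and 2 July logs above.

```python
"""Before/after comparison of two HijackThis logs (added example; not part of
the thread and not a HijackThis feature).

Separates what a cleanup pass actually removed from what merely lost its
file: an entry whose target is now '(file missing)' or '(no file)' is a dead
registry value that HijackThis can delete, while an entry that survives with
its file intact is still live and needs a removal tool.  BEFORE/AFTER are
excerpts of the second and third logs above; the key rules are the reviewer's
own assumptions about which part of a line identifies the entry.
"""
import re

ENTRY_RE = re.compile(r"^[ORF]\d+ - ")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)")


def entry_key(line):
    """Identity of an entry that stays stable when its file disappears.

    HijackThis shortens the path of a missing file to a bare name, so the
    key uses the CLSID, the [name] of an O4 value or the Notify package
    name instead of the path.
    """
    section, _, body = line.partition(" - ")
    m = CLSID_RE.search(body)
    if m:
        kind = body.split(":", 1)[0]  # BHO / Toolbar / SSODL / Extra button ...
        return "%s|%s|%s" % (section, kind, m.group(0).upper())
    if section == "O4" and "]" in body:
        return "%s|%s]" % (section, body.split("]", 1)[0])
    if section == "O20" and body.startswith("Winlogon Notify:"):
        return "%s|%s" % (section, body.split(" - ", 1)[0])
    return "%s|%s" % (section, MISSING_RE.sub("", body))


def is_missing(line):
    """True when HijackThis reports the entry's file as gone."""
    return MISSING_RE.search(line) is not None


def parse_log(text):
    """Return (running processes as a lower-cased set, {entry_key: line})."""
    procs, entries = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            procs.add(line.lower())
        elif ENTRY_RE.match(line):
            entries[entry_key(line)] = line
    return procs, entries


def compare(before_text, after_text):
    """Classify every entry and process of the two logs."""
    b_procs, b_entries = parse_log(before_text)
    a_procs, a_entries = parse_log(after_text)
    report = {
        "entries_removed": sorted(b_entries[k] for k in b_entries.keys() - a_entries.keys()),
        "entries_added": sorted(a_entries[k] for k in a_entries.keys() - b_entries.keys()),
        "orphaned": [],    # file gone, registry value left behind: fix with HijackThis
        "still_live": [],  # file and value both present: the cleanup did not touch it
        "processes_gone": sorted(b_procs - a_procs),
        "processes_new": sorted(a_procs - b_procs),
    }
    for k in sorted(b_entries.keys() & a_entries.keys()):
        after = a_entries[k]
        if is_missing(after) and not is_missing(b_entries[k]):
            report["orphaned"].append(after)
        elif not is_missing(after):
            report["still_live"].append(after)
    return report


# Excerpts of the 28 June (before Ewido) and 2 July (after Ewido) logs above.
BEFORE = r"""
Running processes:
C:\windows\system32\spoolsvv.exe
C:\WINDOWS\system32\vxgame6.exe3072.exe
C:\windows\Explorer.EXE

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [spoolsvv] C:\windows\system32\spoolsvv.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3072.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O15 - Trusted Zone: *.awmdabest.com
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: SensSrv - C:\windows\SYSTEM32\senssrv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\windows\system32\dxvwedhi.exe
"""

AFTER = r"""
Running processes:
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\windows\Explorer.EXE

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O15 - Trusted Zone: *.awmdabest.com
O20 - AppInit_DLLs: inicfg32.dll,mad.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

if __name__ == "__main__":
    for bucket, lines in compare(BEFORE, AFTER).items():
        print(bucket)
        for line in lines:
            print("   ", line)
```

The "still_live" bucket is the useful one: an O4 RunServices value, an O15 Trusted Zone and a populated AppInit_DLLs list all survived the scanner with their targets intact, which is exactly why the thread needs further passes after Ewido rather than a single "Fix Checked".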
 
Sorry for the long delay, I was on vacation :)


Logfile of HijackThis v1.99.1
Scan saved at 12:15:36 AM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\windows\Explorer.EXE
C:\windows\System32\svchost.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\windows\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&...000000&C=1062054000000&D=0&I=6.2B4JU&N=PL&O=I
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1537d41ea5da85f39b05/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{334CE028-5D5E-42CA-BDD2-55BD7C1C723F}: NameServer = 64.136.28.122 64.136.20.122
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
 
Ok, almost done. :)

Run HijackThis, select "Do a system scan only", and place a check by the following entries.

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)


Close all open windows and browsers, and hit "Fix Checked".

Please download E2TakeOut by RubbeR DuckY from here:

http://www.malwarebytes.org/E2TakeOut.zip

* Extract the file to your Desktop
* Double click E2TakeOut.exe
* Click the Begin Removal button
* Wait until the program is finished scanning
* Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
* Reboot your computer
* Once your computer has rebooted E2TakeOut will open and produce a report
* Please copy/paste that report into your next reply, along with a new Hijackthis log.
 