
ZipZapPromos isn't going away

Discussion in 'Malware and Virus Removal Archive' started by llittle16, 2005/03/24.

  1. 2005/03/24
    llittle16

    I have run Spybot and Ad-Aware SE, and I have also tried Microsoft's AntiSpyware, but nothing seems to remove it. I even tried following the examples shown here in another post, which was a big mistake because I ended up changing my hardware profile and had to call Microsoft to reactivate my Windows XP :eek:

    After that I have been reluctant to do anything else on my own :confused:

    I hope that someone will be able to direct me on how to remove this dialer malware. After rerunning Spybot and Ad-Aware SE I ran HijackThis; below is a copy of my log :)

    Logfile of HijackThis v1.99.1
    Scan saved at 10:02:27 AM, on 3/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\Program Files\Ahead\InCD\InCDsrv.exe
    D:\WINNT\system32\spoolsv.exe
    D:\Program Files\EPSON\ESM2\eEBSVC.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINNT\system32\nvsvc32.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\btc mouse\BWheel35.exe
    D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    D:\Program Files\Ahead\InCD\InCD.exe
    D:\Program Files\NetZero\exec.exe
    D:\WINNT\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\QUICKENW\QWDLLS.EXE
    D:\Program Files\CallWave\IAM.exe
    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\NetZero\exec.exe
    D:\Program Files\NetZero\qsacc\x1exec.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Leonard little\My Documents\kill\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.a.websponsors.com;*.cdn.clickagents.com;*.images.trafficmp.com;*.mezi2.hit-logo-ringtone.com;*.zipzappromos.com;64.136.29.30;64.136.21.30;64.136.29.34;a.websponsors.com;cdn.clickagents.com;images.trafficmp.com;mezi2.hit-logo-ringtone.com;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;zipzappromos.com;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Leonard little\Application Data\Mozilla\Profiles\default\b2kucou5.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - D:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [plhsqcmfizwt] D:\WINNT\system32\hupstlqk.exe
    O4 - HKLM\..\Run: [P2P Networking] D:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LWBMOUSE] D:\btc mouse\BWheel35.exe
    O4 - HKLM\..\Run: [KEMailKb] D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    O4 - HKLM\..\Run: [ivrrzbomqu] D:\WINNT\System32\hupstlqk.exe
    O4 - HKLM\..\Run: [IS CfgWiz] D:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [intdctrr] D:\WINNT\system32\idctup20.exe
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKCU\..\Run: [NetZero_uoltray] D:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ZwpFRXc5R] wmnshl.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msmc] D:\WINNT\system32\msedpb.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\RunOnce: [untd_recovery] "D:\Program Files\NetZero\qsacc\x1exec.exe"
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: EPSON Background Monitor.lnk = D:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EAA0963-47A0-408C-9456-7E99EA78A65B}: NameServer = 64.136.28.120 64.136.20.120
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
    O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: %NVSVC.desc% (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe

    PS. I'm not using AOL on my computer any more but have been unable to remove all of their registry entries.
    TIA for your help
     
  2. 2005/03/24
    noahdfear

    Open HijackThis to the Misc Tools section, click the Delete an NT Service button, type or paste in AOL ACS and click OK. Click back and scan. Place a check next to the following entries and, with all other windows closed, click fix.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.a.websponsors.com;*.cdn.clickagents.com;*.images.trafficmp.com;*.mezi2.hit-logo-ringtone.com;*.zipzappromos.com;64.136.29.30;64.136.21.30;64.136.29.34;a.websponsors.com;cdn.clickagents.com;images.trafficmp.com;mezi2.hit-logo-ringtone.com;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;zipzappromos.com;<local>
    O4 - HKLM\..\Run: [plhsqcmfizwt] D:\WINNT\system32\hupstlqk.exe
    O4 - HKLM\..\Run: [P2P Networking] D:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [ivrrzbomqu] D:\WINNT\System32\hupstlqk.exe
    O4 - HKLM\..\Run: [intdctrr] D:\WINNT\system32\idctup20.exe
    O4 - HKCU\..\Run: [ZwpFRXc5R] wmnshl.exe <<< probably in the system32 folder, if present....
    O4 - HKCU\..\Run: [msmc] D:\WINNT\system32\msedpb.exe

    Reboot and delete the files and folder in red above if present.

    Scan again with HJT and post a new log.

    Please download the List Installed Programs script from here, run it and post its log.
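The entries picked out in the reply above follow a pattern that can be checked mechanically: a ProxyServer pointing at 127.0.0.1 (every browser request passes through a local process first), a ProxyOverride stuffed with the adware's own hosts so their traffic bypasses that proxy, and Run values with machine-generated names, two of which launch the same hupstlqk.exe. The Python script below is an added example, not a tool used in this thread; it applies those checks to lines taken from the first log (ProxyOverride abridged). The name heuristic (vowel ratio and consonant runs), the adware host list and the set of bare filenames treated as normal are assumptions tuned to this log.

```python
"""HijackThis log triage: an added example, not a tool used in this thread.

Checks R1 proxy settings and O4 Run values for the patterns picked out in
the reply above. The output is a list of reasons for an analyst to review,
not a verdict.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the first HijackThis log in the thread
# (ProxyOverride abridged), with benign entries kept in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.a.websponsors.com;*.cdn.clickagents.com;*.zipzappromos.com;64.136.29.30;127.0.0.1;localhost;*windowsupdate.microsoft.com;zipzappromos.com;<local>
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [plhsqcmfizwt] D:\WINNT\system32\hupstlqk.exe
O4 - HKLM\..\Run: [P2P Networking] D:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ivrrzbomqu] D:\WINNT\System32\hupstlqk.exe
O4 - HKLM\..\Run: [intdctrr] D:\WINNT\system32\idctup20.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZwpFRXc5R] wmnshl.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msmc] D:\WINNT\system32\msedpb.exe
"""

# Hosts the adware added to ProxyOverride; all appear in the log above.
ADWARE_HOSTS = ("zipzappromos.com", "websponsors.com", "clickagents.com",
                "trafficmp.com", "hit-logo-ringtone.com")
# Bare filenames that are normal in a Run value (assumption: only rundll32).
NORMAL_BARE = {"rundll32.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
R1_RE = re.compile(r'^R1 - .*Internet Settings,(?P<key>ProxyServer|ProxyOverride) = (?P<val>.*)$')
# First executable on a command line: a quoted path, or an unquoted one up to its extension.
TARGET_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+?(?:\s\S+?)*?\.(?:exe|dll|com|scr|bat|cmd)))', re.I)


def looks_random(name):
    """Heuristic: almost no vowels, or a run of 7+ consonants.
    Short names and all-caps abbreviations (MSMSGS) are not scored."""
    if name.isupper():
        return False
    letters = re.sub(r'[^a-z]', '', name.split('.')[0].lower())
    if len(letters) < 6:
        return False
    longest_run = max(map(len, re.findall(r'[^aeiouy]+', letters)), default=0)
    vowel_ratio = sum(c in 'aeiouy' for c in letters) / len(letters)
    return longest_run >= 7 or vowel_ratio < 0.15


def target_of(cmd):
    """Executable launched by a Run value's command line."""
    cmd = cmd.strip()
    m = TARGET_RE.match(cmd)
    if m:
        return m.group('q') or m.group('u')
    return cmd.split()[0] if cmd else ''


def triage(log_text):
    """Return {entry: [reasons]} for every R1/O4 line that trips a rule."""
    findings = defaultdict(list)
    targets = defaultdict(list)          # lower-cased target path -> Run value names
    for line in log_text.splitlines():
        r1 = R1_RE.match(line)
        if r1:
            key, val = r1.group('key'), r1.group('val')
            if key == 'ProxyServer' and re.search(r'127\.0\.0\.1|localhost', val):
                findings[key].append('browser traffic routed through a local proxy: ' + val)
            if key == 'ProxyOverride':
                hits = [h for h in ADWARE_HOSTS if h in val]
                if hits:
                    findings[key].append('adware hosts exempted from the proxy: ' + ', '.join(hits))
            continue
        o4 = O4_RE.match(line)
        if not o4:
            continue
        name, target = o4.group('name'), target_of(o4.group('cmd'))
        base = target.replace('/', '\\').rsplit('\\', 1)[-1]
        bare = '\\' not in target and ':' not in target
        in_system32 = '\\system32\\' in target.lower()
        targets[target.lower()].append(name)
        if looks_random(name):
            findings[name].append('value name looks machine-generated')
        if (bare or in_system32) and looks_random(base):
            findings[name].append('target name looks machine-generated: ' + base)
        if bare and base.lower() not in NORMAL_BARE:
            findings[name].append('bare filename, resolved through the search path: ' + target)
    for names in targets.values():
        if len(names) > 1:               # two Run values re-launching one binary
            for n in names:
                findings[n].append('same target as ' + ', '.join(x for x in names if x != n))
    return dict(findings)


if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print('   -', reason)
```

Run on the sample, it flags ProxyServer, ProxyOverride, plhsqcmfizwt, ivrrzbomqu, intdctrr and ZwpFRXc5R. It does not flag msmc (msedpb.exe) or P2P Networking, both of which the reply above removes: name heuristics catch long random strings but not short ones or names that are known bad from experience, so the output is a starting point for review rather than a replacement for it.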
     


  4. 2005/04/05
    llittle16

    Sorry it takes me so long to respond; I can only work on this on my good days because of a major disability. I hope that is not a problem. Thanks for your help so far. I have followed the previous instructions and these are the resulting logs.

    hijack this
    Logfile of HijackThis v1.99.1
    Scan saved at 12:13:22 PM, on 4/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\Program Files\Ahead\InCD\InCDsrv.exe
    D:\WINNT\system32\spoolsv.exe
    D:\Program Files\EPSON\ESM2\eEBSVC.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINNT\system32\nvsvc32.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\btc mouse\BWheel35.exe
    D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    D:\Program Files\Ahead\InCD\InCD.exe
    D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    D:\Program Files\NetZero\exec.exe
    D:\WINNT\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\QUICKENW\QWDLLS.EXE
    D:\Program Files\CallWave\IAM.exe
    D:\Program Files\NetZero\exec.exe
    D:\Program Files\NetZero\qsacc\x1exec.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\PROGRA~1\WINZIP\winzip32.exe
    D:\WINNT\system32\NOTEPAD.EXE
    D:\Documents and Settings\Leonard little\My Documents\kill\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.a.websponsors.com;*.cdn.clickagents.com;*.images.trafficmp.com;*.mezi2.hit-logo-ringtone.com;*.zipzappromos.com;64.136.29.30;64.136.21.30;64.136.29.34;a.websponsors.com;cdn.clickagents.com;images.trafficmp.com;mezi2.hit-logo-ringtone.com;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;zipzappromos.com;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Leonard little\Application Data\Mozilla\Profiles\default\b2kucou5.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - D:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LWBMOUSE] D:\btc mouse\BWheel35.exe
    O4 - HKLM\..\Run: [KEMailKb] D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    O4 - HKLM\..\Run: [IS CfgWiz] D:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKCU\..\Run: [NetZero_uoltray] D:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\RunOnce: [untd_recovery] "D:\Program Files\NetZero\qsacc\x1exec.exe"
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: EPSON Background Monitor.lnk = D:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EAA0963-47A0-408C-9456-7E99EA78A65B}: NameServer = 64.136.20.121 64.136.28.121
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
    O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: %NVSVC.desc% (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe

    List installed programs
    INSTALLED SOFTWARE (92) - LEO - 4/5/2005 12:12:15 PM

    Ad-Aware SE Personal
    Adobe Download Manager 2.0 (Remove Only) Ver: 2.0
    Adobe Reader 7.0 Ver: 7.0.0 Installed: 3/10/2005
    Ahead InCD EasyWrite Reader
    Broadxent V.92 PCI Value DI3652-2
    CallWave Internet Answering Machine (remove only)
    CloneCD
    DivX Codec
    DivX Player
    eMule
    EPSON Status Monitor 2 Ver: 2.5.0200 Installed: 6/22/2004
    EPSON Status Monitor 2 Ver: 2.5.0200 Installed: 6/22/2004
    gfekaibqjz
    Google Toolbar for Internet Explorer
    Hercules Windows 2000/XP Display Drivers
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard Ver: 1.1.1905.1 Installed: 4/12/2004
    HijackThis 1.99.1 Ver: 1.99.1
    InCD
    Internet Explorer Exception pack
    Internet Explorer ReadMe
    ItsDeductible Express Ver: 1.00.0000 Installed: 2/10/2005
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Web Start
    KEMailKb
    KeyMaestro Mouse Driver
    LiveReg (Symantec Corporation) Ver: 2.4.1.2056
    Macromedia Shockwave Player
    Mah Jong Quest Installed: 03/27/2005
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 2/14/2005
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft AntiSpyware Ver: 1.0 Installed: 1/20/2005
    Microsoft Data Access Components KB870669
    Microsoft Office Professional Edition 2003 Ver: 11.0.5614.0 Installed: 10/13/2003
    Microsoft Windows Journal Viewer Ver: 1.5.2315.3 Installed: 11/4/2003
    MSN Messenger 6.2 Ver: 6.2.0137 Installed: 9/21/2004
    Nero BurnRights
    Nero Media Player
    Nero OEM
    Nero PhotoShow Express Ver: 3.0
    NeroVision Express 3 SE
    Netscape (7.1)
    NetZero Ver: NetZero QuickStart 7
    NetZero Connection Wizard
    NetZero HiSpeed (remove only)
    Neverwinter Nights
    Norton AntiSpam Ver: 2004.1.0.147 Installed: 2/15/2004
    Norton AntiSpam Ver: 2004.1.0.147 Installed: 2/15/2004
    Norton Internet Security Ver: 7.0.0.177 Installed: 2/15/2004
    Norton Internet Security Ver: 7.0.0.177 Installed: 2/15/2004
    PhotoFlair Ver: 2.2.0.1 Installed: 11/4/2003
    PhotoParade Player
    PowerDVD
    Quicken 2002 Deluxe
    QuickTime
    Real Pool
    RealArcade
    RealPlayer
    Registry Mechanic Ver: 2.1
    Shockwave
    Shockwave Flash
    Spybot - Search & Destroy 1.3 Ver: 1.3
    TurboTax Deluxe 2003
    TurboTax Deluxe 2004
    Tweak UI
    WebFldrs XP Ver: 9.50.5318 Installed: 2/16/2004
    Webshots!
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB885884 Ver: 20040924.025457
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB887742 Ver: 20041103.095002
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319
    WinRAR archiver
    WinZip Ver: 9.0 (6028)
    Yahoo! Internet Mail
    Yahoo! Messenger Ver: 5.5
    Yahoo! Toolbar
    ywpkhbaig

    TIA
     
  5. 2005/04/05
    noahdfear

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it, paste in ywpkhbaig and click OK. When WordPad opens, copy that back here please. Do another search for gfekaibqjz and post that log also.
     
  6. 2005/04/14
    llittle16

    Zipzappromo

    Here are the results of both searches.

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "ywpkhbaig" 4/14/2005 3:24:17 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ywpkhbaig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ywpkhbaig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ywpkhbaig]
    "UninstallString"="d:\\winnt\\system32\\ywpkhbaig.exe -uninstall"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ywpkhbaig]
    "DisplayName"="ywpkhbaig"

    [HKEY_USERS\S-1-5-21-1060284298-1343024091-2146919059-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
    "j"="d:\\winnt\\system32\\ywpkhbaig.exe\\1"

    [HKEY_USERS\S-1-5-21-1060284298-1343024091-2146919059-1000\Software\Resplendence Sp\Registrar Lite\Settings]
    "LastOpenedKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ywpkhbaig\\\\UninstallString"

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "gfekaibqjz" 4/14/2005 3:31:39 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gfekaibqjz]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gfekaibqjz]
    "UninstallString"="d:\\winnt\\system32\\gfekaibqjz.exe -uninstall"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gfekaibqjz]
    "DisplayName"="gfekaibqjz"

    [HKEY_USERS\S-1-5-21-1060284298-1343024091-2146919059-1009\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "D:\\winnt\\system32\\gfekaibqjz.exe"="gfekaibqjz"

    TIA
     
    Last edited: 2005/04/14
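The two RegSrch results above mix three kinds of hits: keys that belong to the dropper (its Uninstall and ARPCache entries), values elsewhere that merely name it (RunMRU holds the Start > Run history, MUICache records programs that have run under that profile, and the Registrar Lite setting is that registry editor's own last-opened key), and the file paths those values point at. The Python below is an added example, not part of the thread or of the batch file posted later; it parses .reg-style RegSrch output into a removal plan. The sample input is the posted output with its spacing normalized to .reg syntax, and the rule that a key "belongs" to the dropper when its last component is the searched-for name is an assumption.

```python
"""Turn RegSrch.vbs output (REGEDIT4 fragments) into a removal plan.
Added example; not a tool from this thread."""
import re

# Constructed sample: the two RegSrch results posted above, spacing normalized.
SAMPLE = r'''REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "ywpkhbaig" 4/14/2005 3:24:17 AM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ywpkhbaig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ywpkhbaig]
"UninstallString"="d:\\winnt\\system32\\ywpkhbaig.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ywpkhbaig]
"DisplayName"="ywpkhbaig"

[HKEY_USERS\S-1-5-21-1060284298-1343024091-2146919059-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"j"="d:\\winnt\\system32\\ywpkhbaig.exe\\1"

[HKEY_USERS\S-1-5-21-1060284298-1343024091-2146919059-1000\Software\Resplendence Sp\Registrar Lite\Settings]
"LastOpenedKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ywpkhbaig\\\\UninstallString"

REGEDIT4
; Registry search results for string "gfekaibqjz" 4/14/2005 3:31:39 AM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gfekaibqjz]
"UninstallString"="d:\\winnt\\system32\\gfekaibqjz.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gfekaibqjz]
"DisplayName"="gfekaibqjz"

[HKEY_USERS\S-1-5-21-1060284298-1343024091-2146919059-1009\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"D:\\winnt\\system32\\gfekaibqjz.exe"="gfekaibqjz"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+?\.exe', re.I)   # drive-letter path up to .exe


def unescape(s):
    """Undo .reg string escaping: strip the quotes, \\\\ -> \\ and \\" -> "."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)


def parse_regsrch(text):
    """Yield (key, name, data); a key line yields (key, None, None)."""
    key = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            yield key, None, None
            continue
        vm = VAL_RE.match(line)
        if vm and key:
            yield key, unescape(vm.group('name')), unescape(vm.group('data'))


def removal_plan(text, terms):
    """Split the hits into keys owned by the dropper, stale references to it
    elsewhere, and the files its values point at."""
    terms = {t.lower() for t in terms}
    keys, refs, files = set(), [], set()
    for key, name, data in parse_regsrch(text):
        if key.rsplit('\\', 1)[-1].lower() in terms:
            keys.add(key)                       # whole key is the dropper's
        elif name is not None:
            refs.append((key, name))            # someone else's key naming it
        for field in (name or '', data or ''):
            for path in PATH_RE.findall(field):
                files.add(path.lower())
    return {'delete_keys': sorted(keys), 'stale_refs': refs, 'files': sorted(files)}


if __name__ == '__main__':
    plan = removal_plan(SAMPLE, ['ywpkhbaig', 'gfekaibqjz'])
    for section, items in plan.items():
        print(section)
        for item in items:
            print('   ', item)
```

On the sample this yields three keys to delete, two files under system32, and three stale references. Both UninstallString values run the dropper executable itself with a -uninstall switch; nothing on the page says what that switch does, so the plan lists keys and files for removal by hand rather than invoking it. The stale references are evidence the files ran under that profile and can be cleared once the files are gone; removing the whole RunMRU or MUICache key is unnecessary.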
  7. 2005/04/14
    noahdfear

    Download the RemInstAccXP.zip file attached to this post and save it to your desktop. If it saves as attachment.php, right click and rename it to RemInstAccXP.zip. You may need to enable viewing extensions for known file types to see the zip and php extensions. To do that, open My Computer and click Tools on the menu, then Folder Options. Click the View tab of the window that opens, uncheck the box to Hide extensions...... and click OK. Now right click the zip and extract the RemInstAccXP.bat file to your desktop. Note to others: the attachment was written specifically for this machine. Please do not use it if you have ZipZap popups too. Start your own thread and someone will gladly assist you.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Either reboot and repeatedly tap F8 to enable the start menu, then select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Double click the RemInstAccXP.bat file to run.

    Scan again with HijackThis, place a check next to the following entries and click fix.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/ <<< This is OK not to fix if you set this as your homepage
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.a.websponsors.com;*.cdn.clickagents.com;*.images.trafficmp.com;*.mezi2.hit-logo-ringtone.com;*.zipzappromos.com;64.136.29.30;64.136.21.30;64.136.29.34;a.websponsors.com;cdn.clickagents.com;images.trafficmp.com;mezi2.hit-logo-ringtone.com;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;zipzappromos.com;<local>

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.


    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log. Let us know if the popups have stopped.
     
  8. 2005/04/15
    llittle16

    viruses found

    Here is the report from RAV. I still have ZipZap and ringtone ads popping up.
    When I ran HijackThis in safe mode the R1 entries were not shown on the scan, so I couldn't check any boxes. Also, my system is a little different from normal: the operating system is on the D: drive instead of C:. I don't think that should affect anything, but I wanted to mention it. I ran the disk cleanup on both the C: and D: drives before rebooting from safe mode, and I have not re-enabled the restore function yet. Anyway, here are the logs.

    RAV
    Scan started at 4/15/2005 12:05:21 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    D:\Program Files\eMule\Incoming\Power DVD 5.x KeyGen + Crack.exe - Win32/HLLW.Backterra.A -> Infected
    D:\WINNT\system32\mseggo.gif - Trojan:Win32/Delf.DX -> Infected
    D:\Documents and Settings\Leonard little\My Documents\kill\hijack\backups\backup-20050316-100705-436.dll - VirTool:Win32/Collector.A -> Suspicious

    Scanned
    ============================
    Objects: 67404
    Directories: 6160
    Archives: 2533
    Size(Kb): -1990024
    Infected files: 2

    Found
    ============================
    Viruses found: 2
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 4418


    Logfile of HijackThis v1.99.1
    Scan saved at 1:25:38 AM, on 4/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\Program Files\Ahead\InCD\InCDsrv.exe
    D:\WINNT\system32\spoolsv.exe
    D:\Program Files\EPSON\ESM2\eEBSVC.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINNT\system32\nvsvc32.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\btc mouse\BWheel35.exe
    D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    D:\Program Files\Ahead\InCD\InCD.exe
    D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    D:\Program Files\NetZero\exec.exe
    D:\WINNT\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\WINNT\system32\NOTEPAD.EXE
    D:\Program Files\QUICKENW\QWDLLS.EXE
    D:\Program Files\CallWave\IAM.exe
    D:\Program Files\NetZero\exec.exe
    D:\Program Files\NetZero\qsacc\x1exec.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINNT\system32\notepad.exe
    D:\Documents and Settings\Leonard little\My Documents\kill\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (D:\Documents and Settings\Leonard little\Application Data\Mozilla\Profiles\default\b2kucou5.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - D:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LWBMOUSE] D:\btc mouse\BWheel35.exe
    O4 - HKLM\..\Run: [KEMailKb] D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    O4 - HKLM\..\Run: [IS CfgWiz] D:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT "
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKCU\..\Run: [NetZero_uoltray] D:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\RunOnce: [untd_recovery] "D:\Program Files\NetZero\qsacc\x1exec.exe "
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: EPSON Background Monitor.lnk = D:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EAA0963-47A0-408C-9456-7E99EA78A65B}: NameServer = 64.136.20.121 64.136.28.121
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
    O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: %NVSVC.desc% (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe

    TIA
     
  9. 2005/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I did notice that your OS is on D:, but it shouldn't matter. Please download GetLogXP.zip. Save it to your desktop. Rename if necessary. Extract GetLogXP.bat and double click to run. It will open GetLogXP.txt and place a copy on your desktop. Please post the contents of that log.

    Suggest you delete the infected KeyGen + Crack.exe and mseggo.gif shown in the RAV scan. Then empty the recycle bin. Don't worry about the HJT backup right now.
     
  10. 2005/04/16
    llittle16

    llittle16 Inactive Thread Starter

    Joined:
    2005/03/16
    Messages:
    10
    Likes Received:
    0
    get log

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NetZero_uoltray REG_SZ D:\Program Files\NetZero\exec.exe regrun
    ctfmon.exe REG_SZ D:\WINNT\system32\ctfmon.exe
    MSMSGS REG_SZ "D:\Program Files\Messenger\msmsgs.exe" /background
    Mozilla Quick Launch REG_SZ "D:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TkBellExe REG_SZ "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    QuickTime Task REG_SZ "D:\Program Files\QuickTime\qttask.exe" -atboottime
    NvCplDaemon REG_SZ RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    NeroFilterCheck REG_SZ D:\WINNT\system32\NeroCheck.exe
    MISAggregator REG_SZ
    LWBMOUSE REG_SZ D:\btc mouse\BWheel35.exe
    KEMailKb REG_SZ D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    IS CfgWiz REG_SZ D:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT "
    InCD REG_SZ D:\Program Files\Ahead\InCD\InCD.exe
    gcasServ REG_SZ "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    CloneCDTray REG_SZ "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    3c1807pd REG_SZ
    kvexmbh REG_SZ d:\winnt\system32\kvexmbh.exe -start

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdobeESD

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BTC Mice Maestro

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CallWave

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CloneCD

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_3654148D

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DivX Codec

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DivX Player

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dykrbojwv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eMule

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\expinst

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEREADME

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InCD!UninstallKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{87C51198-5A95-4577-9F47-B953D862FA90}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Java Web Start

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB834707

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB867282

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB870669

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873333

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873339

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885250

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885835

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885836

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885884

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB886185

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887472

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887742

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888113

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888302

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890047

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890175

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890859

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890923

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB891781

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893066

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893086

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KEMailKb

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kvexmbh

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\M886903

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Macromedia Shockwave Player

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 1.1 (1033)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MRW!UninstallKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero - Burning Rom!UninstallKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero BurnRights!UninstallKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero PhotoShow Express

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroVision!UninstallKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Netscape (7.1)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetZero Connection Wizard

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetZero HiSpeed

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NMPUninstallKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVIDIA

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PhotoParade.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Quicken 2002 Deluxe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuickTime

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Real Pool

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealArcade 1.2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealJukebox 1.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealPlayer 6.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registrar Lite 2.00

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registry Mechanic_is1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboTax Deluxe 2003

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboTax Deluxe 2004

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tweak UI 2.10

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webshots

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Format Runtime

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows XP Service Pack

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinZip

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Mail

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Messenger

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{36495C59-089C-49D1-BD15-9E5BD86DC9A1}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B29A786-5803-4e9e-9B58-3014A5B4E519}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{43DCF766-6838-4F9A-8C91-D92DA586DFA7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{449F3A9E-9903-4a0d-A209-08030D45A935}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{536F7C74-844B-4683-B0C5-EA39E19A6FE3}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5677563D-0CB1-485f-9E18-C5025306BB3F}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5B239A98-4222-4D8C-AF38-1A8EC07F956B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5D0930A0-1033-433A-8BB9-602665550DD0}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6c651250-2eb2-11d5-8e33-0050dad72ac2}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6F716D8C-398F-11D3-85E1-005004838609}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7C503E58-B2BC-11D5-978A-0050BA84F5F7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110294723}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{87C51198-5A95-4577-9F47-B953D862FA90}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90110409-6000-11D3-8CFE-0150048383C9}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ABEB838C-A1A7-4C5D-B7E1-8B4314600137}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7646-A70000000000}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFCE5837-FC21-11D6-9D24-00010240CE95}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F46B2392-7D40-4FDE-88B2-37AAC8B4F017}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}

    TIA
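    An added example, not part of this thread or of GetLogXP or HijackThis: a small Python script that cross-checks the Run keys in the REG.EXE dump above against the O4 section of the HijackThis log posted earlier in the thread. The sample lines are excerpts copied from those two logs; the function names, the regular expressions and the `image_path` helper are my own. Running it lists every autostart value that appears in the registry dump but not in the HJT O4 section, which is exactly the kind of entry (an empty value, or an executable with a random-looking name in the system directory) that a helper would want to look at before calling a log clean.

```python
import re

# Constructed sample input: an excerpt of the REG.EXE (GetLogXP) dump posted
# in this thread, whitespace collapsed the way the forum rendered it.
REG_DUMP = r"""
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NetZero_uoltray REG_SZ D:\Program Files\NetZero\exec.exe regrun
ctfmon.exe REG_SZ D:\WINNT\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task REG_SZ "D:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon REG_SZ RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
NeroFilterCheck REG_SZ D:\WINNT\system32\NeroCheck.exe
MISAggregator REG_SZ
LWBMOUSE REG_SZ D:\btc mouse\BWheel35.exe
KEMailKb REG_SZ D:\PROGRA~1\KEMailKb\KEMailKb.EXE
gcasServ REG_SZ "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
CloneCDTray REG_SZ "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
3c1807pd REG_SZ
kvexmbh REG_SZ d:\winnt\system32\kvexmbh.exe -start
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
"""

# Constructed sample input: the matching O4 lines from the HijackThis log
# posted one post earlier (Global Startup lines are .lnk files, not registry
# values, and are ignored by the O4 pattern below).
HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] D:\btc mouse\BWheel35.exe
O4 - HKLM\..\Run: [KEMailKb] D:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [NetZero_uoltray] D:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "D:\Program Files\NetZero\qsacc\x1exec.exe "
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
"""

REG_KEY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)$")
REG_VALUE_RE = re.compile(r"^(?P<name>.+?)\s+REG_SZ\s*(?P<value>.*)$")
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_reg_dump(text):
    """Map (hive, key, lowercased value name) -> (value name, command) for Run/RunOnce keys."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue  # blank line or "! REG.EXE VERSION" banner
        key = REG_KEY_RE.match(line)
        if key:
            leaf = key.group(2).rsplit("\\", 1)[-1]
            # Only values directly under ...\Run or ...\RunOnce count;
            # subkeys such as Run\OptionalComponents are skipped.
            current = (HIVES[key.group(1)], leaf) if leaf in ("Run", "RunOnce") else None
            continue
        val = REG_VALUE_RE.match(line)
        if val and current:
            name = val.group("name")
            entries[(current[0], current[1], name.lower())] = (name, val.group("value").strip())
    return entries


def parse_hjt_o4(text):
    # Same key shape as parse_reg_dump, built from the HijackThis O4 registry lines.
    entries = {}
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if m:
            entries[(m.group("hive"), m.group("key"), m.group("name").lower())] = (
                m.group("name"), m.group("cmd").strip())
    return entries


def image_path(command):
    """Executable named by a Run value: the quoted path, or the tokens up to the first *.exe/*.dll/... token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].strip() if end > 0 else command[1:].strip()
    path = []
    for tok in command.split():
        path.append(tok)
        if tok.lower().endswith((".exe", ".dll", ".com", ".scr", ".bat", ".cmd")):
            break
    return " ".join(path)


def find_unlisted(reg_dump=REG_DUMP, hjt_log=HJT_LOG):
    """Return (hive, key, name, image) for every registry autostart value the HJT log did not list."""
    listed = parse_hjt_o4(hjt_log)
    return sorted(
        (hive, key, name, image_path(cmd))
        for (hive, key, lname), (name, cmd) in parse_reg_dump(reg_dump).items()
        if (hive, key, lname) not in listed)


for hive, key, name, image in find_unlisted():
    print(f"{hive}\\...\\{key} [{name}] -> {image or '<empty value>'}")
```

    On the sample above the script reports three HKLM\...\Run values that the HijackThis log did not show: MISAggregator and 3c1807pd (both with empty data) and kvexmbh, whose image is d:\winnt\system32\kvexmbh.exe. The match is by hive, key and value name, case-insensitively, because Windows treats value names that way; the comparison is one-directional on purpose, since an O4 entry that is missing from the registry dump is stale rather than hidden.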
     
  11. 2005/04/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    I've attached a new RemInstAccXP.zip file. Delete the one you have now and download the new, then extract to your desktop.

    Reboot to safe mode and run the bat.

    Delete temporary internet files via internet options in the control panel.

    Empty the recycle bin.

    Reboot back into Windows and create, then post a new HijackThis log.
     
  12. 2005/04/18
    llittle16

    llittle16 Inactive Thread Starter

    Joined:
    2005/03/16
    Messages:
    10
    Likes Received:
    0
    hijack_this_log

    I did some surfing after I rebooted and so far no ZipZapPromo ads have popped up. I still have the system restore turned off.

    Thank you very much for all you have done.
    Here is the log:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:54:39 PM, on 4/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\Program Files\Ahead\InCD\InCDsrv.exe
    D:\WINNT\system32\spoolsv.exe
    D:\Program Files\EPSON\ESM2\eEBSVC.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINNT\system32\nvsvc32.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\btc mouse\BWheel35.exe
    D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    D:\Program Files\Ahead\InCD\InCD.exe
    D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    D:\Program Files\NetZero\exec.exe
    D:\WINNT\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\WINNT\system32\wuauclt.exe
    D:\Program Files\QUICKENW\QWDLLS.EXE
    D:\Documents and Settings\Leonard little\My Documents\kill\hijack\HijackThis.exe
    D:\Program Files\CallWave\IAM.exe
    D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (D:\Documents and Settings\Leonard little\Application Data\Mozilla\Profiles\default\b2kucou5.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - D:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LWBMOUSE] D:\btc mouse\BWheel35.exe
    O4 - HKLM\..\Run: [KEMailKb] D:\PROGRA~1\KEMailKb\KEMailKb.EXE
    O4 - HKLM\..\Run: [IS CfgWiz] D:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT "
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKCU\..\Run: [NetZero_uoltray] D:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: EPSON Background Monitor.lnk = D:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://D:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
    O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: %NVSVC.desc% (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
     
  13. 2005/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your log is clean. Update Spybot and Ad-aware and run full scans. Delete whatever they find. Reboot and turn System Restore back on.

    Happy to help. :)
     