
Zestyfind and others

Discussion in 'Malware and Virus Removal Archive' started by TeamFord, 2006/10/09.

  1. 2006/10/09
    TeamFord

    TeamFord Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    7
    Likes Received:
    0
    Can someone tell me anything about these entries in particular? They keep coming back into the registry for startup and I have pop-ups galore.

    Explorer.exe, C:\WINDOWS\System32\nvpib.exe
    C:\WINDOWS\SYSTEM32\Userinit.exe,yrwmlfn.exe

    or

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\nvpib.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yrwmlfn.exe

    And these:
    c:\windows\system32\wmyeba.exe reg_run
    and some file ptlfh.exe
     
    Last edited: 2006/10/09
  2. 2006/10/09
    TeamFord

    Here is my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:14:01 PM, on 10/9/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    C:\UCC\Services\Ucsinsvc.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Acronis\PrivacyExpert\Shield.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Trojan Remover\Trjscan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\INCRED~1\bin\IncMail.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
    C:\Program Files\NeoImagic Computing\Windows & Internet Cleaner Pro\WICleaner.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.password.dealerconnecti...://www.fmcdealer.dealerconnection.com/portal/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnecti...://www.fmcdealer.dealerconnection.com/portal/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TeamFord.com
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\nvpib.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yrwmlfn.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe "
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Acronis Popup Blocker] RunDll32.exe C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll,Run
    O4 - HKLM\..\Run: [SpyWare Shield] "C:\Program Files\Acronis\PrivacyExpert\Shield.exe "
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\NeoImagic Computing\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Acronis*Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...N=yes&Vehicle_Number_int=1012065&action=Media
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_components/control/activex/TmHcmsX.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121376316886
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://w2k3.crystalreports.dealerconnection.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{40E57908-91F0-4071-B4D2-119FFCB070E8}: NameServer = 10.2.1.254
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    O23 - Service: Process Activity Monitor (paamsrv) - Unknown owner - C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
    O23 - Service: UCS Install NT Service - UCS - C:\UCC\Services\Ucsinsvc.exe
    O23 - Service: UCS Refresh Service - UCS - C:\UCC\Services\UcsrrSvc.exe
     


  4. 2006/10/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello TeamFord and welcome to WindowsBBS Forums.

    The lines you are noticing typically indicate a QooLogic infection. This infection likes to hide things from our scanners and can be a bit of a pest to remove.

    Let's run a single find-all scanning tool to show us what files are on your system. If there are any Qoo files, it will most likely detect them and delete them.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Let's see what this log produces before we get a new HJT log file.
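    The Shell and Userinit hijack TeMerc points to above, as an added detection example (not code from the thread, from HijackThis, or from ComboFix): it parses HijackThis F2 and O4 lines, compares the Winlogon values against the Windows XP defaults, and flags Run entries that launch an unknown executable straight out of the Windows or system32 directory. The known-good allowlist, the assumed C:\WINDOWS system root and the sample log lines are constructed for the example.

```python
"""Flag Winlogon Shell/Userinit hijacks in HijackThis F2 and O4 lines.

Windows runs every comma-separated program listed in the Winlogon "Shell"
and "Userinit" values, so anything appended after Explorer.exe or
Userinit.exe starts at every logon. HijackThis reports those values as
F2 lines. This script compares them against the XP defaults and also flags
O4 Run entries whose target is an unknown executable sitting directly in
the Windows or system32 directory (the pattern shown by wmyeba.exe).
"""
import re
from typing import Optional

# Expected XP defaults for the two Winlogon values, lower-cased.
# Assumption for this example: the system root is C:\WINDOWS.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Executables that legitimately run from the Windows directories via Run keys.
# This allowlist is an assumption for the example; extend it for a real host.
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "ctfmon.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$", re.I)


def split_winlogon_value(value: str) -> list[str]:
    """Split a comma-separated Winlogon value into cleaned, lower-cased entries."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def check_f2(line: str) -> Optional[list[str]]:
    """Return the unexpected entries of an F2 line ([] if clean), or None for other lines."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2)
    return [e for e in split_winlogon_value(value) if e not in EXPECTED[key]]


def check_o4(line: str) -> Optional[str]:
    """Return the executable path of a suspicious O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    target = m.group(1).strip()
    if not target:
        return None
    # A quoted path may contain spaces; otherwise the first token is the program.
    if target.startswith('"'):
        end = target.find('"', 1)
        exe = target[1:end] if end > 0 else target[1:]
    else:
        exe = target.split()[0]
    directory, _, name = exe.lower().rpartition("\\")
    if directory in (r"c:\windows", r"c:\windows\system32") and name not in KNOWN_SYSTEM_BINARIES:
        return exe
    return None


def scan_log(text: str) -> list[str]:
    """Return one finding per suspicious F2/O4 line in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        extras = check_f2(line)
        if extras:
            findings.append(f"F2 hijack: unexpected {', '.join(extras)} in {line.strip()}")
        exe = check_o4(line)
        if exe:
            findings.append(f"O4 unknown system-directory autorun: {exe}")
    return findings


# Constructed sample: the two F2 lines quoted in the thread, a clean UserInit
# line, a Qoologic-style Run entry, and two legitimate Run entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\nvpib.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yrwmlfn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [sbkwc] C:\WINDOWS\System32\wmyeba.exe reg_run
O4 - HKLM\..\Run: [Acronis Popup Blocker] RunDll32.exe C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll,Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```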
     
  5. 2006/10/10
    TeamFord

    I will do that when I get back into work on Tues. Thanks.
     
  6. 2006/10/10
    TeamFord

    For some reason I could download this last night, but not at work today. I tried several different machines and nothing. Is the server down?

    Can you email it to me? parts@teamford.com
    Thanks.
     
  7. 2006/10/10
    TeMerc

    Ah, it would appear that as of this morning the developer has pulled it due to a nasty bug. He is being encouraged to reinstate it, though.

    Try again later in the day.

    In the meantime, let's try another scanner to see what it finds.

    Download AVG Anti-Spyware 7.5 (formerly Ewido Anti-Spyware) from HERE and save that file to your desktop.
    This is a 30-day trial of the program.
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update", then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
    Close ewido anti-spyware. Do not run a scan just yet; we will shortly.

    Reboot into Safe Mode, this way:
    • Turn on the computer.
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.

    Launch ewido anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    • ewido will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions".
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. (Please edit out any cookie references.)

    Then also run HJT and give me a fresh log with the Ewido report.
     
  8. 2006/10/11
    TeamFord

    Here is my ComboFix log:

    ComboFix 06.10.11 - Running from: "C:\Documents and Settings\Administrator\Desktop "

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\CLSID\{C622EC0F-0703-4B19-8BD0-FBF38A9C87CF}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{C622EC0F-0703-4B19-8BD0-FBF38A9C87CF}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{C622EC0F-0703-4B19-8BD0-FBF38A9C87CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{C622EC0F-0703-4B19-8BD0-FBF38A9C87CF}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\oiepro32.dll "
    "ThreadingModel "= "Apartment "

    [HKEY_CLASSES_ROOT\CLSID\{01CBAE95-4D5C-4DF0-8668-54CFF6E38CB9}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{01CBAE95-4D5C-4DF0-8668-54CFF6E38CB9}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{01CBAE95-4D5C-4DF0-8668-54CFF6E38CB9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{01CBAE95-4D5C-4DF0-8668-54CFF6E38CB9}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\system32\cznfmsp.dll
    C:\WINDOWS\system32\en82l1lo1.dll
    C:\WINDOWS\system32\ennql1551.dll
    C:\WINDOWS\system32\frusd.dll
    C:\WINDOWS\system32\sbhedsvc.dll
    C:\WINDOWS\system32\sinsapi.dll
    C:\WINDOWS\system32\guard.tmp


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


    * * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


    O4 - HKCU\...\Run C:\WINDOWS\system32\wmyeba.exe
    O4 - HKLM\...\Run C:\WINDOWS\System32\wmyeba.exe
    F2 -REG:system.ini: Shell C:\WINDOWS\System32\nvpib.exe
    F2 -REG:system.ini: UserInit C:\WINDOWS\system32\yrwmlfn.exe


    * * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\wmyeba.exe
    C:\WINDOWS\system32\dtyesiy.dll
    C:\WINDOWS\system32\yrwmlfn.exe
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ptlfh.exe
    C:\WINDOWS\vhgls.dll
    C:\WINDOWS\system32\dknhn.dat
    C:\WINDOWS\system32\nvpib.exe


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    06-10-09 15:13 127488 ptlfh.exe.qoo
    06-10-09 08:56 127488 wmyeba.exe.qoo
    06-10-09 14:22 127488 dknhn.dat.qoo
    06-10-09 08:56 51712 dtyesiy.dll.qoo
    06-10-09 08:56 28672 nvpib.exe.qoo
    06-10-10 10:35 23552 yrwmlfn.exe.qoo

    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\aaa00000.sys
    C:\WINDOWS\offun.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Program Files\MCROSO~1.NET
    C:\QooBox\Purity\WINDOWS\system32\ECURIT~1
    C:\QooBox\Purity\WINDOWS\system32\MCROSO~1
    C:\QooBox\Purity\WINDOWS\system32\MCROSO~1\M?crosoft


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-11 to 2006-10-11 ))))))))))))))))))))))))))))))))))


    2006-10-09 14:50 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
    2006-10-09 14:50 3,440 --a------ C:\WINDOWS\undo.reg
    2006-10-09 14:50 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2006-10-09 12:33 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
    2006-10-09 12:33 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
    2006-10-09 12:33 28,160 --a------ C:\WINDOWS\system32\anim.dll
    2006-10-09 12:33 258,352 --a------ C:\WINDOWS\system32\unicows.dll
    2006-10-09 12:33 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
    2006-10-09 10:51 43,648 --a------ C:\WINDOWS\system32\drivers\pamondrv.sys
    2006-10-09 08:54 522,553 --ahs---- C:\WINDOWS\system32\iihjl.bak2
    2006-10-07 18:40 501,631 --ahs---- C:\WINDOWS\system32\iihjl.bak1
    2006-10-07 18:39 684,084 --ahs---- C:\WINDOWS\system32\ljhii.dll
    2006-10-07 14:49 501,631 --ahs---- C:\WINDOWS\system32\yyabc.bak2
    2006-10-07 09:21 447 --a------ C:\WINDOWS\vhgls.dll
    2006-10-06 20:03 684,084 --ahs---- C:\WINDOWS\system32\cbayy.dll
    2006-10-06 20:03 501,671 --ahs---- C:\WINDOWS\system32\yyabc.bak1
    2006-10-06 19:48 2 --a------ C:\WINDOWS\system32\wapisvtr.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-11 08:21 -------- d-a------ C:\Program Files\Common Files
    2006-10-10 09:53 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-09 14:50 -------- d-------- C:\Program Files\Trojan Remover
    2006-10-09 14:50 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
    2006-10-09 13:24 -------- d-------- C:\Program Files\CleanUp!
    2006-10-09 12:33 -------- d-------- C:\Program Files\WinUtilities
    2006-10-09 12:31 -------- d-------- C:\Program Files\BHODemon 2
    2006-10-09 11:37 -------- d-------- C:\Program Files\Encarta Online
    2006-10-09 11:34 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2006-10-09 10:51 82464 --a------ C:\WINDOWS\system32\drivers\snapman.sys
    2006-10-09 10:51 -------- d-------- C:\Program Files\Acronis
    2006-10-09 08:55 -------- dr------- C:\Program Files\NetMeeting
    2006-10-09 08:55 -------- dr------- C:\Program Files\Messenger
    2006-10-09 08:55 -------- dr------- C:\Program Files\Accessories
    2006-10-07 16:31 -------- d-------- C:\Program Files\TweakNow RegCleaner Pro
    2006-10-07 16:30 -------- d-------- C:\Program Files\Google
    2006-10-07 16:13 -------- d-------- C:\Program Files\Microsoft AntiSpyware
    2006-10-07 15:53 -------- d-------- C:\Program Files\Yahoo!
    2006-10-07 15:35 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
    2006-10-07 15:10 -------- d-------- C:\Program Files\NeoImagic Computing
    2006-10-07 15:09 -------- d-------- C:\Program Files\CCleaner
    2006-10-07 12:01 -------- d-------- C:\Program Files\Common Files\oook
    2006-10-07 11:06 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SpamBlockerUtility
    2006-10-06 21:21 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SpamBlockerUtility_Icons
    2006-10-06 21:21 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SpamBlocker
    2006-09-26 17:47 -------- d-------- C:\Program Files\QuickTime
    2006-09-23 19:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Google
    2006-08-19 13:18 65848 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2006-08-07 08:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "IncrediMail "= "C:\\PROGRA~1\\INCRED~1\\bin\\IncMail.exe /c "
    "updateMgr "= "C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_7 "
    "swg "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.4150\\GoogleToolbarNotifier.exe "
    "Windows & Internet Cleaner Pro "= "C:\\Program Files\\NeoImagic Computing\\Windows & Internet Cleaner Pro\\WICleaner.exe /Startup "
    "SpybotSD TeaTimer "= "C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disabled]
    "sbkwc "= "C:\\WINDOWS\\System32\\wmyeba.exe reg_run "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acronis*True*Image Monitor "= "\ "C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\" "
    "Acronis Scheduler2 Service "= "\ "C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\" "
    "Adobe Photo Downloader "= "\ "C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\" "
    "DLPSP "= "\ "C:\\Program Files\\Dell Printers\\Additional Color Laser Software\\Status Monitor\\DLPSP.EXE\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "gcasServ "= "\ "C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\" "
    "Acronis Popup Blocker "= "RunDll32.exe C:\\PROGRA~1\\Acronis\\PRIVAC~1\\Blocker.dll,Run "
    "SpyWare Shield "= "\ "C:\\Program Files\\Acronis\\PrivacyExpert\\Shield.exe\" "
    "SpybotSnD "= "\ "C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck /autoclose "
    "TrojanScanner "= "C:\\Program Files\\Trojan Remover\\Trjscan.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disabled]
    "wedvbx "= "C:\\WINDOWS\\System32\\wmyeba.exe reg_run "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\Program Files\\Accessories\\kyge.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "C:\\Program Files\\NetMeeting\\hodyxu.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,e1,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UCS NavBar "= "C:\\UCC\\System\\UcsNavBar.exe "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UCS NavBar "= "C:\\UCC\\System\\UcsNavBar.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{C6E00DDA-FEAF-4D28-ADC4-055240E8F907} "=" "
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806} "= "Microsoft AntiSpyware Service Hook "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Completion time: Wed 10/11/2006 8:26:55.77
    ComboFix.txt
     
  9. 2006/10/11
    TeamFord

    Logfile of HijackThis v1.99.1
    Scan saved at 3:27:56 PM, on 10/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    C:\UCC\Services\Ucsinsvc.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Acronis\PrivacyExpert\Shield.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\UCC\SYSTEM\Umhwinmg.exe
    C:\Ucc\PCATTACH\PCAW.EXE
    C:\UCC\SYSTEM\PWRSUITE.EXE
    C:\UCC\SYSTEM\PWRSUITE.EXE
    C:\UCC\SYSTEM\PWRSUITE.EXE
    C:\UCC\SYSTEM\PWRSUITE.EXE
    C:\UCC\SYSTEM\PWRSUITE.EXE
    C:\UCC\SYSTEM\Prtwinmg.exe
    C:\UCC\LFPrint\LFPrint.exe
    C:\BLUEBOOK\Kpw06090.Exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.password.dealerconnecti...://www.fmcdealer.dealerconnection.com/portal/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnecti...://www.fmcdealer.dealerconnection.com/portal/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TeamFord.com
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe "
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Acronis Popup Blocker] RunDll32.exe C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll,Run
    O4 - HKLM\..\Run: [SpyWare Shield] "C:\Program Files\Acronis\PrivacyExpert\Shield.exe "
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Acronis*Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://download.bleepingcomputer.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...N=yes&Vehicle_Number_int=1012065&action=Media
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_components/control/activex/TmHcmsX.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121376316886
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://w2k3.crystalreports.dealerconnection.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{40E57908-91F0-4071-B4D2-119FFCB070E8}: NameServer = 10.2.1.254
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    O23 - Service: Process Activity Monitor (paamsrv) - Unknown owner - C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
    O23 - Service: UCS Install NT Service - UCS - C:\UCC\Services\Ucsinsvc.exe
    O23 - Service: UCS Refresh Service - UCS - C:\UCC\Services\UcsrrSvc.exe
     
    Last edited: 2006/10/11
  10. 2006/10/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ummmmm..........looks like you posted the ComboFix log twice.....:p
     
  11. 2006/10/11
    TeamFord

    TeamFord Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    7
    Likes Received:
    0
    I fixed that second post :) :p
     
  12. 2006/10/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, first thing we need to do is disable your running protection; we can enable things once you're all cleaned up.

    For Spybot:
    Disable TeaTimer by doing the following:
    • Run Spybot-S&D
    • Go to the Mode menu, and make sure Advanced Mode is selected
    • On the left hand side, choose Tools -> Resident
    • Uncheck Resident TeaTimer and OK any prompts
    You can re-enable TeaTimer once your system is clean.

    For Defender:
    • Open Windows Defender.
    • Click on Tools, General Settings.
    • Scroll down and uncheck Turn on real-time protection (recommended).
    • After you uncheck this, click on the Save button and close Windows Defender.


    Looks like there are some Vundo files in there that ComboFix didn't get, the classic signs are files which are spelled backwards, like these:
    C:\WINDOWS\system32\cbayy.dll
    C:\WINDOWS\system32\yyabc.bak1


    So, let's run the Vundo tool and see how it does.

    Download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above
    instructions starting from "Click the *Scan for Vundo* button." when
    VundoFix appears at reboot.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread and also include the Vundo log file as well.
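A small triage check for the backwards-spelled file names TeMerc points to (cbayy.dll next to yyabc.bak1), added here as an example; it is not code from the thread, from VundoFix or from any of the tools mentioned. It runs on a constructed directory listing, and `scan_directory` is a hypothetical helper for applying the same heuristic to a real folder.

```python
import os

# Constructed sample listing, not a real directory: the two names quoted in
# the thread (cbayy.dll / yyabc.bak1) plus ordinary Windows files as noise.
SAMPLE_LISTING = [
    "kernel32.dll",
    "cbayy.dll",
    "userinit.exe",
    "yyabc.bak1",
    "ntdll.dll",
    "aba.dll",       # palindromic stem: must not be paired with itself
]

def stem(name):
    """Lower-cased file name without its last extension ('yyabc.bak1' -> 'yyabc')."""
    return os.path.splitext(name)[0].lower()

def find_reversed_pairs(names):
    """Return sorted (a, b) pairs whose stems are mirror images of each other.

    The thread's helper describes a DLL sitting next to a file whose base name
    is the DLL's name spelled backwards as a classic Vundo sign. This only
    flags candidates for a closer look; a hash lookup or signature scan still
    has to confirm the files are actually malicious.
    """
    by_stem = {}
    for n in names:
        by_stem.setdefault(stem(n), []).append(n)
    pairs = set()
    for s, files in by_stem.items():
        mirror = s[::-1]
        if mirror == s or mirror not in by_stem:
            continue  # a palindrome mirrors only itself; no partner file
        for a in files:
            for b in by_stem[mirror]:
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)

def scan_directory(path):
    """Hypothetical helper: apply the heuristic to a real folder such as system32."""
    return find_reversed_pairs(os.listdir(path))

if __name__ == "__main__":
    for a, b in find_reversed_pairs(SAMPLE_LISTING):
        print(f"mirror-named pair worth checking: {a} <-> {b}")
```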
     
