:( I have tfthot.exe and don't know how to get rid of it.

jmerrill8 · July 7, 2006

My computer is unusable... I have tried logging in under safe mode and running Trend Micro's virus scan and spybot search & destroy.

I'm not sure what to do next?

AndyManchesta · July 8, 2006

Hi jmerrill8, Welcome to the forum

Can you post a HijackThis log and I will be happy to check it over for any problems.

Download HijackThis

Save it in a convenient permanent folder such as C:\HijackThis\

Run HijackThis and choose Do a system scan and save a logfile

When the scan is finished, it will open the results in notepad and also save them into the HijackThis folder.

Please post the full contents of the logfile back on here

Most of what it lists will be harmless or essential, don't fix anything yet.

Regards

Andy

Nightraine · July 11, 2006

I'm also experiencing this as well... Here is my hijackthis log file.

Thanks for your help--

Logfile of HijackThis v1.99.1

Scan saved at 1:48:03 PM, on 7/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

F:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

F:\Program Files\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

F:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\system32\wltray.exe

C:\Program Files\AGEIA Technologies\TrayIcon.exe

C:\WINDOWS\system32\18773b9f.exe

C:\WINDOWS\system32\13f7c6c5.exe

C:\WINDOWS\thiselt.exe

C:\WINDOWS\system32\mptft.exe

C:\WINDOWS\system32\bdpn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ssec.exe

C:\WINDOWS\system32\tfthot.exe

C:\Program Files\Common Files\{B06BD4E8-086E-1033-0114-040607040001}\Update.exe

C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

C:\PROGRA~1\MANTEC~1\explorer.exe

C:\WINDOWS\system32\WgaTray.exe

C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Russ\Desktop\HijackThis.exe

C:\WINDOWS\system32\tfthot.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20069&k=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.1.1:8080

R3 - URLSearchHook: (no name) - <default> - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yhgop.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kcnrais.exe

O1 - Hosts: 72.232.111.34 l2testauthd.lineage2.com #st0rm

O1 - Hosts: 72.232.111.34 l2authd.lineage2.com #st0rm

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll

O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [GameDrive] F:\Program Files\FarStone\GameDrive\gdtask.exe /AutoRestore /Silence

O4 - HKLM\..\Run: [smcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe

O4 - HKLM\..\Run: [18773b9f.exe] C:\WINDOWS\system32\18773b9f.exe

O4 - HKLM\..\Run: [13f7c6c5.exe] C:\WINDOWS\system32\13f7c6c5.exe

O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe

O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe

O4 - HKLM\..\Run: [win320924-13351104] C:\WINDOWS\win320924-13351104.exe

O4 - HKLM\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [13f7c6c5.exe] C:\Documents and Settings\Russ\Local Settings\Application Data\13f7c6c5.exe

O4 - HKCU\..\Run: [Ocrp] "C:\PROGRA~1\MANTEC~1\explorer.exe" -vt yazr

O4 - HKCU\..\Run: [18773b9f.exe] C:\Documents and Settings\Russ\Local Settings\Application Data\18773b9f.exe

O4 - HKCU\..\Run: [Jlnj] C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe

O4 - HKCU\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - Startup: Indigo Prophecy Registration.lnk = C:\WINDOWS\Installer\MSI38.tmp

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.i-lookup.com

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O15 - Trusted Zone: *.offshoreclicks.com

O15 - Trusted Zone: *.teensguru.com

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...oad/tgctlcm.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Filter: text/html - (no CLSID) - (no file)

O20 - AppInit_DLLs: scanregw.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\Program Files\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe (file missing)

O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - F:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

AndyManchesta · July 11, 2006

Hi Nightraine

This is someone elses thread so it would of been best to start a new topic but we may as well continue now you have post the log,

That is a very infected machine you have

Id like to see the contents of the Add/Remove screen before we start to manually remove all the files to see which programs have uninstallers present but lets start with getting rid of Qoologic and SurfSideKick then we can deal with the rest in the next post

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.

Post the contents of the Qoofix logfile which is saved to the same location as Qoofix into your next post.

Goto Start Menu > Control Panel > Add or Remove Programs and remove SurfSideKick , enter the number on screen and then reboot the pc when prompted

Finally generate a list of the Add/Remove screen entries

Open Hijackthis, Click Open the Misc tools section Then click the Open Uninstall Manager... button.

The Add/Remove Programs Manager panel should appear.

In this panel click the Save list button.

Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the Add/remove screen list and the Qoofix logfile

Cheers

Andy

Nightraine · July 12, 2006

Thanks for all your help, Andy.

Qoofix logfile (initial):

Qoofix v1.02 by http://www.malwarebytes.org

Scan started on [7/12/2006] at [7:47:54 AM]

-------------------------------------------------------------

No malicious modules found!

-------------------------------------------------------------

No Qoologic infected files found!

-------------------------------------------------------------

Scan COMPLETED SUCCESSFULLY on [7/12/2006] at [7:48:48 AM]

Note: Some registry keys may have been removed.

-- When I attempted to save the uninstall_list.txt, Hijackthis closes down before the save dialog box.

Qoofix logfile (after removing SurfSidekick)

Qoofix v1.02 by http://www.malwarebytes.org

Scan started on [7/12/2006] at [8:02:04 AM]

-------------------------------------------------------------

No malicious modules found!

-------------------------------------------------------------

No Qoologic infected files found!

-------------------------------------------------------------

Scan COMPLETED SUCCESSFULLY on [7/12/2006] at [8:02:18 AM]

Note: Some registry keys may have been removed.

Thanks again,

Russ

AndyManchesta · July 12, 2006

Hi Russ

That didnt go very well, time for plan B

Can you disable the Real Time protection on Microsoft Anti-Spyware so it doesnt interfere with the HijackThis fixes or Malware removal

Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
Click on "Security Agents Status".
Click on "Disable real-time protection".

You can reenable it once your system is clean.

Copy and paste this reply to Notepad and save it to your desktop as some steps will require all browser windows closing and rebooting the PC.

Check the Add/Remove screen for these and remove them if found: PurityScan, OuterInfo Network, QuickLinks, Toolbar888, EliteMediaGroup and any programs by OIN if they are on the list, reboot if you remove any.

Once that's done run Hijack This and choose Do A System Scan then place a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://www.2020search.com/search/9884/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://www.2020search.com/search/9884/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://www.2020search.com/search/9884/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://www.mrfindalot.com/search.asp?si=20069&k=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ht*p://www.mrfindalot.com/search.asp?si=20069&k=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R3 - URLSearchHook: (no name) - <default> - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yhgop.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kcnrais.exe

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [18773b9f.exe] C:\WINDOWS\system32\18773b9f.exe

O4 - HKLM\..\Run: [13f7c6c5.exe] C:\WINDOWS\system32\13f7c6c5.exe

O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe

O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe

O4 - HKLM\..\Run: [win320924-13351104] C:\WINDOWS\win320924-13351104.exe

O4 - HKLM\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKCU\..\Run: [13f7c6c5.exe] C:\Documents and Settings\Russ\Local Settings\Application Data\13f7c6c5.exe

O4 - HKCU\..\Run: [Ocrp] "C:\PROGRA~1\MANTEC~1\explorer.exe" -vt yazr

O4 - HKCU\..\Run: [18773b9f.exe] C:\Documents and Settings\Russ\Local Settings\Application Data\18773b9f.exe

O4 - HKCU\..\Run: [Jlnj] C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe

O4 - HKCU\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.i-lookup.com

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O15 - Trusted Zone: *.offshoreclicks.com

O15 - Trusted Zone: *.teensguru.com

O15 - Trusted Zone: ht*p://click.getmirar.com (HKLM)

O15 - Trusted Zone: ht*p://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: ht*p://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: ht*p://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - ht*p://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - ht*p://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - ht*p://awbeta.net-nucleus.com/FIX/WinATS.cab

O18 - Filter: text/html - (no CLSID) - (no file)

O20 - AppInit_DLLs: scanregw.dll

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Dont worry if it shows a error when trying to fix the 020 entry.

Download Killbox from Here

http://www.killbox.net/downloads/KillBox.exe

Click killbox.exe

Select the option "Delete on reboot".

Click the button: All Files (Important!)

Now it should flash green.

Next copy the contents of the code box to clipboard by left clicking and covering the text then right click inside the highlighted area and choose Copy:

C:\WINDOWS\system32\18773b9f.exe
C:\WINDOWS\system32\13f7c6c5.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\bdpn.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\win320924-13351104.exe
C:\WINDOWS\system32\ssec.exe
C:\Documents and Settings\Russ\Local Settings\Application Data\13f7c6c5.exe
C:\Documents and Settings\Russ\Local Settings\Application Data\18773b9f.exe
C:\PROGRA~1\MANTEC~1\explorer.exe
C:\PROGRA~1\MANTEC~1
C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe
C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\scanregw.dll
C:\WINDOWS\scanregw.dll
C:\WINDOWS\system32\tfthot.exe
C:\Program Files\Common Files\{B06BD4E8-086E-1033-0114-040607040001}\Update.exe
C:\Program Files\Common Files\{B06BD4E8-086E-1033-0114-040607040001}

After copying the above text to Clipboard click File on the killbox menu bar and choose Paste From Clipboard

Then press the Delete File button (Red Circle with a White X).

Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES

If you don't get that message, reboot manually.

Your computer should reboot now.

Finally can you export some information from your registry:

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad

if exist Export.txt del /q Export.txt

regedit /e Check1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
regedit /e Check2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
Type Check*.txt > Export.txt
del /q Check*.txt
regedit /e Uninstall1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]>>Uninstall.txt
FIND "DisplayName" < Uninstall1.txt | find /v "QuietDisplayName" | find /v "ParentDisplayName" | find /v "WebFldrs XP" >>Uninstall.txt
Type Uninstall.txt >>Export.txt
del /q Uninstall*.txt
Notepad Export.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will export the contents of the policy keys and the Uninstall key and open the information in notepad, please post the contents of that text file (Export.txt) back on the forum

Please then post back a new HijackThis log and the above reg export (Export.txt) , let us know if you have any problems or questions

Thanks

Andy

Nightraine · July 12, 2006

Export.txt --

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDriveAutoRun"=dword:00800200

"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

"wininet.dll"="regperf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]

"{17492023-C23A-453E-A040-C7C580BBF700}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001

"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

"{B06BD4E8-086E-1033-0114-040607040001}"="\"C:\\Program Files\\Common Files\\{B06BD4E8-086E-1033-0114-040607040001}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"DisplayName"="EA SPORTS online 2006"

"DisplayName"="Ad-Aware SE Personal"

"DisplayName"="Adobe Acrobat 5.0"

"DisplayName"="Adobe Download Manager 2.0 (Remove Only)"

"DisplayName"="AGEIA PhysX v2.3.3"

"#DisplayName"="Ahead Manuals and Guides"

"ShowDisplayName"=dword:00000000

"DisplayName"="Alarm Clock v1.0"

"DisplayName"="Alt WAV MP3 WMA OGG Converter Version 4.01"

"DisplayName"="Autodesk DWF Viewer"

"DisplayName"="AviSynth 2.5"

"DisplayName"="Azureus"

"DisplayName"="C-Media 3D Audio"

"DisplayName"="C-Media WDM Audio Driver"

"DisplayName"="CCleaner (remove only)"

"DisplayName"="CDisplay 1.8"

"DisplayName"="City of Villains/City of Heroes (remove only)"

"DisplayName"="Collab"

"DisplayName"="DirectVobSub (remove only)"

"DisplayName"="DOOM Collector's Edition"

"DisplayName"="DVD Shrink 3.2"

"DisplayName"="EMS 9.0 at 10.185.40.8"

"DisplayName"="EMS 9.0 at 10.185.41.8"

"DisplayName"="eMule"

"DisplayName"="Family Feud (remove only)"

"DisplayName"="ffdshow"

"DisplayName"="FL Studio 6"

"DisplayName"="GameSpy Arcade"

"DisplayName"="HijackThis 1.99.1"

"DisplayName"="Homeworld2"

"DisplayName"="EA downloader"

"DisplayName"="iTunes"

"DisplayName"="Lineage II"

"DisplayName"="Fable - The Lost Chapters"

"DisplayName"="Call of Duty® 2"

"DisplayName"="InterActual Player"

"DisplayName"="Inzomia viewer 1.60"

"DisplayName"="IsoBuster 1.9"

"DisplayName"="Windows XP Hotfix - KB873339"

"DisplayName"="Windows XP Hotfix - KB885250"

"DisplayName"="Windows XP Hotfix - KB885835"

"DisplayName"="Windows XP Hotfix - KB885836"

"DisplayName"="Windows XP Hotfix - KB886185"

"DisplayName"="Windows XP Hotfix - KB887472"

"DisplayName"="Windows XP Hotfix - KB888113"

"DisplayName"="Windows XP Hotfix - KB888302"

"DisplayName"="Windows XP Hotfix - KB891781"

"DisplayName"="Update for Windows XP (KB900485)"

"DisplayName"="Security Update for Windows XP (KB908531)"

"DisplayName"="Security Update for Windows XP (KB911280)"

"DisplayName"="Security Update for Windows XP (KB911562)"

"DisplayName"="Security Update for Windows XP (KB911567)"

"DisplayName"="Security Update for Windows XP (KB912812)"

"DisplayName"="Security Update for Windows XP (KB913580)"

"DisplayName"="Security Update for Windows XP (KB914389)"

"DisplayName"="Security Update for Windows XP (KB916281)"

"DisplayName"="Security Update for Windows XP (KB917344)"

"DisplayName"="Security Update for Windows Media Player 10 (KB917734)"

"DisplayName"="Security Update for Windows XP (KB917953)"

"DisplayName"="Security Update for Windows XP (KB918439)"

"DisplayName"="K-Lite Mega Codec Pack 1.53"

"DisplayName"="KXploit Tool"

"DisplayName"="Microsoft .NET Framework 1.1 Hotfix (KB886903)"

"DisplayName"="Microsoft .NET Framework 1.1"

"DisplayName"="Microsoft .NET Framework 2.0"

"DisplayName"="mIRC"

"DisplayName"="Mozilla (1.7.12)"

"DisplayName"="Mozilla Firefox (1.5.0.4)"

"#DisplayName"="InCD Reader"

"ShowDisplayName"=dword:00000000

"DisplayName"="MSN Music Assistant"

"#DisplayName"="Nero OEM"

"ShowDisplayName"=dword:00000000

"DisplayName"="Nero PhotoShow Elite"

"DisplayName"="Nero Suite"

"#DisplayName"="NeroVision Express 2"

"ShowDisplayName"=dword:00000000

"#DisplayName"="Nero Media Player"

"ShowDisplayName"=dword:00000000

"#DisplayName"="NeroVision Express Content"

"ShowDisplayName"=dword:00000000

"DisplayName"="NVIDIA Drivers"

"DisplayName"="Ogg Converter"

"DisplayName"="PowerISO"

"DisplayName"="PSP Video 9 1.62"

"DisplayName"="Logitechr Camera Driver"

"DisplayName"="Roguescanfix 1.4"

"DisplayName"="Skype 2.0"

"DisplayName"="Soldier of Fortune II - Double Helix"

"DisplayName"="Spybot - Search & Destroy 1.4"

"DisplayName"="TeamSpeak 2 RC2"

"DisplayName"="TotalBF2 Map Pack 3"

"DisplayName"="UniUploader"

"DisplayName"="Unreal Tournament"

"DisplayName"="VideoLAN VLC media player 0.8.4a"

"DisplayName"="VIA Rhine-Family Fast Ethernet Adapter"

"DisplayName"="Warez P2P Client 2.93"

"DisplayName"="Windows Genuine Advantage Validation Tool"

"DisplayName"="Windows Genuine Advantage Notifications (KB905474)"

"DisplayName"="WildTangent Web Driver"

"DisplayName"="Winamp (remove only)"

"DisplayName"="Windows Media Format Runtime"

"DisplayName"="Windows Media Player 10"

"DisplayName"="Windows XP Service Pack 2"

"DisplayName"="WinRAR archiver"

"DisplayName"="WinZip"

"DisplayName"="Windows Media Connect"

"DisplayName"="World of Warcraft"

"DisplayName"="Xbox 360 Controller for Windows"

"DisplayName"="Xfire (remove only)"

"DisplayName"="Yahoo! Toolbar"

"DisplayName"="Logitech iTouch Software"

"DisplayName"="Battlefield 2"

"DisplayName"="Lineage II"

"DisplayName"="Sunbelt CounterSpy"

"DisplayName"="Call of Duty® 2 Patch 1.2"

"DisplayName"="Prey"

"DisplayName"="EA downloader"

"DisplayName"="iTunes"

"DisplayName"="Lineage II"

"DisplayName"="FEAR"

"DisplayName"="J2SE Runtime Environment 5.0 Update 2"

"DisplayName"="J2SE Runtime Environment 5.0 Update 5"

"DisplayName"="J2SE Runtime Environment 5.0 Update 6"

"DisplayName"="Oblivion"

"DisplayName"="Star Wars Battlefront II"

"DisplayName"="Google Earth"

"DisplayName"="DAEMON Tools"

"DisplayName"="Pinnacle Game Profiler"

"DisplayName"="Battlefield 2: Special Forces"

"DisplayName"="VPN Client"

"DisplayName"="Logitech Gaming Software"

"DisplayName"="Windows Genuine Advantage v1.3.0254.0"

"DisplayName"="Microsoft Streets and Trips 2005"

"DisplayName"="Microsoft .NET Framework 2.0"

"DisplayName"="Ventrilo Client"

"DisplayName"="Belkin Wireless Utility"

"DisplayName"="Microsoft Office Professional Edition 2003"

"DisplayName"="Hitman Blood Money"

"DisplayName"="MSN Messenger 7.0"

"DisplayName"="Adobe Reader 7.0.8"

"DisplayName"="NASCARr Racing 2003 Season"

"DisplayName"="Fable - The Lost Chapters"

"DisplayName"="Logitech QuickCam Software"

"DisplayName"="Microsoft .NET Framework 1.1"

"DisplayName"="Call of Duty® 2"

"DisplayName"="GameDrive"

"DisplayName"="Black & Whiter 2"

"DisplayName"="Autodesk 3ds Max 8"

"DisplayName"="Rockbox version 2.5"

"DisplayName"="Ghost Recon Advanced Warfighter"

"DisplayName"="Sygate Personal Firewall"

HijackThis Logfile

Logfile of HijackThis v1.99.1

Scan saved at 2:43:31 PM, on 7/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

F:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

F:\Program Files\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

F:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wltray.exe

C:\Program Files\AGEIA Technologies\TrayIcon.exe

C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\wuauclt.exe