Ron Kinner could you help?


Justyn

Dear Ron, Bob Chamberlain said you would be able to help with problems I'm having with adware that evades detection. My homepage is constantly altered to find-more, as you can see. I've noticed I've got C-Dilla in system32, but I've read this is connected to ABBYY FineReader, so I didn't want to try and remove it until I am sure it's causing the problems. Thanks in advance if you can help. The HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:54, on 07/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\mstask.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\twain_32\B12U12K\WATCH.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-everything.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.find-more.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AutoLoader2spz1JSgMYXN] "C:\WINDOWS\system32\lcpfile.exe" /HideDir /HideUninstall /PC="CP.CDT4" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [2F6P37P] lcpfile.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT
O4 - HKCU\..\Run: [mstask] C:\WINDOWS\system32\mstask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\B12U12K\WATCH.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {98296527-3BF1-44B8-A3A5-FA9848DA5C40} - http://www.medion.co.uk (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D3BDABBE-C546-48B2-A17C-17D73A857861} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D3BDABBE-C546-48B2-A17C-17D73A857861} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111602301840
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4025.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA53E4BA-7845-4783-A8C4-77BDC5E17593}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
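As an added example (not code from this thread or from HijackThis), here is a small triage script for a log like the one above. It flags R0/R1 search and start-page entries whose host is not on an allow-list, O4 Run entries whose command line carries /Hide-style switches, and any other Run entry that launches the same binary as a flagged one, which is how the two lcpfile.exe entries belong together. The allow-list (Google and the ISP, Freeserve) and the sample lines are constructed assumptions; the script only reads text and changes nothing on the machine.

```python
"""Triage an Internet Explorer hijack in a HijackThis-style log (added example)."""
import re
from urllib.parse import urlsplit

# Constructed allow-list: the search engine and the ISP this user expects to see.
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.freeserve.com"}

# Constructed sample: a subset of the entry types that appear in the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-everything.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoLoader2spz1JSgMYXN] "C:\WINDOWS\system32\lcpfile.exe" /HideDir /HideUninstall /PC="CP.CDT4" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [2F6P37P] lcpfile.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
"""

R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")          # "R1 - key,value = data"
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")     # "O4 - hive\..\Run: [name] command"
HIDE_SWITCH = re.compile(r"/Hide\w*", re.IGNORECASE)      # /HideDir, /HideUninstall, ...


def host_of(value):
    """Hostname of an IE start/search value; bare 'www.x.com' values are accepted."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower() or None


def exe_basename(command):
    """File name of the program a Run command starts (quoted or bare first token)."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (log line, reason) pairs that deserve a human look."""
    findings, run_entries = [], []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            host = host_of(m.group(3))
            if host is not None and host not in trusted_hosts:
                setting = m.group(2).split(",")[-1]
                findings.append((line, f"IE {setting} points at untrusted host {host}"))
            continue
        m = O4_LINE.match(line)
        if m:
            run_entries.append((line, m.group(2), m.group(3)))

    # Pass 1: Run entries that try to hide their directory or uninstaller.
    flagged_exes = set()
    for line, name, command in run_entries:
        if HIDE_SWITCH.search(command):
            findings.append((line, f"Run entry [{name}] uses hide switches"))
            flagged_exes.add(exe_basename(command))

    # Pass 2: companions, i.e. other Run entries starting an already-flagged binary.
    for line, name, command in run_entries:
        exe = exe_basename(command)
        if exe in flagged_exes and not HIDE_SWITCH.search(command):
            findings.append((line, f"Run entry [{name}] launches already-flagged {exe}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Feed it the full log and it reproduces the R0/R1 and O4 lines Ron picks out below; entries it does not flag (such as [adiras] adiras.exe, a bare name with no flagged companion) still need a human's judgement, so treat the output as a worklist, not a verdict.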
 

D@annyBoy

You shouldn't have posted the file here; instead, ping Ron, get his email and send it to him.

--

D@nnyBoy
Have you tried posting your problems
not related to MS AntiSpyware to
news://msnews.microsoft.com
 

D@annyBoy

Create a new message with the following in the subject:

"Ping - Ron - want to send hijack log to you"

--

D@nnyBoy
Have you tried posting your problems
not related to MS AntiSpyware to
news://msnews.microsoft.com
 

Guest

OK, thanks for that.
 

Ron Kinner

Hey, I live in Florida - Eastern Daylight Time. Got to sleep sometime, you know. I had 4 HijackThis logs in my mailbox this morning when I came in to work and was just getting ready to check the forums when I got an email from Bill Sanderson alerting me to your post.

Get a copy of winsockxpfix.exe before you do anything. This is just a safety item in case you can't get on the internet afterwards.

http://www.iup.edu/house/resnet/winfix.shtm

Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let it clean anything yet.

Now reboot into Safe Mode (start tapping F8 as soon as you see the PC maker's logo and keep tapping till it brings up the menu) and select Safe Mode (without Networking - the top menu item).


Do Start, Run, cmd, OK to bring up a cmd window. (Or you can do Start, All Programs, Accessories, Command Prompt, which does the same but requires me to type a lot more.)

Type each line and put an Enter at the end of each line:

dir /s \ > c:\junk1.txt
dir /ah /s \ > c:\junk2.txt

(Repeating the same with extra spaces so you can see the
spaces better:)

dir /s \ > c:\junk1.txt
dir /ah /s \ > c:\junk2.txt

The above is just more insurance. If we have to come back and hunt for the malware's friends, I want to be able to look at the dates of the malware we know.

Now run HijackThis and do a Scan only.

Check the following and then Fix Checked. Ignore any warnings.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-everything.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.find-more.net/sp.htm

O4 - HKLM\..\Run: [AutoLoader2spz1JSgMYXN] "C:\WINDOWS\system32\lcpfile.exe" /HideDir /HideUninstall /PC="CP.CDT4" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [2F6P37P] lcpfile.exe

Now run ccleaner.exe. On the first page, uncheck everything but the two lines that have the word Temporary in them, then Run Cleaner.

Reboot, make a new HijackThis log and send it to me, and let's see how we did.

If you have any problems with the instructions just ask.



Ron

(e-mail address removed)
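The two dir listings Ron asks for are a baseline for timestamp pivoting: once one malware file is known, other files written at about the same time are candidates for its "friends". As an added example (not code from this thread), the script below parses saved `dir /s` and `dir /ah /s` output and returns every file whose timestamp falls within a window of a known-bad file, marking which ones came from the hidden-file listing. It assumes UK date order (DD/MM/YYYY, the poster's locale) and 24-hour times; the two listings, their file names and sizes are constructed, including the placeholder files ex_companion.dll and ex_hidden.dat.

```python
"""Timestamp pivot over saved 'dir /s' listings (added example)."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "path when size hidden")

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# dd/mm/yyyy  HH:MM  (<DIR> or a comma-grouped size)  name
FILE_ROW = re.compile(
    r"^(\d{2})/(\d{2})/(\d{4})\s+(\d{2}):(\d{2})\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

# Constructed sample of 'dir /s \' output (visible files); sizes are made up.
SAMPLE_VISIBLE = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\WINDOWS\\system32

07/04/2005  10:41    <DIR>          .
07/04/2005  10:41    <DIR>          ..
05/04/2005  21:17            40,960 lcpfile.exe
05/04/2005  21:18             8,192 lcpfile.dat
14/08/2004  12:00         1,032,192 ntoskrnl.exe
               3 File(s)      1,081,344 bytes

 Directory of C:\\WINDOWS

05/04/2005  21:19            24,576 ex_companion.dll
14/08/2004  12:00         1,032,192 explorer.exe
               2 File(s)      1,056,768 bytes
"""

# Constructed sample of 'dir /ah /s \' output (hidden files only).
SAMPLE_HIDDEN = """\
 Directory of C:\\WINDOWS\\system32

05/04/2005  21:17             1,024 ex_hidden.dat
               1 File(s)          1,024 bytes
"""


def parse_dir_listing(text, hidden=False, day_first=True):
    """Turn a 'dir /s' listing into Entry records; directory rows are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1).rstrip("\\")
            continue
        m = FILE_ROW.match(line)
        if not m or current is None or m.group(6) == "<DIR>":
            continue
        a, b, year, hh, mm, size, name = m.groups()
        day, month = (a, b) if day_first else (b, a)
        when = datetime(int(year), int(month), int(day), int(hh), int(mm))
        entries.append(Entry(current + "\\" + name, when,
                             int(size.replace(",", "")), hidden))
    return entries


def files_near(entries, known_bad_name, window=timedelta(minutes=10)):
    """Files whose timestamp lies within `window` of any file named known_bad_name."""
    suffix = "\\" + known_bad_name.lower()
    anchors = [e for e in entries if e.path.lower().endswith(suffix)]
    if not anchors:
        raise ValueError(f"{known_bad_name} not present in listing")
    hits = [e for e in entries
            if e not in anchors and any(abs(e.when - a.when) <= window for a in anchors)]
    return sorted(hits, key=lambda e: (e.when, e.path))


def timeline_report(visible_text, hidden_text, known_bad_name):
    """Merge both listings and return (path, 'YYYY-MM-DD HH:MM', hidden) rows."""
    entries = (parse_dir_listing(visible_text)
               + parse_dir_listing(hidden_text, hidden=True))
    return [(e.path, e.when.strftime("%Y-%m-%d %H:%M"), e.hidden)
            for e in files_near(entries, known_bad_name)]


if __name__ == "__main__":
    for path, when, hidden in timeline_report(SAMPLE_VISIBLE, SAMPLE_HIDDEN, "lcpfile.exe"):
        print(f"{when}  {'H' if hidden else ' '}  {path}")
```

On a real machine the two text files are the junk1.txt and junk2.txt Ron has the user create, and the window is a judgement call: a dropper usually writes its files within seconds of each other, but a ten-minute window also catches files the installer touched afterwards. A file that only appears in the /ah listing is worth a closer look simply because legitimate programs rarely hide their own components.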
 

Guest

Dear Ron

Thanks for the advice. I live in the UK, so I follow a slightly different sleep time. I do appreciate your advice and hope you don't think for a second I was demanding help (as someone has told me I seemed to be). I will give what you advise a go. I would love to get my hands on the complete gits who send out this adware cr*p!!

 

Steve Dodson [MSFT]

Is Microsoft Antispyware not removing c-dilla?

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 

Ron Kinner

-----Original Message-----
Is Microsoft Antispyware not removing c-dilla?

The problem with removing C-Dilla is that supposedly legitimate programs like TurboTax 2002 will force you to run it. Apparently it keeps you from copying their software, and if you take it away their software stops running. Enough customers protested to TurboTax about this resource hog (which ran even when TurboTax wasn't running) that they stopped using it.

Ad-Aware (or was it Spybot?) used to detect it but not automatically check it for removal, for that reason. Also, if you remove the file without disabling the service you have major problems with the PC on boot.

It did try to call back to the mothership, per my ZoneAlarm, and attempted to disguise its identity when it did so. It came up as a bunch of ?'s in the ZoneAlarm alert. It would be nice if AntiSpy flagged it. I don't think it does, but I can't be sure. I had it on my other PC, but disabled. I may have removed the files before I installed AntiSpy, but I don't remember.

I don't believe it's his problem, though. He has enough other problems to account for his symptoms.

Ron