When a dialog box appears asking if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
Click on Start Scan.
After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
If any infections are found (after you save the logfile), click on Remove Infections.
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Risk: Medium
Name: TrackingCookie.Pointroll
Path: C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Risk: Medium
Name: TrackingCookie.Clickbank
Path: C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
Risk: Medium
Name: TrackingCookie.Com
Path: C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Risk: Medium
Name: TrackingCookie.Enhance
Path: C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt
Risk: Medium
Name: TrackingCookie.Fastclick
Path: C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
Risk: Medium
Name: TrackingCookie.Findwhat
Path: C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt
Risk: Medium
Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[1].txt
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
Risk: Medium
Name: TrackingCookie.Pro-market
Path: C:\Documents and Settings\Administrator\Cookies\administrator@pro-market[2].txt
Risk: Medium
Name: TrackingCookie.Questionmarket
Path: C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
Risk: Medium
Name: TrackingCookie.Revsci
Path: C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
Risk: Medium
Name: TrackingCookie.Liveperson
Path: C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[1].txt
Risk: Medium
Name: TrackingCookie.Msn
Path: C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt
Risk: Medium
Name: Adware.Generic
Path: C:\Program Files\MovieCommander
Risk: Medium
Name: Adware.Generic
Path: C:\Program Files\MovieCommander\Uninstall.exe
Risk: Medium
Name: Adware.BHO
Path: C:\Program Files\SpongeBob SquarePants Obstacle Odyssey\bfgt_silent_en.exe/nickarcade.dll
Risk: Medium
Name: Adware.BHO
Path: C:\Program Files\SpongeBob SquarePants Obstacle Odyssey\bfgt_silent_en.exe/nickarcade.dll
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp
Risk: Medium
Name: TrackingCookie.Atdmt
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp
Risk: Medium
Name: TrackingCookie.Webtrendslive
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp
Risk: Medium
Name: TrackingCookie.Clickbank
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp
Risk: Medium
Name: TrackingCookie.Com
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp
Risk: Medium
Name: TrackingCookie.Advertising
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E7.tmp
Risk: Medium
Name: TrackingCookie.Atdmt
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E8.tmp
Risk: Medium
Name: TrackingCookie.Casalemedia
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E9.tmp
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6EA.tmp
Risk: Medium
Name: TrackingCookie.Ru4
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6EB.tmp
Risk: Medium
Name: TrackingCookie.Fastclick
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6EC.tmp
Risk: Medium
Name: TrackingCookie.Mediaplex
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6EE.tmp
Risk: Medium
Name: TrackingCookie.Questionmarket
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6EF.tmp
Risk: Medium
Name: TrackingCookie.Realmedia
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F0.tmp
Risk: Medium
Name: TrackingCookie.Spylog
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F1.tmp
Risk: Medium
Name: TrackingCookie.Tradedoubler
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F2.tmp
Risk: Medium
Name: TrackingCookie.Trafficmp
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F3.tmp
Risk: Medium
Name: TrackingCookie.Tribalfusion
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F4.tmp
Risk: Medium
Name: TrackingCookie.Adserver
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F5.tmp
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC3.tmp
Risk: Medium
Name: TrackingCookie.Advertising
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC5.tmp
Risk: Medium
Name: TrackingCookie.Burstbeacon
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC6.tmp
Risk: Medium
Name: TrackingCookie.Burstnet
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC7.tmp
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC8.tmp
Risk: Medium
Name: TrackingCookie.Ru4
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC9.tmp
Risk: Medium
Name: TrackingCookie.Liveperson
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCB.tmp
Risk: Medium
Name: TrackingCookie.Questionmarket
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp
Risk: Medium
Name: TrackingCookie.Tacoda
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD1.tmp
Risk: Medium
Name: TrackingCookie.Tacoda
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD2.tmp
Risk: Medium
Name: TrackingCookie.Webtrends
Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD3.tmp
Risk: Medium
Name: TrackingCookie.Liveperson
Path: C:\WINDOWS\Temp\Cookies\administrator@sales.liveperson[1].txt
Risk: Medium
Name: TrackingCookie.Aavalue
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@aavalue[2].txt
Risk: Medium
Name: TrackingCookie.Specificclick
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@adopt.specificclick[1].txt
Risk: Medium
Name: TrackingCookie.Burstnet
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@burstnet[2].txt
Risk: Medium
Name: TrackingCookie.Aavalue
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@lovefreegames.aavalue[2].txt
Risk: Medium
Name: TrackingCookie.Real
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@realguide.real[1].txt
Risk: Medium
Name: TrackingCookie.Msn
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@search.msn[1].txt
Risk: Medium
Name: TrackingCookie.Burstbeacon
Path: F:\Old Computer\Documents and Settings\Stephen\Cookies\stephen@www.burstbeacon[1].txt
Risk: Medium
Name: TrackingCookie.Specificclick
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@adopt.specificclick[2].txt
Risk: Medium
Name: TrackingCookie.Bpath
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@ads15.bpath[1].txt
Risk: Medium
Name: TrackingCookie.Tacoda
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@anad.tacoda[1].txt
Risk: Medium
Name: TrackingCookie.Tacoda
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@anat.tacoda[1].txt
Risk: Medium
Name: TrackingCookie.Burstnet
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@burstnet[2].txt
Risk: Medium
Name: TrackingCookie.Overture
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@data2.perf.overture[1].txt
Risk: Medium
Name: TrackingCookie.Webtrends
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@m.webtrends[1].txt
Risk: Medium
Name: TrackingCookie.Liveperson
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@sales.liveperson[2].txt
Risk: Medium
Name: TrackingCookie.Burstbeacon
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@www.burstbeacon[1].txt
Risk: Medium
Name: TrackingCookie.Paypal
Path: F:\Old Computer\Documents and Settings\Sheri\Cookies\sheri@www.paypal[1].txt
Risk: Medium
Name: TrackingCookie.Admarketplace
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@ad.admarketplace[1].txt
Risk: Medium
Name: TrackingCookie.Specificclick
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@adopt.specificclick[1].txt
Risk: Medium
Name: TrackingCookie.Burstnet
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@burstnet[1].txt
Risk: Medium
Name: TrackingCookie.Enhance
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@c.enhance[2].txt
Risk: Medium
Name: TrackingCookie.Overture
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@data2.perf.overture[2].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@ehg-dig.hitbox[2].txt
Risk: Medium
Name: TrackingCookie.Real
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@guide.real[1].txt
Risk: Medium
Name: TrackingCookie.Real
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@realguide.real[1].txt
Risk: Medium
Name: TrackingCookie.Liveperson
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@sales.liveperson[2].txt
Risk: Medium
Name: TrackingCookie.Msn
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@search.msn[2].txt
Risk: Medium
Name: TrackingCookie.Burstbeacon
Path: F:\Old Computer\Documents and Settings\Sheri\Application Data\Earthlink\6.0\sheri.hall@earthlink.net\Cookies\sheri@www.burstbeacon[1].txt
Risk: Medium
Name: TrackingCookie.Msn
Path: F:\Old Computer\Documents and Settings\David\Application Data\Earthlink\6.0\poyam@earthlink.net\Cookies\david@search.msn[2].txt
Risk: Medium
Name: TrackingCookie.Tacoda
Path: F:\Old Computer\Documents and Settings\David\Cookies\david@anad.tacoda[1].txt
Risk: Medium
Name: TrackingCookie.Liveperson
Path: F:\Old Computer\Documents and Settings\David\Cookies\david@sales.liveperson[1].txt
Risk: Medium
Name: TrackingCookie.Live
Path: F:\Old Computer\Documents and Settings\David\Cookies\david@search.live[1].txt
Risk: Medium
Name: TrackingCookie.Msn
Path: F:\Old Computer\Documents and Settings\David\Cookies\david@search.msn[1].txt
Risk: Medium
Name: Adware.Aws
Path: F:\Old Computer\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Risk: Medium
Computer is running much better and is not redirecting anymore. Virus software keeps popping up finding the same malware w32/malwarehiderpatcched-based... but I guess that is what it's supposed to do. Thanks a million for all your help!
Logfile of HijackThis v1.99.1
Scan saved at 6:58:39 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
C:\System Volume Information\_restore{AF7A8AA9-674E-452E-8842-00362CD9E12A}\RP455\A0097556.exe/nickarcade.dll -> Adware.BHO : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-win2000mag.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
1.*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Download CCleaner from here to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced." Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
2. Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner".
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" -> "Scan Settings", and make sure the database is set to "extended". Check both the scan options. Then click OK.
5. Then click on "My Computer". The scan will start.
6. Once finished, save a log as ".txt" to the desktop.
Copy and post the results of the Kaspersky Online scan.
I think the computer is running correct now. Thanks for all your help!!
That's one computer down and one to go... Can you check out the following log from my laptop?
Thanks again.
This computer is running super slow and my Outlook won't work. It keeps telling me something about the contact manager files missing and restarts over and over again...
Logfile of HijackThis v1.99.1
Scan saved at 09:10, on 2007-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
bamajim, May 29th, 2007 00:00
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel:
If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns (the space between g and / is needed)
then hit Enter, type exit and hit Enter.
bamajim Graduate of MRU
zbestwun2001, May 29th, 2007 01:00
Message Edited by zbestwun2001 on 05-28-2007 08:09 PM
Redraiderttt, May 29th, 2007 02:00
Logfile of HijackThis v1.99.1
Scan saved at 10:07:33 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ArcadeRockstar\arcaderockstar32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: (no name) - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [arcaderockstar] "C:\Program Files\ArcadeRockstar\arcaderockstar32.exe"
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061023/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132020836918
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145054916656
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
Redraiderttt, May 29th, 2007 02:00
Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdlde.exe"
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
C:\WINDOWS\Temp\kdlde.ren 63874 08/04/2004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe\""
"arcaderockstar"="\"C:\\Program Files\\ArcadeRockstar\\arcaderockstar32.exe\""
"Earthlink Protection Control Center"="\"C:\\Program Files\\EarthLink\\EarthLink Protection Control Center\\BIN\\elnk_pcc2.exe\" /tray"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"InCD"="\"C:\\Program Files\\Ahead\\InCD\\InCD.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LGODDFU"="\"C:\\Program Files\\lg_fwupdate\\fwupdate.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"EPSON Stylus Photo RX500"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2K1.EXE\" /P24 \"EPSON Stylus Photo RX500\" /O6 \"USB001\" /M \"Stylus Photo RX500\""
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PowerBar"=""
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
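The two things worth checking by hand after a run like the one above are the Winlogon "System" value that the Prerun check caught (kdlde.exe, cleared in the Postrun check) and the per-interface DNS settings that the "Obtain DNS servers automatically" step resets. The script below is an added example written for this thread, not FixWareout's code and not something the helper posted: it parses a plain .reg text export (as produced by `reg export`) and reports Winlogon values that differ from the Windows XP defaults and Tcpip interfaces that have DHCP enabled but still carry a static NameServer override. The embedded export is constructed; the interface GUIDs and the 203.0.113.x addresses are placeholders, not values from this thread.

```python
r"""Audit a .reg text export for Winlogon persistence and a static DNS
override. Added example for this thread (not FixWareout's code).

  1. Winlogon: "System", "Shell" and "Userinit" under
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon are compared
     with their Windows XP defaults ("System" is normally empty).
  2. DNS: an interface with EnableDHCP=1 but a non-empty "NameServer" value
     is not obtaining DNS servers automatically; its queries go wherever
     NameServer points. Interfaces with EnableDHCP=0 are skipped, since a
     static DNS entry is expected there (the "option not available" case).

Export the keys with, e.g.:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
  reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" ifaces.reg
SAMPLE_REG below is constructed; GUIDs and 203.0.113.x addresses are placeholders.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFACE_PREFIX = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip"
                r"\Parameters\Interfaces" + "\\")

# Windows XP defaults, compared case-insensitively.
WINLOGON_DEFAULTS = {
    "system": "",
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Constructed sample export (see module docstring).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="kdlde.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"="203.0.113.10,203.0.113.11"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"=""
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text.
    REG_SZ values become str, dword values become int, others stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = _unescape(rhs[1:-1])
        elif rhs.startswith("dword:"):
            value = int(rhs[6:], 16)
        else:
            value = rhs
        keys[current][name] = value
    return keys


def audit_winlogon(reg):
    """Return [(value_name, actual)] for Winlogon values that differ from the XP default."""
    values = {k.lower(): v for k, v in reg.get(WINLOGON_KEY, {}).items()}
    return [(name, values.get(name, ""))
            for name, default in WINLOGON_DEFAULTS.items()
            if str(values.get(name, "")).lower() != default]


def audit_dns(reg):
    """Return [(interface_guid, static_servers, dhcp_servers)] for interfaces
    that have DHCP enabled yet override the DHCP-supplied DNS via NameServer."""
    findings = []
    for key, values in reg.items():
        if not key.startswith(IFACE_PREFIX):
            continue
        static = str(values.get("NameServer", "")).strip()
        if static and values.get("EnableDHCP") == 1:
            findings.append((key[len(IFACE_PREFIX):],
                             re.split(r"[ ,]+", static),
                             values.get("DhcpNameServer", "")))
    return findings


def audit(reg_text):
    reg = parse_reg(reg_text)
    return {"winlogon": audit_winlogon(reg), "dns": audit_dns(reg)}


if __name__ == "__main__":
    for section, items in audit(SAMPLE_REG).items():
        print(section, items or "clean")
```

On the sample it reports the non-empty Winlogon "System" value and the first interface, whose static 203.0.113.x servers shadow the DHCP-supplied 192.168.1.1. Clearing NameServer is exactly what the "Obtain DNS servers automatically" radio button does; the `ipconfig /flushdns` that follows matters because answers already cached from the rogue servers stay valid until they expire.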
zbestwun2001, May 29th, 2007 02:00
I apologize this was the wrong thread, sorry Jim
Steve
bamajim, May 29th, 2007 12:00
1. Rerun HijackThis (scan only) and place a check beside the following entry:
- R3 - URLSearchHook: (no name) - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - (no file)
Close all other open windows except HijackThis and select "Fix checked". Close HijackThis.
2. Please perform an Ewido Online Malware Scan
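The entry picked out above is the one line in the log whose target no longer exists: a dead hook is harmless by itself but is the usual residue of an earlier removal, and it is safe to fix. The script below is an added example for this thread, not part of HijackThis and not something the helper posted. It parses the R/O entry lines of a HijackThis 1.99 log and flags entries marked "(no file)" or "(file missing)", and O4/O20/O23 entries whose binary sits outside Program Files or Windows, or under a Temp or user-profile directory (where the FixWareout report found kdlde.ren). The sample log is constructed from lines copied out of the log posted earlier in this thread plus one made-up O4 line (sample.exe is a placeholder name) to exercise the location check.

```python
r"""Triage a HijackThis 1.99 log. Added example for this thread, not part of
HijackThis. Flags two classes of entry:

  - orphans: target is "(no file)" or "(file missing)";
  - odd locations: O4 autoruns, O20 Winlogon Notify DLLs and O23 services
    loading from outside Program Files / Windows, or from anywhere under a
    Temp, user-profile or Recycler directory.

SAMPLE_LOG: the first seven entry lines are copied from the thread's log;
the final O4 line is constructed (sample.exe is a placeholder).
"""
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
SUSPICIOUS_PARTS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")
# A quoted path is preferred; otherwise take a bare drive path up to a known extension.
_QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
_BARE_PATH = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|lnk|sys|cpl|ocx))", re.I)

SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O4 - HKLM\..\Run: [sample] C:\WINDOWS\Temp\sample.exe
'''


def parse_hjt(text):
    """Return [(section, body)] for every R*/O* entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def target_path(body):
    """Best-effort extraction of the file an entry loads, or None."""
    m = _QUOTED_PATH.search(body) or _BARE_PATH.search(body)
    return m.group(1) if m else None


def find_orphans(entries):
    """Entries whose target HijackThis could not find on disk."""
    return [(sec, body) for sec, body in entries
            if any(mk in body for mk in ORPHAN_MARKERS)]


def find_odd_locations(entries):
    """O4/O20/O23 entries whose binary lives in a user-writable or unexpected place."""
    odd = []
    for sec, body in entries:
        if sec not in ("O4", "O20", "O23"):
            continue
        path = target_path(body)
        if path is None:
            continue
        low = path.lower()
        if any(p in low for p in SUSPICIOUS_PARTS) or not low.startswith(TRUSTED_ROOTS):
            odd.append((sec, path))
    return odd


def triage(text):
    entries = parse_hjt(text)
    return {"orphans": find_orphans(entries), "odd_locations": find_odd_locations(entries)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Against the sample it lists three orphans (the R3 hook above, the xpnetdiag O9 button and the EarthLink O23 service with a missing file) and one odd-location autorun, the constructed Temp entry. The location heuristic is only a prompt for a closer look: a vendor that installs under a profile directory will trip it, while malware sitting in System32 under a plausible name will not, which is why the thread still sends the kdlde file to VirusTotal/Jotti rather than judging it by path alone.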
Redraiderttt, May 31st, 2007 02:00
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
bamajim
10.4K Posts
May 31st, 2007 14:00
Redraiderttt
8 Posts
June 1st, 2007 11:00
Scan saved at 6:58:39 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ArcadeRockstar\arcaderockstar32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\AuthFw.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [arcaderockstar] "C:\Program Files\ArcadeRockstar\arcaderockstar32.exe"
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061023/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132020836918
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145054916656
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
bamajim
10.4K Posts
June 1st, 2007 14:00
We'd better take another look.
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Redraiderttt
8 Posts
June 2nd, 2007 17:00
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Administrator\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\DOCUME~1\ADMINI~1\Desktop\internet.lnk"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NWSAPAGENT
-------\NwSapAgent
((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))
2007-05-28 21:48 9,089 --a------ C:\dnsbak.reg
2007-05-28 13:36 81,024 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-05-28 13:36 105,856 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-05-28 13:35 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-05-28 12:53 164 --a------ C:\install.dat
2007-05-27 22:29 1,445,888 --ah----- C:\AFCache.dat
2007-05-27 17:55 98,304 --a------ C:\WINDOWS\system32\E_SAGSET.DLL
2007-05-27 17:55 79,622 --a------ C:\WINDOWS\system32\EBPMON24.DLL
2007-05-27 17:55 64,000 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2007-05-27 17:55 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2007-05-27 17:48 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-05-27 17:47 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-27 17:40 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-05-27 17:40 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-02 14:28:35 -------- d-----w C:\Program Files\Common Files\Command Software
2007-06-01 23:02:59 -------- d-----w C:\Program Files\ArcadeRockstar
2007-05-31 03:55:49 -------- d-----w C:\Program Files\SpongeBob SquarePants Obstacle Odyssey
2007-05-28 03:29:06 -------- d-----w C:\Program Files\Common Files\ADS
2007-05-26 15:30:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 15:29:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-26 01:41:57 -------- d-----w C:\Program Files\LEGO Media
2007-05-26 00:33:26 -------- d-----w C:\Program Files\QuickTime
2007-05-26 00:31:47 -------- d-----w C:\Program Files\Apple Software Update
2007-04-23 00:30:15 -------- d-----w C:\Program Files\Microsoft WSE
2007-04-23 00:29:52 -------- d-----w C:\Program Files\EarthLink
2007-04-23 00:29:13 -------- d-----w C:\Program Files\Common Files\EarthLink Protection Control Center
2007-04-23 00:28:39 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 01:11:03 1,187,840 ----a-w C:\AluriaCacheFile.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
{00000000-0000-0000-0000-000000000002}=C:\Program Files\EarthLink\Toolbar\EScamBlk.dll [2003-12-20 23:18]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 21:12]
{15F4D456-5BAA-4076-8486-EECB38CD3E57}=C:\Program Files\EarthLink\Toolbar\EScamBlk.dll [2003-12-20 23:18]
{512ACF1B-64D9-4928-B382-A80556F28DB4}=C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll [2003-12-20 23:18]
{9579D574-D4D8-4335-9560-FE8641A013BD}=C:\Program Files\EarthLink\Toolbar\ProtctIE.dll [2003-12-20 23:18]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{E713904C-DF05-4C79-BBAD-02DB923253BE}=C:\Program Files\EarthLink\Toolbar\uninsttb.dll [2003-12-20 23:18]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"Earthlink Protection Control Center"="C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-04-26 11:21]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 09:25]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-05-16 09:35]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"PowerBar"="" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-04 20:20]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
2007-05-28 14:16:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
Rootkit scan 2007-06-02 13:28:03
Windows 5.1.2600 Service Pack 2 NTFS
PowerBar = ????????l?@?????????D??????w???????????????wl?@?l?@????? ???????????g??w???w???????w???wx??????????w???????? ??????????????|x???0????????????C?g???w????????????????3h??????????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@
hidden files: 0
********************************************************************
C:\ComboFix-quarantined-files.txt ... 2007-06-02 13:32
Redraiderttt
8 Posts
June 2nd, 2007 20:00
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-win2000mag.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
::Report end
bamajim
10.4K Posts
June 3rd, 2007 00:00
I see nothing there.
1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Download CCleaner from here to clean temp files from your computer.
2. Run an online virus scan called Kaspersky from HERE.
- 1. Click on "Kaspersky Online Scanner".
- 2. A new smaller window will pop up. After reading the contents, press on "Accept".
- 3. Now Kaspersky will update the anti-virus database. Let it run.
- 4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
- 5. Then click on "My Computer". And the scan will start.
- 6. Once finished, save a log as ".txt" to the desktop.
Copy and post the results of the Kaspersky Online scan.
Redraiderttt
8 Posts
June 9th, 2007 13:00
Scan saved at 09:10, on 2007-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = headquarters.bajcoind.com
O17 - HKLM\Software\..\Telephony: DomainName = headquarters.bajcoind.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = headquarters.bajcoind.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = headquarters.bajcoind.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = headquarters.bajcoind.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
bamajim
June 10th, 2007 11:00
I don't see anything malware/spyware related in that log. I would run CCleaner on it, if you have not already done so.
The error you are getting is an error in Outlook. You may want to refer to this Link to see if that will help you resolve the issue.
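The log above is read by eye in this thread; the script below is an added example, not part of the original posts and not HijackThis's own code, showing how a reviewer can parse the `R*`/`O*` entry lines mechanically and mark the ones worth a second look. The heuristics (unnamed components, references to missing files, services with no vendor string, O17 domain settings, R3 search hooks, one DLL registered under several CLSIDs) are the reviewer's own assumptions about what deserves attention; a flag means "inspect this", not "this is malware". The sample entries are copied from the log in the thread and embedded as a constructed input so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A HijackThis entry line is "<section> - <description>", where the section is
# R0..R3 or O1..O24. Header lines and the running-process list do not match
# this pattern and are skipped by the parser.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample input: a subset of the entries posted in the log above.
SAMPLE_LOG = r"""
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = headquarters.bajcoind.com
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per R*/O* line; everything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("sec"), body, c.group(0).upper() if c else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags (assumed heuristics) and return only flagged entries."""
    for e in entries:
        b = e.body
        if "(no name)" in b:
            e.flags.append("unnamed component")
        if "(no file)" in b or "(file missing)" in b:
            e.flags.append("registry entry points at a file that is not present")
        if "Unknown owner" in b:
            e.flags.append("service with no vendor string")
        if e.section == "O17":
            e.flags.append("domain/DNS setting: confirm it matches the expected network")
        if e.section == "R3":
            e.flags.append("URLSearchHook: verify the DLL belongs to an intended toolbar")
    return [e for e in entries if e.flags]


def shared_dlls(entries: List[Entry]) -> Dict[str, List[Tuple[str, str]]]:
    """Group CLSID-bearing entries by the path at the end of the line and keep
    paths registered more than once: one DLL under several CLSIDs is a pattern
    a reviewer wants to see grouped rather than scattered across sections."""
    by_path: Dict[str, List[Tuple[str, str]]] = {}
    for e in entries:
        if e.clsid is None:
            continue
        path = e.body.rsplit(" - ", 1)[-1].strip()
        by_path.setdefault(path, []).append((e.section, e.clsid))
    return {p: refs for p, refs in by_path.items() if len(refs) > 1}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in triage(parsed):
        print(f"{e.section}: {'; '.join(e.flags)}\n    {e.body}")
    for path, refs in shared_dlls(parsed).items():
        print(f"shared DLL {path}: {refs}")
```

Run it over a whole saved log instead of `SAMPLE_LOG` by reading the file with `encoding="mbcs"` on Windows (HijackThis 1.99 writes ANSI text). The output is a worklist: each flagged line still has to be judged against what the machine is supposed to have installed, exactly as the reply above does by hand.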