
trouble, check this please?


mrsbaumer
09-08-2006, 01:16 AM
Logfile of HijackThis v1.99.1
Scan saved at 4:12:22 AM, on 9/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\program files\popupwithcast\septpop06apsept.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\SMANTE~1\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Documents and Settings\The Baums\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {B741EFF9-5039-7E90-1480-72E29B787093} - C:\WINDOWS\System32\ovulv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsxAD.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B741EFF9-5039-7E90-1480-72E29B787093} - C:\WINDOWS\System32\ovulv.dll
O2 - BHO: (no name) - {D640D960-734D-482E-9BB0-60BFA24B8A7B} - C:\WINDOWS\System32\nnljh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PlayNowGames] C:\Program Files\PlayNow\PlayNowClient.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Etuo] "C:\WINDOWS\System32\SMANTE~1\rundll32.exe" -vt yazb
O4 - Startup: .protected
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/1c8/uploader2.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\THEBAU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/183d57ffb183f5cfda06/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154064317853
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\THEBAU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE4F2ED-B334-466D-9ABF-2E18CBBB6BAD}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ntvdm.dll C:\WINDOWS\System32\ntvdm.dll
O20 - Winlogon Notify: nnljh - C:\WINDOWS\System32\nnljh.dll (file missing)
O20 - Winlogon Notify: winfvy32 - winfvy32.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

nightowl
09-08-2006, 10:11 PM
Download The Stand Alone Version of CW Shredder, Spybot, AdAware (Links at the bottom of my message). If you have them already make sure they are up to date.


You may want to print this out
Unplug the internet from your computer
Reboot To Safe Mode (tap F8 on Startup)


Delete these Files and/or Folders

C:\program files\popupwithcast\septpop06apsept.exe



Still In Safe Mode Open up Hijack This and Place a check next to each of these and click Fix Checked.

R3 - URLSearchHook: (no name) - {B741EFF9-5039-7E90-1480-72E29B787093} - C:\WINDOWS\System32\ovulv.dll

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsxAD.dll

O2 - BHO: (no name) - {B741EFF9-5039-7E90-1480-72E29B787093} - C:\WINDOWS\System32\ovulv.dll
O2 - BHO: (no name) - {D640D960-734D-482E-9BB0-60BFA24B8A7B} - C:\WINDOWS\System32\nnljh.dll (file missing)

O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Etuo] "C:\WINDOWS\System32\SMANTE~1\rundll32.exe" -vt yazb
O4 - Startup: .protected
O4 - Global Startup: .protected

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.ed...vex-2.0.5.0.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\THEBAU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/183d57f...ip/RdxIE601.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\THEBAU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - AppInit_DLLs: ntvdm.dll C:\WINDOWS\System32\ntvdm.dll
O20 - Winlogon Notify: nnljh - C:\WINDOWS\System32\nnljh.dll (file missing)
O20 - Winlogon Notify: winfvy32 - winfvy32.dll (file missing)

Still In Safe Mode Delete all Temporary Internet Files, Cookies, Run CW Shredder, AdAware and Spybot, Delete what they find, Empty Recycle Bin.

Plug the internet back in and Reboot to normal mode and run AVG Antivirus, Reboot again and post a new log.........Jim
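Jim's list above is built from a few recurring patterns in the log: registrations whose file is already gone ("file missing"), a site added to the IE Trusted Zone, downloaded ActiveX controls (O16) with no source or with a local CHM file as source, an AppInit_DLLs hook, and executables that carry the name of a Windows system binary but live outside System32 (the SMANTE~1\rundll32.exe entry). The script below is an added example, not part of the thread and not a HijackThis feature: it applies those same rules to HijackThis v1.99-style log lines so a helper can triage a pasted log before reading it line by line. The SAMPLE_LOG is a constructed excerpt modelled on the first log in this thread; the rule wording, the function names and the SYSTEM_BINARIES list are this example's own choices.

```python
"""Triage heuristics for HijackThis v1.99-style log lines (added example;
not part of the original thread and not a HijackThis feature)."""
import fnmatch
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reasons text")

# Windows binaries that malware likes to imitate; a file with one of these
# names (or a one-character look-alike) belongs only in the Windows dirs.
SYSTEM_BINARIES = ("lsass.exe", "smss.exe", "csrss.exe", "svchost.exe",
                   "services.exe", "winlogon.exe", "rundll32.exe", "explorer.exe")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
PROFILE_DIR_HINTS = ("\\temp\\", "\\application data\\", "\\local settings\\")

LINE_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)
O16_PREFIX_RE = re.compile(r"^DPF: \{[^}]*\}(?: \([^)]*\))?\s*-?\s*")


def check_executable(path):
    """Reasons to distrust an executable path, or [] if nothing stands out."""
    reasons = []
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    if directory not in SYSTEM_DIRS:
        # HijackThis prints non-ASCII characters as "?", so the logged name is
        # used as an fnmatch pattern: l?ass.exe then matches lsass.exe.
        pattern = name.replace("[", "[[]")
        for sysname in SYSTEM_BINARIES:
            if fnmatch.fnmatchcase(sysname, pattern):
                reasons.append(f"system binary name {sysname} outside System32")
                break
    if any(hint in low for hint in PROFILE_DIR_HINTS):
        reasons.append("executable under user profile or temp directory")
    return reasons


def classify(section, body):
    """Reasons to review one R*/O* entry; the rules mirror the removal list."""
    reasons = []
    low = body.lower()
    if "(file missing)" in low:
        reasons.append("registered component whose file is missing (orphaned hook)")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone (weaker security settings)")
    elif section == "O16":
        src = O16_PREFIX_RE.sub("", body).strip()
        if not src:
            reasons.append("downloaded ActiveX control with no recorded source")
        elif src.lower().startswith(("mk:@msitstore:", "ms-its:")):
            reasons.append("ActiveX control installed from a local CHM file")
    elif section == "O20" and low.startswith("appinit_dlls:"):
        if low.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs set: DLL loaded into every user-mode process")
    elif section == "O4":
        m = EXE_RE.search(body)
        if m:
            reasons.extend(check_executable(m.group(1)))
    return reasons


def triage(log_text):
    """Return a Finding for every log line that trips at least one rule."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = LINE_RE.match(line)
        if m is None:
            if in_procs and re.match(r"^[A-Za-z]:\\", line):
                reasons = check_executable(line)
                if reasons:
                    findings.append(Finding("PROC", tuple(reasons), line))
            continue
        in_procs = False
        reasons = classify(m.group("section"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), tuple(reasons), line))
    return findings


# Constructed excerpt modelled on the first log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\SMANTE~1\rundll32.exe
C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe
O2 - BHO: (no name) - {D640D960-734D-482E-9BB0-60BFA24B8A7B} - C:\WINDOWS\System32\nnljh.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Etuo] "C:\WINDOWS\System32\SMANTE~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Hzlrw] C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\THEBAU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: ntvdm.dll C:\WINDOWS\System32\ntvdm.dll
O20 - Winlogon Notify: winfvy32 - winfvy32.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.text}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run on the sample it reports ten entries and leaves the AVG, PCPitstop and lsass.exe-in-System32 lines alone. The rules are deliberately narrow: an O16 entry with an http source or an O4 entry under Program Files is not flagged, because the thread shows plenty of legitimate ones, and the missing-file rule only says a registration is orphaned, not what removed the file.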

mrsbaumer
09-09-2006, 06:38 PM
Hi Jim,
thanks for taking the time to help me out
Here is the new scan

Logfile of HijackThis v1.99.1
Scan saved at 9:35:51 PM, on 9/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\The Baums\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {6A39A944-4881-6E73-A0DF-6743B16AA797} - C:\WINDOWS\System32\eqf.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A6BAA10-1CD5-3B29-A1DF-6743B16AA092} - C:\WINDOWS\System32\qwlar.dll (file missing)
O2 - BHO: (no name) - {6A39A944-4881-6E73-A0DF-6743B16AA797} - C:\WINDOWS\System32\eqf.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsxAD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Hzlrw] C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe
O4 - Startup: .protected
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/1c8/uploader2.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\THEBAU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/183d57ffb183f5cfda06/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154064317853
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE4F2ED-B334-466D-9ABF-2E18CBBB6BAD}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ntvdm.dll C:\WINDOWS\System32\ntvdm.dll
O20 - Winlogon Notify: nnljh - C:\WINDOWS\System32\nnljh.dll (file missing)
O20 - Winlogon Notify: winfvy32 - winfvy32.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

nightowl
09-10-2006, 09:45 PM
Download the trial version of Spy Sweeper from Here

http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02&WRSID=47e1dc08d597a7ec64bf9729da8fd856

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Results from the Spy Sweeper file into this thread..........Jim

mrsbaumer
09-11-2006, 06:51 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:46:06 AM, on 9/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\The Baums\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R3 - URLSearchHook: (no name) - {6A39A944-4881-6E73-A0DF-6743B16AA797} - C:\WINDOWS\System32\eqf.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A6BAA10-1CD5-3B29-A1DF-6743B16AA092} - C:\WINDOWS\System32\qwlar.dll (file missing)
O2 - BHO: (no name) - {6A39A944-4881-6E73-A0DF-6743B16AA797} - C:\WINDOWS\System32\eqf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] "C:\WINDOWS\p_981116.exe" /Q:A
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Hzlrw] "C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe"
O4 - Startup: .protected
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/1c8/uploader2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/183d57ffb183f5cfda06/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154064317853
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE4F2ED-B334-466D-9ABF-2E18CBBB6BAD}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ntvdm.dll C:\WINDOWS\System32\ntvdm.dll
O20 - Winlogon Notify: nnljh - C:\WINDOWS\System32\nnljh.dll (file missing)
O20 - Winlogon Notify: winfvy32 - winfvy32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

SpySweeper Log -
8:58 AM: | Start of Session, Monday, September 11, 2006 |
********
9:36 AM: Removal process completed. Elapsed time 00:00:33
9:36 AM: Quarantining All Traces: hermoment.com cookie
9:36 AM: Quarantining All Traces: upspiral cookie
9:36 AM: Quarantining All Traces: redzip cookie
9:36 AM: Quarantining All Traces: expage cookie
9:36 AM: Quarantining All Traces: adminder cookie
9:36 AM: Quarantining All Traces: clicktracks cookie
9:36 AM: Quarantining All Traces: statcounter cookie
9:36 AM: Quarantining All Traces: servlet cookie
9:36 AM: Quarantining All Traces: search123 cookie
9:36 AM: Quarantining All Traces: tvguide cookie
9:36 AM: Quarantining All Traces: rn11 cookie
9:36 AM: Quarantining All Traces: passion cookie
9:36 AM: Quarantining All Traces: partypoker cookie
9:36 AM: Quarantining All Traces: realmedia cookie
9:36 AM: Quarantining All Traces: webtrends cookie
9:36 AM: Quarantining All Traces: infospace cookie
9:36 AM: Quarantining All Traces: ic-live cookie
9:36 AM: Quarantining All Traces: screensavers.com cookie
9:36 AM: Quarantining All Traces: howstuffworks cookie
9:36 AM: Quarantining All Traces: gostats cookie
9:36 AM: Quarantining All Traces: did-it cookie
9:36 AM: Quarantining All Traces: dealtime cookie
9:36 AM: Quarantining All Traces: customer cookie
9:36 AM: Quarantining All Traces: coolsavings cookie
9:36 AM: Quarantining All Traces: ccbill cookie
9:36 AM: Quarantining All Traces: cassava cookie
9:36 AM: Quarantining All Traces: goclick cookie
9:36 AM: Quarantining All Traces: enhance cookie
9:36 AM: Quarantining All Traces: burstnet cookie
9:36 AM: Quarantining All Traces: bizrate cookie
9:36 AM: Quarantining All Traces: belnk cookie
9:36 AM: Quarantining All Traces: a cookie
9:36 AM: Quarantining All Traces: atwola cookie
9:36 AM: Quarantining All Traces: ask cookie
9:36 AM: Quarantining All Traces: gamespy cookie
9:36 AM: Quarantining All Traces: angelfire cookie
9:36 AM: Quarantining All Traces: adultfriendfinder cookie
9:36 AM: Quarantining All Traces: hbmediapro cookie
9:36 AM: Quarantining All Traces: adlegend cookie
9:36 AM: Quarantining All Traces: adknowledge cookie
9:36 AM: Quarantining All Traces: yieldmanager cookie
9:36 AM: Quarantining All Traces: about cookie
9:36 AM: Quarantining All Traces: go.com cookie
9:36 AM: Quarantining All Traces: 888 cookie
9:36 AM: Quarantining All Traces: webhancer
9:36 AM: Quarantining All Traces: system doctor 2006
9:36 AM: Quarantining All Traces: mirar webband
9:36 AM: Quarantining All Traces: ezula ilookup
9:36 AM: Quarantining All Traces: elitemediagroup-mediamotor
9:36 AM: Quarantining All Traces: maxifiles
9:36 AM: Quarantining All Traces: purityscan
9:36 AM: Quarantining All Traces: trojan agent winlogonhook
9:36 AM: Removal process initiated
9:35 AM: Traces Found: 105
9:35 AM: Full Sweep has completed. Elapsed time 00:33:12
9:35 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/safe.tlb\ (ID = 1524765)
9:35 AM: File Sweep Complete, Elapsed Time: 00:29:16
9:33 AM: The Spy Communication shield has blocked access to: UPDATE2.OUTERINFO.COM
9:33 AM: The Spy Communication shield has blocked access to: UPDATE2.OUTERINFO.COM
9:29 AM: Warning: Stream read error
9:28 AM: Warning: Stream read error
9:28 AM: The Spy Communication shield has blocked access to: MOONUNITPALACE.COM
9:28 AM: The Spy Communication shield has blocked access to: MOONUNITPALACE.COM
9:28 AM: The Spy Communication shield has blocked access to: CAMPAIGNS.OUTERINFO.COM
9:28 AM: The Spy Communication shield has blocked access to: CAMPAIGNS.OUTERINFO.COM
9:28 AM: Warning: Stream read error
9:28 AM: Warning: Stream read error
9:27 AM: Warning: Stream read error
9:21 AM: C:\WINDOWS\system32\S?mantec\rundll32.exe (ID = 447)
9:21 AM: Found Adware: purityscan
9:21 AM: C:\WINDOWS\LastGood\whAgent.inf (ID = 83821)
9:21 AM: Found Adware: webhancer
9:20 AM: C:\WINDOWS\system32\safe.tlb (ID = 318895)
9:19 AM: C:\System Volume Information\_restore{56f184df-a7ad-4038-8d8d-2120241d641f}\RP1\A0001036.exe (ID = 336869)
9:16 AM: C:\WINDOWS\LastGood\Downloaded Program Files\amm06.inf (ID = 297265)
9:08 AM: C:\Documents and Settings\The Baums\Desktop\backups\backup-20060909-181330-419.inf (ID = 297265)
9:06 AM: C:\Documents and Settings\The Baums\Application Data\SystemDoctor 2006 Free (2 subtraces) (ID = 2147525737)
9:06 AM: Found Adware: system doctor 2006
9:06 AM: Starting File Sweep
9:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www4.hermoment[2].txt (ID = 2774)
9:06 AM: Found Spy Cookie: hermoment.com cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www.upspiral[2].txt (ID = 3615)
9:06 AM: Found Spy Cookie: upspiral cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www.screensavers[1].txt (ID = 3298)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www.redzip[2].txt (ID = 3250)
9:06 AM: Found Spy Cookie: redzip cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www.expage[1].txt (ID = 2638)
9:06 AM: Found Spy Cookie: expage cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www.burstnet[1].txt (ID = 2337)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@www.adminder[2].txt (ID = 2079)
9:06 AM: Found Spy Cookie: adminder cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@tvguide[2].txt (ID = 3599)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@tv.about[2].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@stats2.clicktracks[1].txt (ID = 2407)
9:06 AM: Found Spy Cookie: clicktracks cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@statcounter[1].txt (ID = 3447)
9:06 AM: Found Spy Cookie: statcounter cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@stat.dealtime[1].txt (ID = 2506)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@servlet[2].txt (ID = 3345)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@servlet[1].txt (ID = 3345)
9:06 AM: Found Spy Cookie: servlet cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@search123[1].txt (ID = 3305)
9:06 AM: Found Spy Cookie: search123 cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@sdc.tvguide[1].txt (ID = 3600)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@screensavers[1].txt (ID = 3297)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@rsi.tvguide[1].txt (ID = 3600)
9:06 AM: Found Spy Cookie: tvguide cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@rn11[2].txt (ID = 3261)
9:06 AM: Found Spy Cookie: rn11 cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@poker.about[1].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@passion[2].txt (ID = 3113)
9:06 AM: Found Spy Cookie: passion cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@partypoker[2].txt (ID = 3111)
9:06 AM: Found Spy Cookie: partypoker cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@orthopedics.about[1].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@network.realmedia[1].txt (ID = 3236)
9:06 AM: Found Spy Cookie: realmedia cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@m.webtrends[2].txt (ID = 3669)
9:06 AM: Found Spy Cookie: webtrends cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@infospace[1].txt (ID = 2865)
9:06 AM: Found Spy Cookie: infospace cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@ic-live[1].txt (ID = 2821)
9:06 AM: Found Spy Cookie: ic-live cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@i.screensavers[2].txt (ID = 3298)
9:06 AM: Found Spy Cookie: screensavers.com cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@howstuffworks[2].txt (ID = 2805)
9:06 AM: Found Spy Cookie: howstuffworks cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@go[1].txt (ID = 2728)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@gostats[1].txt (ID = 2747)
9:06 AM: Found Spy Cookie: gostats cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@gamespy[1].txt (ID = 2719)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@frugalliving.about[2].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@email.about[1].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@dist.belnk[2].txt (ID = 2293)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@did-it[1].txt (ID = 2523)
9:06 AM: Found Spy Cookie: did-it cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@dealtime[1].txt (ID = 2505)
9:06 AM: Found Spy Cookie: dealtime cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@customer[2].txt (ID = 2481)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@customer[1].txt (ID = 2481)
9:06 AM: Found Spy Cookie: customer cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@coolsavings[1].txt (ID = 2465)
9:06 AM: Found Spy Cookie: coolsavings cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@ccbill[1].txt (ID = 2369)
9:06 AM: Found Spy Cookie: ccbill cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@cats.about[1].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@cassava[1].txt (ID = 2362)
9:06 AM: Found Spy Cookie: cassava cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@c.goclick[1].txt (ID = 2733)
9:06 AM: Found Spy Cookie: goclick cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@c.enhance[1].txt (ID = 2614)
9:06 AM: Found Spy Cookie: enhance cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@burstnet[2].txt (ID = 2336)
9:06 AM: Found Spy Cookie: burstnet cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@bizrate[1].txt (ID = 2308)
9:06 AM: Found Spy Cookie: bizrate cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@belnk[1].txt (ID = 2292)
9:06 AM: Found Spy Cookie: belnk cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@a[1].txt (ID = 2027)
9:06 AM: Found Spy Cookie: a cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@atwola[1].txt (ID = 2255)
9:06 AM: Found Spy Cookie: atwola cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@asthma.about[2].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@ask[2].txt (ID = 2245)
9:06 AM: Found Spy Cookie: ask cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@arthritis.about[1].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@arena.gamespy[2].txt (ID = 2719)
9:06 AM: Found Spy Cookie: gamespy cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@antivirus.about[1].txt (ID = 2038)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@angelfire[1].txt (ID = 2221)
9:06 AM: Found Spy Cookie: angelfire cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@adultfriendfinder[2].txt (ID = 2165)
9:06 AM: Found Spy Cookie: adultfriendfinder cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@adopt.hbmediapro[2].txt (ID = 2768)
9:06 AM: Found Spy Cookie: hbmediapro cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@adlegend[1].txt (ID = 2074)
9:06 AM: Found Spy Cookie: adlegend cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@adknowledge[2].txt (ID = 2072)
9:06 AM: Found Spy Cookie: adknowledge cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@ad.yieldmanager[2].txt (ID = 3751)
9:06 AM: Found Spy Cookie: yieldmanager cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@about[2].txt (ID = 2037)
9:06 AM: Found Spy Cookie: about cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@abcnews.go[1].txt (ID = 2729)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@abcfamily.go[1].txt (ID = 2729)
9:06 AM: c:\documents and settings\the baums\cookies\the baums@abc.go[1].txt (ID = 2729)
9:06 AM: Found Spy Cookie: go.com cookie
9:06 AM: c:\documents and settings\the baums\cookies\the baums@888[1].txt (ID = 2019)
9:06 AM: Found Spy Cookie: 888 cookie
9:06 AM: Starting Cookie Sweep
9:05 AM: Registry Sweep Complete, Elapsed Time:00:00:29
9:05 AM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\inprocserver32\ (ID = 1626309)
9:05 AM: HKLM\software\classes\typelib\{6708e89b-9603-449b-964d-977ba6c29eac}\ (ID = 1617120)
9:05 AM: HKLM\software\classes\clsid\{e055c02e-6258-40ff-80a7-3bda52facad7}\ (ID = 1617105)
9:05 AM: HKLM\software\classes\toolbarinst.installer.1\ (ID = 1617091)
9:05 AM: HKLM\software\classes\toolbarinst.installer\ (ID = 1617085)
9:05 AM: HKCR\typelib\{6708e89b-9603-449b-964d-977ba6c29eac}\ (ID = 1617056)
9:05 AM: HKCR\clsid\{e055c02e-6258-40ff-80a7-3bda52facad7}\ (ID = 1617041)
9:05 AM: HKCR\toolbarinst.installer.1\ (ID = 1617026)
9:05 AM: HKCR\toolbarinst.installer\ (ID = 1617020)
9:05 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586270)
9:05 AM: HKLM\software\classes\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586223)
9:05 AM: HKLM\software\classes\crypt.core.1\ (ID = 1586219)
9:05 AM: HKLM\software\classes\crypt.core\ (ID = 1586213)
9:05 AM: HKLM\software\classes\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586201)
9:05 AM: HKLM\software\classes\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586189)
9:05 AM: HKCR\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586179)
9:05 AM: HKCR\crypt.core.1\ (ID = 1586175)
9:05 AM: HKCR\crypt.core\ (ID = 1586169)
9:05 AM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586157)
9:05 AM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586145)
9:05 AM: HKLM\software\microsoft\code store database\distribution units\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323895)
9:05 AM: Found Adware: elitemediagroup-mediamotor
9:05 AM: HKLM\software\classes\onone.theimp.1\ (ID = 1221523)
9:05 AM: HKLM\software\classes\onone.theimp\ (ID = 1221515)
9:05 AM: HKCR\onone.theimp.1\ (ID = 1221367)
9:05 AM: HKCR\onone.theimp\ (ID = 1221362)
9:05 AM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
9:05 AM: Found Trojan Horse: trojan agent winlogonhook
9:05 AM: HKLM\software\microsoft\code store database\distribution units\{43331111-1111-1111-1111-611111195622}\ (ID = 135096)
9:05 AM: Found Adware: mirar webband
9:05 AM: Starting Registry Sweep
9:05 AM: Memory Sweep Complete, Elapsed Time: 00:03:03
9:02 AM: Starting Memory Sweep
9:02 AM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\inprocserver32\ (ID = 1625910)
9:02 AM: Found Adware: ezula ilookup
9:02 AM: HKCR\clsid\{e055c02e-6258-40ff-80a7-3bda52facad7}\inprocserver32\ (ID = 1617164)
9:02 AM: Found Adware: maxifiles
9:02 AM: Sweep initiated using definitions version 757
9:02 AM: Spy Sweeper 5.0.5.1286 started
9:02 AM: | Start of Session, Monday, September 11, 2006 |
********

nightowl
09-11-2006, 10:55 AM
That program picked up quite a bit. Still some bad entries on your log. Make sure you are in Safe Mode when you remove these.


Delete these Files and/or Folders

C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe

Still In Safe Mode Open up Hijack This and Place a check next to each of these and click Fix Checked.

R3 - URLSearchHook: (no name) - {6A39A944-4881-6E73-A0DF-6743B16AA797} - C:\WINDOWS\System32\eqf.dll (file missing)

O2 - BHO: (no name) - {3A6BAA10-1CD5-3B29-A1DF-6743B16AA092} - C:\WINDOWS\System32\qwlar.dll (file missing)
O2 - BHO: (no name) - {6A39A944-4881-6E73-A0DF-6743B16AA797} - C:\WINDOWS\System32\eqf.dll (file missing)

O4 - HKCU\..\Run: [Hzlrw] "C:\Documents and Settings\The Baums\Application Data\F?nts\l?ass.exe"
O4 - Startup: .protected
O4 - Global Startup: .protected

O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.ed...vex-2.0.5.0.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll

O20 - AppInit_DLLs: ntvdm.dll C:\WINDOWS\System32\ntvdm.dll
O20 - Winlogon Notify: nnljh - C:\WINDOWS\System32\nnljh.dll (file missing)
O20 - Winlogon Notify: winfvy32 - winfvy32.dll (file missing)

Still in Safe Mode, delete all Temporary Internet Files and Cookies, run Ewido, AdAware and Spybot, delete what they find, and empty the Recycle Bin.

Plug the internet back in and Reboot to normal mode and post a new log..........Jim

mrsbaumer
09-12-2006, 01:53 AM
Logfile of HijackThis v1.99.1
Scan saved at 5:43:03 PM, on 9/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\The Baums\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] "C:\WINDOWS\p_981116.exe" /Q:A
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: .protected
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/1c8/uploader2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/183d57ffb183f5cfda06/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154064317853
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE4F2ED-B334-466D-9ABF-2E18CBBB6BAD}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

nightowl
09-13-2006, 09:59 AM
How is it running? It's starting to look better. A few things here. Remove in Safe Mode, then run your spyware programs again. Then post a new log.........Jim

O4 - Startup: .protected
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: .protected

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/183d57f...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab

mrsbaumer
09-15-2006, 12:41 PM
Hi there,
Thanks again for all your help.
HijackThis will not remove
O4 - Startup: .protected or
O4 - Global Startup: .protected
??
I also cannot do a Disk Cleanup.
I go to Start, Accessories, System Tools, Disk Cleanup and it just hangs. I went to work and it was still just sitting there when I got home.
?? hmmmm......

nightowl
09-17-2006, 10:56 AM
Post your log on this message board. Tell them what the computer's symptoms are. Looks like something new.

http://www.forums.security-central.us/forumdisplay.php?f=13

Give them a link to this thread and give me a link to the thread they are helping you on. They are pretty knowledgeable over there and very helpful........Jim :cool:

mrsbaumer
09-18-2006, 03:56 AM
http://forums.security-central.us/showthread.php?t=4017

Here is the link to the other forum, hope they can help.
Also, here is my latest log, don't know if it has changed or not.

Logfile of HijackThis v1.99.1
Scan saved at 6:48:41 AM, on 9/18/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Baums\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] "C:\WINDOWS\p_981116.exe" /Q:A
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: .protected
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/1c8/uploader2.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154064317853
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE4F2ED-B334-466D-9ABF-2E18CBBB6BAD}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

nightowl
09-18-2006, 11:03 AM
Thanks for the link, I'll keep an eye on it. I need to watch what they do so I can help others when this problem appears again.


Looks like they want you to run a few more programs. Follow the directions carefully...........Jim