TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Heather on April 23, 2006, 07:19:27 PM
-
Hi, sure hope someone can help,
I am currently running in safe mode because I cannot boot in regular mode; I get an error message of application failure with a code of (0cx0000022).
Here's what happened: I was running Norton SystemWorks 2004 and firewall, and Webroot Spy Sweeper, fine, but figured they were both outdated and I should have newer protection.
At Staples the comp guy suggested McAfee instead, said he cleaned out more stuff with it, so I bought it (STUPID!!!). I planned on downloading the current Spy Sweeper online.
Came home and disconnected DSL, uninstalled Norton, uninstalled Webroot (not sure why, guess I figured possible conflict or something?), installed McAfee, re-installed Webroot and went online to get the current Webroot. Immediately I was hit with a blue screen saying spyware is outdated and to click a link to download the solution, and also had a Windows balloon popping up from the toolbar every 5 seconds telling me to click to solve the problem. I noticed a new button on the toolbar that wasn't there before and immediately thought all of it was spyware. I attempted to go online to get the latest Webroot for a solution but was locked out of IE. I was able to get on through MSN and download the new version. Ran it and it cleared 8 items; however, I still couldn't get my display back, totally locked out of display functions.
I disconnected from DSL again, uninstalled McAfee, re-installed Norton SystemWorks, and in the process it picked up "Bloodhound.W32.EP" located in C:\Windows\system32\wininet.dll.
I chose yes to remove; it completed installation and asked to re-boot. I did, and it gave an error message to the effect that the item could not be accessed to be removed and proceeded to re-boot. I tried to log on to my screen (the only one) and got the error message cited above (application failure).
I contacted Windows support and spent 2 hours following instructions and trying different solutions, i.e., permissions, XP scan with the installation disk, and several other things I barely remember. Anyway, the guy at Windows said he cannot help me remove Bloodhound till I have my desktop back, and I cannot get my desktop back till the freakin' Bloodhound is gone.
so my questions are, can you help?
can I safely run hijack in safe mode?
am I totally screwed?
thanks for being willing to read this far.
Heather
:(
-
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the contents of that report into your next reply.
-
I downloaded as directed; when I tried to open it to run, this is the message I got:
C:\WINDOWS\system32\cmd.exe
SmitFraudFix v2.34
Fichier Process.exe absent!
Process.exe file missing! unzip all the archive in a folder.
Press any key to continue
At this point I press a key and the window disappears.
Hold up, stupid me didn't extract the folder at first, please stand by.
OK, here it is. BTW, thanks a million for being here.
SmitFraudFix v2.34
Scan done at 18:57:19.40, Sun 04/23/2006
Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» C:\
C:\country.exe FOUND !
C:\kl1.exe FOUND !
C:\ms1.exe FOUND !
C:\tool1.exe FOUND !
C:\tool3.exe FOUND !
C:\tool4.exe FOUND !
C:\tool5.exe FOUND !
C:\toolbar.exe FOUND !
C:\uniq FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\paytime.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data
C:\Documents and Settings\Heather\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\heather\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\paytime.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
C:\WINDOWS\system32\wininet.dll infected !
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup
Volume in drive C has no label.
Volume Serial Number is E0AF-89FE
Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE
09/29/2004 11:27 AM 656,896 wininet.dll
1 File(s) 656,896 bytes
Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE
01/27/2005 10:08 AM 657,920 wininet.dll
1 File(s) 657,920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE
05/02/2005 01:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes
Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE
03/10/2005 12:43 AM 657,920 wininet.dll
1 File(s) 657,920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE
09/02/2005 04:53 PM 660,480 wininet.dll
1 File(s) 660,480 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE
07/02/2005 07:09 PM 659,456 wininet.dll
1 File(s) 659,456 bytes
Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE
10/20/2005 08:38 PM 661,504 wininet.dll
1 File(s) 661,504 bytes
Directory of C:\WINDOWS\$hf_mig$\KB912812\SP2QFE
03/03/2006 08:58 PM 663,552 wininet.dll
1 File(s) 663,552 bytes
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/23/2004 08:32 PM 589,312 wininet.dll
1 File(s) 589,312 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
08/04/2004 12:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2gdr
03/03/2006 08:33 PM 658,432 wininet.dll
1 File(s) 658,432 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2qfe
03/03/2006 08:58 PM 663,552 wininet.dll
1 File(s) 663,552 bytes
Directory of C:\WINDOWS\SYSTEM32
03/03/2006 08:33 PM 658,432 wininet.dll
1 File(s) 658,432 bytes
»»»»»»»»»»»»»»»»»»»»»»»» End
-
Inside the Smitfraudfix folder should be 7 files
reboot.exe
restart.exe
SmitfraudFix.Cmd
SrchSTS.exe
swreg.exe
swsc.exe
Process.exe
If one of those is missing it won't work correctly
Take a look inside the folder
Note: if your AV is pegging it as a bad guy it may be removing the file
It is not malware, allow this file, don't remove process.exe
EDIT>>I see you figured it out
I'll be back with more instructions in a bit
Let me look over the files
I contacted Windows support and spent 2 hours following instructions and trying different solutions, i.e., permissions, XP scan with the installation disk, and several other things I barely remember. Anyway, the guy at Windows said he cannot help me remove Bloodhound till I have my desktop back, and I cannot get my desktop back till the freakin' Bloodhound is gone.
Don't worry about contacting if we get your desktop back
We should get you clean if everything goes alright
In SAFE MODE
open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
If the tool requires you to reboot, please reboot back to Normal mode
Please post the contents of the SmitfraudFix log located at C:\rapport.txt
and a Hijackthis log
-
OK, it went so far as the registry cleaning option and I did Y, Enter as instructed; the desktop (in safe mode) went away but nothing else is happening.
Don't know how long this part should take.
-
Can you attempt to reboot into Normal mode
and post the logs
When you were doing the cleaning instructions with SmitfraudFix did you have all browser windows closed on the machine?
It's a must!
-
Sorry, had to step away.
I did run it again with browser windows closed, same result.
I tried to re-boot in normal mode, same error.
It reads: Application Failed to initialize properly (0cx0000022), click on OK to terminate.
There were no logs with the fraudfix other than the first one.
Ran search again; here are the results:
SmitFraudFix v2.34
Scan done at 21:18:17.59, Sun 04/23/2006
Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\heather\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
C:\WINDOWS\system32\wininet.dll infected !
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup
Volume in drive C has no label.
Volume Serial Number is E0AF-89FE
Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE
09/29/2004 11:27 AM 656,896 wininet.dll
1 File(s) 656,896 bytes
Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE
01/27/2005 10:08 AM 657,920 wininet.dll
1 File(s) 657,920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE
05/02/2005 01:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes
Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE
03/10/2005 12:43 AM 657,920 wininet.dll
1 File(s) 657,920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE
09/02/2005 04:53 PM 660,480 wininet.dll
1 File(s) 660,480 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE
07/02/2005 07:09 PM 659,456 wininet.dll
1 File(s) 659,456 bytes
Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE
10/20/2005 08:38 PM 661,504 wininet.dll
1 File(s) 661,504 bytes
Directory of C:\WINDOWS\$hf_mig$\KB912812\SP2QFE
03/03/2006 08:58 PM 663,552 wininet.dll
1 File(s) 663,552 bytes
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/23/2004 08:32 PM 589,312 wininet.dll
1 File(s) 589,312 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
08/04/2004 12:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2gdr
03/03/2006 08:33 PM 658,432 wininet.dll
1 File(s) 658,432 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2qfe
03/03/2006 08:58 PM 663,552 wininet.dll
1 File(s) 663,552 bytes
Directory of C:\WINDOWS\SYSTEM32
03/03/2006 08:33 PM 658,432 wininet.dll
1 File(s) 658,432 bytes
»»»»»»»»»»»»»»»»»»»»»»»» End
-
OK, I need to see some logs
EDIT>>I see you posted the updated log
I want you to try the below fix
Then we'll see what things look like
Let's try the following
Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) ©noahdfear, and save the file to your desktop.
Double-click on the smitRem.exe file to extract it to its own folder on the desktop.
(http://hijackthisaid.org/Pictures/infections/Smitextract.GIF)
(http://www.security-central.us/limg/smit%20icon.jpg)
In safe mode
================================================
Open the SmitRem folder located on the desktop
(http://hijackthisaid.org/Pictures/infections/spysmitrunbat.GIF)
Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
I'll need to see it later
Reboot back to Normal mode
Does that help you out?
Post the following
Whether it is from normal or safe mode
1. Post a fresh hijackthis log
2. Post the log created from Smitrem>>C:\Smitfiles.txt
Are you sure that SmitfraudFix didn't produce a log
When you're looking for the Smitfiles.txt
Also look for the rapport.txt in the C:\folder
Open MyComputer and double click to open C: drive
-
would you kindly re post the website, I seem to be having trouble getting there
-
I reposted in my last reply, see if that helps
If not post back please
-
Got it in, got the self-extractor to open; however, there is no folder on the desktop, only the self-extracting archive.
It seems as though I can choose the option from the menu in the archive.
-
Double click on SmitRem.exe
and when you get to the Self Extracting Archive
Click START to extract the folder to desktop
EDIT>>>You MUST have all the files extracted to that folder for the fix to work
DO NOT assume you can run RunThis.bat by itself
-
OK, I'm back. I am in normal mode (BLESS YOU!!!). I need to download and run HijackThis to get you the log; in the meantime here are the other logs requested.
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 04/23/2006
The current time is: 21:43:42.93
Running from
C:\Documents and Settings\Heather\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1356 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll INFECTED!! :(
Starting replacement procedure.
~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ C:\WINDOWS\$hf_mig$\KB890923\SP2QFE Present! ~~~~
~~~~ Checking KB890923\SP2QFE\wininet.dll for infection ~~~~
~~~~ KB890923\SP2QFE Clean! ~~~~
~~~ Replaced wininet.dll from KB890923\SP2QFE ~~~
~~~ Upon reboot ~~~
wininet.old present!
oleadm.dll not present!
oleext.dll not present!
~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!
~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~
SmitFraudFix v2.34
Scan done at 21:18:17.59, Sun 04/23/2006
Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\heather\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
C:\WINDOWS\system32\wininet.dll infected !
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup
Volume in drive C has no label.
Volume Serial Number is E0AF-89FE
Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE
09/29/2004 11:27 AM 656,896 wininet.dll
1 File(s) 656,896 bytes
Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE
01/27/2005 10:08 AM 657,920 wininet.dll
1 File(s) 657,920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE
05/02/2005 01:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes
Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE
03/10/2005 12:43 AM 657,920 wininet.dll
1 File(s) 657,920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE
09/02/2005 04:53 PM 660,480 wininet.dll
1 File(s) 660,480 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE
07/02/2005 07:09 PM 659,456 wininet.dll
1 File(s) 659,456 bytes
Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE
10/20/2005 08:38 PM 661,504 wininet.dll
1 File(s) 661,504 bytes
Directory of C:\WINDOWS\$hf_mig$\KB912812\SP2QFE
03/03/2006 08:58 PM 663,552 wininet.dll
1 File(s) 663,552 bytes
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/23/2004 08:32 PM 589,312 wininet.dll
1 File(s) 589,312 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
08/04/2004 12:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2gdr
03/03/2006 08:33 PM 658,432 wininet.dll
1 File(s) 658,432 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2qfe
03/03/2006 08:58 PM 663,552 wininet.dll
1 File(s) 663,552 bytes
Directory of C:\WINDOWS\SYSTEM32
03/03/2006 08:33 PM 658,432 wininet.dll
1 File(s) 658,432 bytes
»»»»»»»»»»»»»»»»»»»»»»»» End
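The smitRem log above shows the order in which the tool looked for a replacement wininet.dll (dllcache first, then the $hf_mig$ hotfix backup folder), checked that candidate for infection, and only then swapped it in. The SmitFraudFix listing also shows why a size comparison is not enough: the infected system32 copy and the sp2gdr download copy both report 658,432 bytes. The script below is an added illustration of that selection logic, not smitRem's or SmitFraudFix's own code. Those tools used their own infection signatures, which are not reproduced here; "clean" below means the SHA-256 digest appears in a known-good list built from constructed sample bytes, and the sample directory tree is constructed in a temp folder.

```python
"""Choose a replacement for a patched system DLL in the order the smitRem log
describes: dllcache first, then the hotfix backup folders, accepting a candidate
only once it verifies as clean. Added example; "clean" is a SHA-256 allow-list
built from constructed bytes, not the real tools' signatures."""
import hashlib
import os
import tempfile

DLL = "wininet.dll"

# Search order taken from the log: dllcache, then the KB hotfix backup. The
# service pack cache is added here as an assumed third fallback.
SEARCH_ORDER = [
    os.path.join("WINDOWS", "system32", "dllcache"),
    os.path.join("WINDOWS", "$hf_mig$", "KB890923", "SP2QFE"),
    os.path.join("WINDOWS", "ServicePackFiles", "i386"),
]


def sha256_of(path):
    """Stream the file so large DLLs need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_clean_backup(root, known_good):
    """First candidate in SEARCH_ORDER whose digest is in known_good, else None."""
    for rel in SEARCH_ORDER:
        cand = os.path.join(root, rel, DLL)
        if not os.path.exists(cand):
            continue  # mirrors "dllcache\wininet.dll not present!" in the log
        if sha256_of(cand) in known_good:
            return cand
    return None


def plan_replacement(root, known_good):
    """Decide whether the live copy needs replacing and from where."""
    live = os.path.join(root, "WINDOWS", "system32", DLL)
    if sha256_of(live) in known_good:
        return {"action": "none", "source": None}
    src = find_clean_backup(root, known_good)
    return {"action": "replace" if src else "manual", "source": src}


def compare(root, rel):
    """Why size is not a verdict: same byte count can hide a different digest."""
    live = os.path.join(root, "WINDOWS", "system32", DLL)
    other = os.path.join(root, rel, DLL)
    return {
        "same_size": os.path.getsize(live) == os.path.getsize(other),
        "same_hash": sha256_of(live) == sha256_of(other),
    }


def build_sample_tree():
    """Constructed layout: the tampered live copy has exactly the size of the
    clean backup, like the 658,432-byte system32 and sp2gdr copies in the log."""
    root = tempfile.mkdtemp()
    clean = b"MZ" + b"\x00" * 4094               # 4096-byte stand-in for a clean build
    tampered = b"MZ" + b"\x00" * 4090 + b"PTCH"  # same length, four bytes patched
    layout = {
        os.path.join("WINDOWS", "system32"): tampered,
        os.path.join("WINDOWS", "$hf_mig$", "KB890923", "SP2QFE"): clean,
        os.path.join("WINDOWS", "ServicePackFiles", "i386"): clean,
    }
    for rel, data in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, DLL), "wb") as f:
            f.write(data)
    return root, {hashlib.sha256(clean).hexdigest()}


if __name__ == "__main__":
    root, known_good = build_sample_tree()
    print(compare(root, SEARCH_ORDER[1]))
    print(plan_replacement(root, known_good))
```

On a real machine the known-good list would come from the vendor's file catalogue rather than from bytes you construct yourself; the point of the example is the ordering and the hash-not-size decision, which is what the log's replacement procedure relies on.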
-
Post the hijackthis log when you can, we still have some cleaning to do
-
Logfile of HijackThis v1.99.1
Scan saved at 10:00:42 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Can you do the following to be sure that SpySweeper will not interfere please
Open SpySweeper
Click: Options (left side)
Go to: Program Options
Uncheck: Load at windows startup
Click: Shields (left side), and uncheck all these items
Uncheck: Home Page Shield
Uncheck: Automatically Restore Default Without Notification
Close SpySweeper
==Download and then Install
Ewido anti-malware 3.5 (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" UNCHECK
"Install background guard"
"Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work
Can you review the page to help with the Updater from this link
http://www.ewido.net/en/support/?AID=26
Reboot back to Safe mode
Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot back to Normal mode and post a fresh hijackthis log
Also post the whole report from Ewido's please
Let me know how everything's running
Do you plan on removing Norton's as it appears it's expired
and installing McAfee's?
Let me know that too, one problem is that Norton's was probably out of date
and instead of disinfecting wininet.dll, it deleted it
-
in spysweeper under shields there are 5 sub folders
IE shields (contains IE Favorites and IE security)
Host file shields
Windows system shields (contains memory, spy installation, active x, spy communication, ADS execution shield and Windows messenger service shield)
Start up shield (this one has a caution)
Browser add on shield (this one has a caution)
I don't see an option for "Automatically Restore Default Without Notification"
I unchecked home page shield and a few others unchecked with it.
I unchecked load at windows startup
sorry to be dense, I just don't want to mess this up.
please advise further on spysweeper so that I may proceed to next steps.
as for Norton and McAfee, I figured I'd go ahead and keep the Norton and buy the update unless you have a better thought. The McAfee is only antivirus and I didn't seem to have any of these problems till I put it in.
-
Can you carry on with the remainder of the instructions please
-
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 2:34:05 AM, 4/24/2006
+ Report-Checksum: 29406E07
+ Scan result:
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@a-1shz2prbmdj6wvny-1sez2pra2dj6wjk4uoczchow-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sdzieoqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Counted : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiulc5aaqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4kiazsaqamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4umczaaqaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkockcpmhqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyajdjslqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyalajicpgqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyemcpacpgidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykkazcfoqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysgcjmlqawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4cpc5mdoawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlieiajwfpg6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmiohd5aeow6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmyond5mbpgidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyckdjagqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycmdzcdpqydj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyelcpkdogudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyogcpgfpgsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkykgdjelqa-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@roispy[1].txt -> TrackingCookie.Roispy : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkisgdzkcow2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiulc5aaqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkoanczcdqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkysmc5cbpgsdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyuocpiaoqidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4wpd5egogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkouhczsaqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyaicpihpqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyendpiepwudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkygnczmaqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykhdpsbowydj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysmdpehpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyujcjocpgwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlickcjmlqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlikhdjwhpw6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyckajefqq2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycocjoepwsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygic5aaqqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyshdzklpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.k : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Sinowal.k : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119803.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119804.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119805.dll -> Trojan.Sinowal.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119806.dll -> Trojan.Sinowal.k : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119807.exe -> Trojan.Sinowal.k : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119808.exe -> Trojan.Sinowal.k : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119810.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119957.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0120983.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0120984.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0142275.exe -> Trojan.Sinowal.k : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 10:00:42 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
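The helper picks entries out of a log like the one above by a few rules of thumb: a BHO whose DLL is "(no file)" is a dead registration, a bare .exe sitting in a Startup folder is unusual (normal items are .lnk shortcuts), an O6 policy restriction on the IE Control Panel is something malware sets, an O16 ActiveX download from a non-vendor site deserves removal, and O20 Winlogon Notify DLLs load at every logon and should be checked against their vendor. As an added example, written for this page and not code from the thread, HijackThis or Ewido, the Python script below applies those rules to a handful of constructed lines in the same HijackThis v1.99.1 format. The trusted-host allowlist for O16 entries is an assumption of the example, not a HijackThis feature.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 line format (same layout as the logs
# in this thread); a handful of entries, not a full log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Hosts from which ActiveX (O16 DPF) downloads are expected on this machine.
# Assumption for the example: a real allowlist depends on what the owner installed.
TRUSTED_DPF_HOSTS = {"security.symantec.com", "update.microsoft.com", "download.mcafee.com"}

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return (verdict, section, reason, body) tuples.

    'fix' marks entries a helper would tick in HijackThis; 'review' marks entries
    that are a known persistence point and need a vendor check before acting.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("fix", section, "BHO registration whose DLL is gone (dead entry)", body))
        elif section == "O4" and re.match(r"(Global )?Startup: ", body):
            # Startup-folder items: "<name>.lnk = <target>" is normal, a bare .exe is not.
            item = body.split(": ", 1)[1].split(" = ")[0]
            if item.lower().endswith(".exe"):
                findings.append(("fix", section, "bare executable in a Startup folder", body))
        elif section == "O6":
            findings.append(("fix", section, "IE policy restriction set; remove unless an admin set it", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("fix", section, f"ActiveX control downloaded from untrusted host {host}", body))
        elif section == "O20":
            findings.append(("review", section, "Winlogon Notify DLL runs at every logon; confirm the vendor", body))
    return findings


if __name__ == "__main__":
    for verdict, section, reason, body in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {section}: {reason}\n         {body}")
```

On the sample it reports four "fix" entries (the dead BHO, PowerReg Scheduler V3.exe, the O6 restriction and the PopCap loader) and one "review" entry (the Webroot logon notifier), while the Symantec scanner control and the ordinary Run and Service entries pass through untouched. Anything beyond these simple rules, such as an O23 service with an unfamiliar path, still needs a human looking at the full log.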
-
I'm seeing a new alert pop up from my toolbar, it looks like a windows generated item however I'm suspicious it says
Updating your computer is almost complete. You must restart your computer for
the updates to take effect.
Do you want to restart your computer now?
then options for restart now and restart later. I cannot exit it without hitting restart later and it won't fall behind any other pages.
the icon in the toolbar associated with it is a yellow shield with an exclamation point.
I will not restart, will wait for your next instructions
-
can you do the following again
These will remain as long as SpySweeper allow them
If it's not totally disabled
If you get a prompt by Spysweeper allow any change
Please read your help files to disable it completely, they should be included with your version of SpySweeper
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Post back a fresh hijackthis log
The prompt you are getting is probably from Norton's AV or windows updates
Most likely Norton's
Are you planning on returning your version of McAfee's
If not, I would uninstall Norton's completely and reinstall McAfee's
As you paid for the one year
Then make sure the firewall built into XP is turned on in your Control panel
If, like many others, you don't want to use the XP firewall
Post back and I can supply you with a link to a free firewall software
-
when I tried to do a system scan only, these items no longer appear. I posted a HJT log this morning, shall I re post it?
-
Yes please, but do a fresh Scan and save logfile
-
new log, I think I failed to reboot before posting last
Logfile of HijackThis v1.99.1
Scan saved at 7:56:27 PM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
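As an added example (not part of this thread, and not HijackThis' own code), a small Python parser for the log format above that pulls out the entries a reviewer reads first: BHOs, toolbars, downloaded ActiveX controls (O16), Winlogon Notify DLLs (O20) and services (O23), plus any file loaded from outside the usual install folders. The sample lines are copied from the log posted above; the EXPECTED_DIRS allowlist and the choice of high-interest sections are my assumptions, not a HijackThis convention.

```python
import re

# Constructed sample input: five lines in the HijackThis v1.99.1 log format,
# copied from the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O16 - DPF: ..." -> section + body
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys))", re.IGNORECASE)
URL_RE = re.compile(r"(https?://\S+)")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
# Assumption: where installed software normally lives on an XP box.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumption: sections whose entries load code into IE, winlogon or as a service.
HIGH_INTEREST = {"O2", "O3", "O16", "O20", "O23"}


def parse_hjt(text):
    """Split a HijackThis log into entries with the path, URL and CLSID extracted."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no section code
        section, body = m.groups()
        path, url, clsid = (rx.search(body) for rx in (PATH_RE, URL_RE, CLSID_RE))
        entries.append({
            "section": section,
            "body": body,
            "path": path.group(1) if path else None,
            "url": url.group(1) if url else None,
            "clsid": clsid.group(1) if clsid else None,
        })
    return entries


def triage(entries):
    """Return (section, reason, detail) tuples a reviewer should look at first."""
    findings = []
    for e in entries:
        if e["section"] in HIGH_INTEREST:
            findings.append((e["section"], "loads code", e["url"] or e["path"] or e["body"]))
        if e["path"] and not e["path"].lower().startswith(EXPECTED_DIRS):
            findings.append((e["section"], "unusual location", e["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```

Run against a full log, every O16 entry comes out with its download URL and every O20/O23 entry with its DLL or EXE path, which is the information the helper checks when deciding whether a log "looks good".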
-
Actually, I realized after you posted that the last 2 logs prior to this were the same log
That looks good
Can you do the following if everything is running better
Final Cleanup
We should flush all your restore points to ensure you don't restore any nasties that may be sitting idle
Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off System Restore"
This will re-enable the System Restore feature and create a new restore point
Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure
In addition: If you have Microsoft Office installed
Make sure you keep up on security updates
You will find a link at Windows Updates named "Office Family"
*Make sure your Firewall is enabled and running
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission
+ I would opt to hold onto Ewido
Ewido will become a Limited free version in a couple weeks, but it's still a great scanner to update and run once a month
You can go back and reenable the protections from SpySweeper
Go ahead and delete
SmitfraudFix.zip and folder
SmitRem.exe and folder
The files created by both
C:\Smitfiles.txt and rapport.txt
Hold onto Hijackthis and the backup folder
In a week or so, if you're still happy with the way everything is running
Open Hijackthis>>Open Misc tools sections>>>Use the scroll bar and scroll down to
"Uninstall Hijackthis & Exit"
Then manually remove Hijackthis.exe and the backup folder
Stay safe
-
NICE, my desktop loaded much faster this time.
I did the system restore with no problem
I agree that I would want to go ahead and use the firewall you suggest rather than the XP firewall, you said you have a link?
when I uninstall Norton, do I just do the uninstall wizard or is there a more in-depth uninstall
again THANK YOU, you are my hero
-
Yes, use the uninstall wizard or the add/remove programs
If it won't uninstall completely
Try this page
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
After it is uninstalled
Install McAfee's, if this is what you're planning on using for an AV
Once you have that fully installed
Try this firewall, see if you like it
http://www.sunbelt-software.com/Kerio.cfm
The full version will become a free limited version after 30 days
Once you have your new firewall installed, go ahead and make sure that the one built into XP is turned off
in the Windows control panel
-
ok, it all seems to be functioning properly. I sure do appreciate the time and effort you put in to help all of us out. have a great day! God Bless You.
Heather
-
Good work, I'll lock this topic as your problems appear resolved
take care