#1 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 9
OS: XP
|
Problems with puppyboyz and others..Please help Thanx
Hello,
I have still been having problems with puppyboyz and with rev0lt.net, my computer is just barely running, any help would be greatly appreciated. I have run adaware se and also webroot spysweeper.... here is my hijackthis log:
#2 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,957
OS: Vista Home Premium, SP 27
|
Too much here to manually do, unless we absolutely must.

I know you have run Ad-aware, but read the config instructions below and run it again.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the Search for Updates button. Install any updates if they are available. Next click on the Check for Problems button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Then, please post a new HJT log and we'll see how they did.
#3 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 9
OS: XP
|
response
Thanks for the reply. I have run Spybot and removed a few items, and I also ran the VX2 cleaner in Ad-aware and it said the system was clean. So here is my HijackThis log again:
#4 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
|
Hi and Welcome to TSF
Please consider installing either SP1/SP2 service pack for XP!!

Move hijackthis to the root of C:\ and NOT in a temp folder!!

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature.

Ok..on to the log…..

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\syscfg32.exe
C:\WINDOWS\System32\winstr32.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\System32\DFUTFKZ.EXE
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\rpcxWindows.exe
C:\WINDOWS\System32\uzpdate2.exe
C:\index.exe
C:\WINDOWS\System32\mswin32.exe
C:\dipset.exe
C:\WINDOWS\System32\dlll32.exe
C:\WINDOWS\System32\winnt.exe
C:\WINDOWS\System32\scvhost32.exe
C:\WINDOWS\System32\msrpc32.exe
C:\WINDOWS\System32\systemupdate.exe
C:\WINDOWS\System32\msrpc32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.liveaudiowrestling.com/wo/
O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\ELITES~1\ELITES~1.DLL (file missing)
O4 - HKLM\..\Run: [windows sockets start up 32] DFUTFKZ.EXE
O4 - HKLM\..\Run: [A907864B] C:\WINDOWS\System32\fhwlyqqtuugtuc.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bzmhzv.exe
O4 - HKLM\..\Run: [Win32 exe file] winstr32.exe
O4 - HKLM\..\Run: [zerzvpack2] uzpdate2.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [Microsoft Update Service] mswin32.exe
O4 - HKLM\..\Run: [Printer] C:\dipset.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Windows service] dlll32.exe
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\Run: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKLM\..\Run: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\Run: [Windows Update Service 2004/2005] systemupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Win32 exe file] winstr32.exe
O4 - HKLM\..\RunServices: [zerzvpack2] uzpdate2.exe
O4 - HKLM\..\RunServices: [Microsoft Update Service] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] dlll32.exe
O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKLM\..\RunServices: [Media service] system64.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Windows Update Service 2004/2005] systemupdate.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunOnce: [Win32 exe file] winstr32.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKCU\..\Run: [Win32 exe file] winstr32.exe
O4 - HKCU\..\Run: [Mpig] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [MS Remote Procedure Call] msrpc32.exe
O4 - HKCU\..\RunOnce: [windows sockets start up 32] DFUTFKZ.EXE
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\RunOnce: [Win32 exe file] winstr32.exe
O4 - HKCU\..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - Global Startup: webdav.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: Searchalot - {7B985F41-2B47-44BC-8A9E-667962007DF2} - http://www.searchalot.com (file missing) (HKCU)
O9 - Extra button: Downloads - {C17EAA05-02BF-4F65-9D9C-7E796CDA7806} - http://www.downloadalot.com (file missing) (HKCU)
O9 - Extra button: Netnews - {EDD7E91B-F195-403E-BD6F-3C4E1734802C} - news:worldnet.help.new-users (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {C3EA8E65-D0DD-486D-80DA-BCCEB4B63B4E} - http://cc.excite.com/pm3/x8pm_4_1,0,2,5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/active...ol_v1-0-3-0.cab

Delete the following Files/Folders in RED (delete folders if no filename is specified or they are RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\WINDOWS\System32\syscfg32.exe
C:\WINDOWS\System32\winstr32.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\System32\DFUTFKZ.EXE
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\rpcxWindows.exe
C:\WINDOWS\System32\uzpdate2.exe
C:\index.exe
C:\WINDOWS\System32\mswin32.exe
C:\dipset.exe
C:\WINDOWS\System32\dlll32.exe
C:\WINDOWS\System32\winnt.exe
C:\WINDOWS\System32\scvhost32.exe
C:\WINDOWS\System32\msrpc32.exe
C:\WINDOWS\System32\systemupdate.exe
C:\WINDOWS\System32\msrpc32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\ELITES~1\ELITES~1.DLL
C:\WINDOWS\System32\fhwlyqqtuugtuc.exe
C:\WINDOWS\System32\bzmhzv.exe
C:\WINDOWS\System32\NetConfs.exe
C:\WINDOWS\System32\wkssvrs.exe
C:\WINDOWS\System32\system64.exe
C:\WINDOWS\System32\?ttrib.exe
webdav.exe

Make sure you delete the files ONLY in the directory listed as some of these are legit Windows file names!

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Navigate to the C:\Windows\Prefetch folder and delete all files in that folder Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
Last edited by MicroBell : 12-01-2004 at 01:26 AM.
#5 (permalink) |
Registered User
Join Date: Nov 2004
Posts: 9
OS: XP
Still having problems with puppyboyz
thanks MicroBell, i did everything you said to, and puppyboyz is still trying to open, got rid of a bunch of other crap though, so here is my new hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 2:15:12 AM, on 12/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\DFUTFKZ.EXE
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\dlll32.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Dell\Solution Center\Service.exe
C:\Program Files\Audiogalaxy Satellite\AGSatellite.exe
C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://registration.iwon.com/reg/register.jsp"); (C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\jaml6v17.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\jaml6v17.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [QuickKaz] C:\PROGRA~1\COMMON~2\QUICKKAZ.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [windows sockets start up 32] DFUTFKZ.EXE
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Windows service] dlll32.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Win32 exe file] winstr32.exe
O4 - HKLM\..\RunServices: [zerzvpack2] uzpdate2.exe
O4 - HKLM\..\RunServices: [Microsoft Update Service] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] dlll32.exe
O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKLM\..\RunServices: [Media service] system64.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Windows Update Service 2004/2005] systemupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [IM] C:\program files\instant messenger\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [windows sockets start up 32] DFUTFKZ.EXE
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Dell Service.lnk = C:\Program Files\Dell\Solution Center\Service.exe
O4 - Global Startup: AGSatellite.lnk = C:\Program Files\Audiogalaxy Satellite\AGSatellite.exe
O4 - Global Startup: webdav.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100062718335
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{867ED228-7E4F-4C47-B2C5-0A1EEDC4DF2B}: NameServer = 207.69.188.187 207.69.188.186

Any help would be greatly appreciated. thanks a bunch -shawn
#6 (permalink) |
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
FYI..You're NOT following instructions. I asked you to move hijackthis OUT of the temp folder and into its own folder located on the root of C:\. Do NOT miss one of the files...otherwise this hijack will reoccur.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Open add/remove programs and remove the following if listed.

FriendFinder Messenger <--produces ADware and is a security risk

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\DFUTFKZ.EXE
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\dlll32.exe
C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [QuickKaz] C:\PROGRA~1\COMMON~2\QUICKKAZ.EXE
O4 - HKLM\..\Run: [windows sockets start up 32] DFUTFKZ.EXE
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Windows service] dlll32.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Win32 exe file] winstr32.exe
O4 - HKLM\..\RunServices: [zerzvpack2] uzpdate2.exe
O4 - HKLM\..\RunServices: [Microsoft Update Service] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] dlll32.exe
O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKLM\..\RunServices: [Media service] system64.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Windows Update Service 2004/2005] systemupdate.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\RunOnce: [windows sockets start up 32] DFUTFKZ.EXE
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: webdav.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=

Delete the following Files/Folders in RED (delete folders if no filename is specified or they are RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\WINDOWS\System32\DFUTFKZ.EXE
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\dlll32.exe
C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
C:\PROGRA~1\COMMON~2\QUICKKAZ.EXE
wkssvrs.exe
syscfg32.exe
rpcxWindows.exe
winstr32.exe
uzpdate2.exe
mswin32.exe
msmsgs.exe
scvhosting.exe
NetConfs.exe
winnt.exe
scvhost32.exe
system64.exe
webdav.exe
msrpc32.exe
systemupdate.exe <--location of these is likely System32 folder but look elsewhere as well.

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.
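One way to check the "make sure you do not miss an entry" step mechanically, as an added example that is not part of the original thread: it re-splits a pasted HijackThis log into entries, lists the fix-list entries that are still present in a follow-up log, and reports autorun (O4) entries that were not in the earlier log. The function names are this example's own, and the three sample texts are shortened excerpts assembled from entries quoted in this thread.

```python
import re
from typing import List, NamedTuple

# A HijackThis entry opens with a section code (R0-R3, F0-F3, N1-N4, O1-O99)
# followed by " - ". Splitting on that marker recovers the entries even when a
# pasted log has lost or gained line breaks, as the logs in this thread have.
_ENTRY_START = re.compile(r"(?<!\S)(?=(?:[RF][0-3]|N[1-4]|O[1-9]\d?) - )")
_O4_REGISTRY = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.*?)\] ?(.*)$")
_O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.*)$")


class Autorun(NamedTuple):
    location: str  # e.g. HKLM\RunServices, or "Global Startup"
    name: str      # registry value name; empty for startup-folder items
    command: str


def split_entries(text: str) -> List[str]:
    """Return the log's entries, one string each, dropping the header text.
    Prose typed after the last entry would stay attached to that entry."""
    flat = " ".join(text.split())  # collapse every run of whitespace
    pieces = (p.strip() for p in _ENTRY_START.split(flat))
    return [p for p in pieces if _ENTRY_START.match(p)]


def parse_autoruns(text: str) -> List[Autorun]:
    """Extract the O4 (registry Run keys and startup folder) entries."""
    found = []
    for entry in split_entries(text):
        m = _O4_REGISTRY.match(entry)
        if m:
            hive, key, name, command = m.groups()
            found.append(Autorun(hive + "\\" + key, name.strip(), command.strip()))
            continue
        m = _O4_STARTUP.match(entry)
        if m:
            found.append(Autorun(m.group(1), "", m.group(2).strip()))
    return found


def survivors(fix_list: str, followup_log: str) -> List[str]:
    """Fix-list entries that still appear, unchanged, in the follow-up log."""
    remaining = set(split_entries(followup_log))
    return [e for e in split_entries(fix_list) if e in remaining]


def new_autoruns(earlier_log: str, followup_log: str) -> List[Autorun]:
    """Autoruns in the follow-up log that the earlier log did not contain."""
    before = set(parse_autoruns(earlier_log))
    return sorted(set(parse_autoruns(followup_log)) - before)


# Constructed excerpts; line breaks deliberately fall in the middle of entries.
EARLIER_LOG = r'''Logfile of HijackThis v1.98.2 Running processes:
C:\WINDOWS\Explorer.EXE R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.liveaudiowrestling.com/wo O4 - HKLM\..\Run: [QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [windows
sockets start up 32] DFUTFKZ.EXE O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe O4 - HKLM\..\RunServices:
[starter] scvhosting.exe O4 - Global Startup: webdav.exe'''

FIX_LIST = r'''
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
O4 - HKLM\..\Run: [windows sockets start up 32] DFUTFKZ.EXE
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - Global Startup: webdav.exe
'''

FOLLOWUP_LOG = r'''Logfile of HijackThis v1.98.2 Running processes:
C:\WINDOWS\System32\windowsfix.exe R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo O4 - HKLM\..\Run:
[QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 -
HKLM\..\Run: [Windows Services] windowsfix.exe O4 - HKLM\..\RunServices: [Microsoft
Updates] wkssvrs.exe O4 - HKLM\..\RunServices: [starter] scvhosting.exe O4 -
HKLM\..\RunServices: [Windows Services] windowsfix.exe O4 - Global Startup: webdav.exe'''

if __name__ == "__main__":
    print("Still present after the fix:")
    for entry in survivors(FIX_LIST, FOLLOWUP_LOG):
        print("  " + entry)
    print("Autoruns that appeared since the earlier log:")
    for item in new_autoruns(EARLIER_LOG, FOLLOWUP_LOG):
        print("  {0.location}: [{0.name}] {0.command}".format(item))
```

The comparison is an exact string match per entry, so an entry that comes back under a different value name or path shows up as new rather than as a survivor.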
#7 (permalink) |
Registered User
Join Date: Nov 2004
Posts: 9
OS: XP
puppyboyz..hijackthis log
thanks again MicroBell, i moved the hijackthis to its own folder, i forgot earlier.. anyways here is my new hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 3:35:15 AM, on 12/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\WINDOWS\System32\tbctray.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Dell\Solution Center\Service.exe
C:\Program Files\Audiogalaxy Satellite\AGSatellite.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\WINDOWS\System32\windowsfix.exe
C:\hijackthisnew\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liveaudiowrestling.com/wo
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://registration.iwon.com/reg/register.jsp"); (C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\jaml6v17.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\jaml6v17.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [Windows Services] windowsfix.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Secure Server] rpcxWindows.exe
O4 - HKLM\..\RunServices: [Win32 exe file] winstr32.exe
O4 - HKLM\..\RunServices: [zerzvpack2] uzpdate2.exe
O4 - HKLM\..\RunServices: [Microsoft Update Service] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] dlll32.exe
O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKLM\..\RunServices: [Media service] system64.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Windows Update Service 2004/2005] systemupdate.exe
O4 - HKLM\..\RunServices: [Windows Services] windowsfix.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [IM] C:\program files\instant messenger\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Dell Service.lnk = C:\Program Files\Dell\Solution Center\Service.exe
O4 - Global Startup: AGSatellite.lnk = C:\Program Files\Audiogalaxy Satellite\AGSatellite.exe
O4 - Global Startup: webdav.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9