Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.
07-03-2007, 07:49 PM   #1
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Homepage in MSN lost to spyware!?!

Hello,
I lost my MSN home page by being redirected to Evidence Eliminator on 7/2/07. I tried to fix it by installing some additional protection from the KRC Anti Spyware tutorial link in Tetonbob's tutorial in the Spyware section. Now my homepage is redirected to chronoclips.com after installing a few KRC suggestions (I know - stupid is as stupid does). Anyway, I completed 4 of the 5 steps required in "The 5 Steps Before Posting a Log". The only one I could not complete was the Panda scan. Every time I got to the file scanned named C:\ntldr I was booted from the internet. Anyway - following are my HJT logs.

Deckard's System Scanner v20070611.50
Run by Mike on 2007-07-03 at 21:02:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2007-07-04 01:02:32 UTC - RP272 - Deckard's System Scanner Restore Point
26: 2007-07-03 01:15:56 UTC - RP271 - Restore Operation
25: 2007-07-02 00:55:15 UTC - RP270 - Removed Java 2 Runtime Environment, SE v1.4.2_03
24: 2007-07-02 00:54:51 UTC - RP269 - Removed J2SE Runtime Environment 5.0 Update 10
23: 2007-07-01 23:12:07 UTC - RP268 - Removed Tiger Woods PGA TOUR 2002


-- First Restore Point --
1: 2007-06-13 04:09:26 UTC - RP246 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:04:27 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Mike.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...Zg73so4heknQ==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...QbxjCX8bBWUo+B
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...ad/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151365818620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154567150945
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DD12B66-AFD1-46A1-B67D-EA5D62DECAC8}: NameServer = 192.168.1.1
O18 - Protocol: bw+0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ISODrive (ISO DVD/CD-ROM Device Driver) - c:\program files\ultraiso\drivers\isodrive.sys <Not Verified; EZB Systems, Inc.; ISODrive>
R2 cis1284 - c:\windows\system32\drivers\cis1284.sys <Not Verified; Canon Information Systems; Canon MultiPASS>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 7ByteIO - c:\program files\hot cpu tester pro 4 le\sysinfo.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 RetroWDSvc (Retrospect WD Service) - c:\progra~1\dantz\retros~1\wdsvc.exe <Not Verified; Dantz Development Corporation; Retrospect>

S2 Retrospect Helper - "c:\program files\dantz\retrospect\rthlpsvc.exe" <Not Verified; Dantz Development Corporation; Retrospect>


-- Scheduled Tasks -------------------------------------------------------------

2007-07-01 01:00:08 350 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-04-19 19:04:48 348 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2007-06-03 and 2007-07-03 -----------------------------

2007-07-03 20:39:00 0 d-------- C:\ie-spyad
2007-07-02 20:34:31 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-01 20:58:59 0 d-------- C:\Documents and Settings\Mike\.housecall6.6
2007-07-01 20:36:58 0 d-------- C:\Program Files\SpywareGuard
2007-06-27 20:40:29 0 d-------- C:\Documents and Settings\Mike\Application Data\CyberLink
2007-06-27 20:38:14 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-06-27 20:27:05 0 d-------- C:\Program Files\Cyberlink
2007-06-27 19:41:44 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-06-18 21:45:07 0 d-------- C:\Program Files\MSXML 6.0
2007-06-18 21:40:04 0 d-------- C:\e469f47be8f80a2705f0795f0e
2007-06-11 20:38:33 0 d-------- C:\Documents and Settings\Mike\Application Data\vlc
2007-06-11 20:17:09 0 d-------- C:\Program Files\Common Files\EZB Systems
2007-06-11 20:17:08 0 d-------- C:\Program Files\UltraISO
2007-06-04 21:10:20 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2007-06-04 19:33:34 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2007-06-04 19:33:34 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2007-06-04 19:33:34 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>


-- Find3M Report ---------------------------------------------------------------

2007-07-03 19:48:42 0 d-------- C:\Program Files\QuickTime
2007-07-03 19:48:41 0 d-------- C:\Program Files\MSN Messenger
2007-07-03 19:48:38 0 d-------- C:\Program Files\Digital Line Detect
2007-07-03 19:48:12 0 d-------- C:\Program Files\BAE
2007-07-03 18:45:09 0 d-------- C:\Documents and Settings\Mike\Application Data\MSN6
2007-07-03 00:34:19 0 d-------- C:\Documents and Settings\Mike\Application Data\Azureus
2007-07-02 21:39:38 0 d-------- C:\Program Files\WildTangent
2007-07-01 20:54:56 0 d-------- C:\Program Files\Java
2007-07-01 20:09:38 0 d-------- C:\Program Files\SpywareBlaster
2007-07-01 10:56:11 0 d-------- C:\Documents and Settings\Mike\Application Data\Vso
2007-06-28 19:26:28 0 d-------- C:\Program Files\GemMaster
2007-06-27 20:28:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-21 18:40:49 0 d-------- C:\Program Files\McAfee
2007-06-18 21:25:54 0 d-------- C:\Program Files\ESPNMotion
2007-06-11 21:02:27 0 d-------- C:\Program Files\VideoLAN
2007-06-04 19:33:40 34 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.log
2007-06-04 19:33:36 47360 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-06-04 19:33:36 1144 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.inf
2007-06-04 19:33:36 7887 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.cat
2007-05-29 21:49:59 0 d-------- C:\Program Files\Cucusoft
2007-05-29 21:46:30 0 d-------- C:\Program Files\Common Files\Download Manager
2007-05-23 21:23:55 0 d-------- C:\Documents and Settings\Mike\Application Data\Smart Recorder
2007-05-21 10:46:53 0 d-------- C:\Program Files\Apple Software Update
2007-05-15 20:27:01 0 d-------- C:\Documents and Settings\Mike\Application Data\DivX
2007-05-15 19:52:34 81920 --a------ C:\Documents and Settings\Mike\Application Data\ezpinst.exe
2007-05-15 19:52:30 0 d-------- C:\Program Files\vso
2007-05-12 21:07:27 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-12 21:07:27 88 -r-hs---- C:\WINDOWS\system32\71D04ABC27.sys
2007-05-08 21:09:57 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\System32\DLA\DLASHX_W.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll
{CA6319C0-31B7-401E-A518-A07C3DB8F777} c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"WD Button Manager"="WDBtnMgr.exe"
"VolPanel"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"MpsOnn"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\MpsOnn.exe"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\DVDAudio\\CTDVDDET.EXE\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\verizon\\SMARTB~1\\MotiveSB.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Creative MediaSource Go"="\"C:\\Program Files\\Creative\\MediaSource\\Go\\CTCMSGo.exe\" /SCB"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwprovau\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f0ef068-bc8e-11db-9dae-001372d80dfe}]
Shell\AutoRun\command L:\AUTORUN.EXE

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc980d92-056c-11db-9c9c-806d6172696f}]
Shell\AutoRun\command E:\RunGame.exe


-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 abloga.info #[Spamdexing]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net

15423 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-07-03 at 21:04:53 ---------

All/any help would be highly appreciated!!
Attached Files
File Type: txt extra.txt (28.3 KB, 3 views)
Old 07-05-2007, 08:00 PM   #2 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

BUMP

Thanks,
mjman
Old 07-05-2007, 08:59 PM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Hi and welcome to TSF.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

---------------------------------------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

---------------------------------------------------------------------------------------------

Please post in your next reply:

C:\ComboFix.txt
Fresh HijackThis log
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 07-05-2007 at 09:00 PM.
Old 07-06-2007, 05:26 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hi forhockey - I look forward to working w/ you.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:11 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...QbxjCX8bBWUo+B
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...ad/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151365818620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154567150945
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DD12B66-AFD1-46A1-B67D-EA5D62DECAC8}: NameServer = 192.168.1.1
O18 - Protocol: bw+0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

ComboFix Log:

"Mike" - 2007-07-06 19:10:27 - ComboFix 07-07-07 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\logo.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\logoxp.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\maps.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\maps_over.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\travel.xml
C:\DOCUME~1\Mike\APPLIC~1.\macromedia\Flash Player\#SharedObjects\UR5MUJTB\www.broadcaster.com
C:\DOCUME~1\Mike\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Mike\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-06 19:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 21:02 <DIR> d-------- C:\Deckard
2007-07-03 20:39 <DIR> d-------- C:\ie-spyad
2007-07-02 20:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-01 20:58 <DIR> d-------- C:\DOCUME~1\Mike\.housecall6.6
2007-07-01 20:36 <DIR> d-------- C:\Program Files\SpywareGuard
2007-06-27 20:40 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\CyberLink
2007-06-27 20:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-06-27 20:27 <DIR> d-------- C:\Program Files\Cyberlink
2007-06-27 19:41 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-18 21:45 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-18 21:40 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-06-18 21:40 <DIR> d-------- C:\e469f47be8f80a2705f0795f0e
2007-06-11 20:38 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\vlc
2007-06-11 20:17 <DIR> d-------- C:\Program Files\UltraISO
2007-06-11 20:17 <DIR> d-------- C:\Program Files\Common Files\EZB Systems


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 23:08:18 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\MSN6
2007-07-06 04:48:13 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\Azureus
2007-07-03 23:48:42 -------- d-----w C:\Program Files\QuickTime
2007-07-03 23:48:41 -------- d-----w C:\Program Files\MSN Messenger
2007-07-03 23:48:38 -------- d-----w C:\Program Files\Digital Line Detect
2007-07-03 23:48:12 -------- d-----w C:\Program Files\BAE
2007-07-03 01:39:38 -------- d-----w C:\Program Files\WildTangent
2007-07-02 00:09:38 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-01 14:56:11 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\Vso
2007-06-28 23:26:28 -------- d-----w C:\Program Files\GemMaster
2007-06-28 00:28:37 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-21 22:40:49 -------- d-----w C:\Program Files\McAfee
2007-06-19 01:25:54 -------- d-----w C:\Program Files\ESPNMotion
2007-06-12 01:02:27 -------- d-----w C:\Program Files\VideoLAN
2007-06-04 23:33:36 87,608 ----a-w C:\DOCUME~1\Mike\APPLIC~1\inst.exe
2007-06-04 23:33:36 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-06-04 23:33:36 47,360 ----a-w C:\DOCUME~1\Mike\APPLIC~1\pcouffin.sys
2007-05-30 01:49:59 -------- d-----w C:\Program Files\Cucusoft
2007-05-30 01:46:30 -------- d-----w C:\Program Files\Common Files\Download Manager
2007-05-24 01:23:55 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\Smart Recorder
2007-05-21 14:46:53 -------- d-----w C:\Program Files\Apple Software Update
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 00:27:01 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\DivX
2007-05-15 23:52:34 81,920 ----a-w C:\DOCUME~1\Mike\APPLIC~1\ezpinst.exe
2007-05-15 23:52:30 -------- d-----w C:\Program Files\vso
2007-05-13 01:07:27 88 --sh--r C:\WINDOWS\system32\71D04ABC27.sys
2007-05-13 01:07:27 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-09 01:09:57 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2005-09-08 05:20 110652 --a------ C:\WINDOWS\System32\DLA\DLASHX_W.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
2006-12-22 16:02 67136 --a------ c:\program files\mcafee\virusscan\scriptcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
2006-02-22 19:00 94208 --a------ c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"WD Button Manager"="WDBtnMgr.exe" [2006-07-24 20:16 C:\WINDOWS\system32\WDBtnMgr.exe]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-04 20:04]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 10:44]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-06-14 14:12]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 04:00 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2005-11-08 12:30 C:\WINDOWS\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"Motive SmartBridge"="C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2005-10-19 14:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-06-14 10:05]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-06-27 20:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f0ef068-bc8e-11db-9dae-001372d80dfe}]
AutoRun\command- L:\AUTORUN.EXE


Contents of the 'Scheduled Tasks' folder
2007-04-19 23:04:48 C:\WINDOWS\tasks\McDefragTask.job
2007-07-01 05:00:08 C:\WINDOWS\tasks\McQcTask.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 19:12:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 19:12:36
C:\ComboFix-quarantined-files.txt ... 2007-07-06 19:12

--- E O F ---
Old 07-06-2007, 06:39 PM   #5 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Hi mjman,

There isn't much left showing in your logs, but we can take a closer look.

---------------------------------------------------------------------------------------------

Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

P2P Software

P2P - I see you have the P2P software Azureus installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

---------------------------------------------------------------------------------------------

The following are optional removals, but I recommend you remove them.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
WildTangent
GemMaster



---------------------------------------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting Windows in Safe Mode; click OK and Windows will load your desktop environment.

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any).

Fix all of those Logitech O18 entries except the very first and the last one listed.

Please remember to close all other windows, including browsers then click Fix checked.

---------------------------------------------------------------------------------------------

Delete the following File indicated in RED if it still exists.

C:\Documents and Settings\Mike\Application Data\ezpinst.exe




The following folders in BLUE are optional to delete. If you have chosen to uninstall them previously in my instructions, then go ahead and delete them.

C:\Program Files\WildTangent
C:\Program Files\GemMaster


---------------------------------------------------------------------------------------------

Look inside the following folder in BLUE and tell me what files you see.

C:\e469f47be8f80a2705f0795f0e

---------------------------------------------------------------------------------------------

Restart your computer in Normal Mode

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of Panda's 8 MB ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

How is your system behaving now?
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 07-06-2007 at 06:42 PM.
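To show how a helper reads the kinds of entries discussed in this post, here is an added triage script (not part of the thread and not HijackThis code) that parses HijackThis-style log lines and flags search-page hijacks, orphaned "(no file)" entries and several O18 protocol prefixes bound to one handler. The sample lines and the trusted-host allow-list are constructed for the example.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the
thread and not HijackThis code).  It reads the "R1 - ..." / "O2 - ..." line
format shown in the logs above and flags what a helper reviews first:
  * search/start-page registry values pointing at a host outside an
    allow-list (the thread's SearchURL pointed at as.starware.com),
  * entries whose backing file is gone ("(no file)"), which are leftovers,
  * several protocol prefixes (O18) bound to one CLSID, a review item.
The allow-list below is an assumption, not something HijackThis ships.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the same shape as the thread's log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: bw+0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry value names that control where Internet Explorer searches or starts.
HOMEPAGE_KEYS = ("SearchURL", "Start Page", "Default_Page_URL", "Search Page", "Search Bar")
# Assumed allow-list for this example; a real helper would use the vendor defaults.
TRUSTED_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com", "www.google.com"}

Finding = Tuple[str, str, str, str]  # (severity, kind, where, detail)


@dataclass
class Entry:
    section: str          # e.g. "R1", "O2", "O18"
    body: str             # everything after "Rn - " / "Onn - "
    clsid: Optional[str]  # first {GUID} in the body, upper-cased, if any


def parse_log(text: str) -> List[Entry]:
    """Keep only the numbered entry lines; process lists and headers are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        g = CLSID_RE.search(m["body"])
        entries.append(Entry(m["section"], m["body"], g.group(0).upper() if g else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Return the findings a helper would look at before deciding what to fix."""
    findings: List[Finding] = []
    prefixes_by_clsid: Dict[str, List[str]] = {}
    for e in entries:
        # R0/R1: IE registry values. Flag search/start pages on unknown hosts.
        if e.section in ("R0", "R1"):
            key, _, value = e.body.partition(" = ")
            if any(k in key for k in HOMEPAGE_KEYS):
                host = (urlparse(value.strip()).hostname or "").lower()
                if host and host not in TRUSTED_HOSTS:
                    findings.append(("suspicious", "search-hijack", e.section, host))
        # Any entry whose target no longer exists is a leftover worth cleaning up.
        if e.body.endswith("(no file)"):
            findings.append(("cleanup", "orphan-entry", e.section, e.clsid or e.body))
        # O18: collect the protocol prefixes registered to each handler CLSID.
        if e.section == "O18" and e.clsid:
            prefix = e.body.split(" - ", 1)[0].replace("Protocol: ", "", 1)
            prefixes_by_clsid.setdefault(e.clsid, []).append(prefix)
    for clsid, prefixes in prefixes_by_clsid.items():
        if len(prefixes) > 1:
            findings.append(("review", "shared-protocol-handler", clsid, ", ".join(prefixes)))
    return findings


if __name__ == "__main__":
    for sev, kind, where, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {kind}: {where} -> {detail}")
```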
Old 07-06-2007, 09:49 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hello forhockey,

I completed all of the "safemode" fixes. FYI - I had already deleted WildTangent from Program File per 5 Steps to perform prior to posting thread - but it still appeared in safe mode. Log of current HJT and copy of .txt contained in folder "C:\e469f47be8f80a2705f0795f0e" follows. I once again tried to do PandaScan (in Safe Mode) and for the 4th or 5th time got booted from the internet when the scan reached file C:\ntldr. Panda always seems to get hung up and boots me.

Anyway - I still am being redirected to "chronoclips.com" when I start MSN browser. Having no problems starting w/ IE except using IE does not permit me to access "My Favorites" option.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:54 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...QbxjCX8bBWUo+B
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...ad/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151365818620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154567150945
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DD12B66-AFD1-46A1-B67D-EA5D62DECAC8}: NameServer = 192.168.1.1
O18 - Protocol: bw+0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe



Copy of .txt file contained in C:\e469f47be8f80a2705f0795f0e folder that you wanted me to look at:

=== Logging started: 6/18/2007 21:40:05 ===
Action start 21:40:05: INSTALL.
Action start 21:40:05: LaunchConditions.
Action ended 21:40:05: LaunchConditions. Return value 1.
Action start 21:40:05: FindRelatedProducts.
Action ended 21:40:05: FindRelatedProducts. Return value 1.
Action start 21:40:05: IsPendingRebootKey.
PendingFileRenameOperations contains:
\??\C:\DOCUME~1\Mike\LOCALS~1\Temp\A~NSISu_.exe~~\??\C:\Program Files\Learn2.com\StRunner\stuninst.exe~~\??\C:\Program Files\Learn2.com\StRunner~~\??\C:\Program Files\Learn2.com~~\??\C:\DOCUME~1\Mike\LOCALS~1\Temp\_iu14D2N.tmp~~\??\C:\DOCUME~1\Mike\LOCALS~1\Temp\GLB1A2B.EXE~~\??\C:\DOCUME~1\Mike\LOCALS~1\Temp\GLB1A2B.EXE~~\??\C:\WINDOWS\system32\SET101.tmp~!\??\C:\WINDOWS\system32\msvidctl.dll~\??\C:\WINDOWS\system32\SET102.tmp~!\??\C:\WINDOWS\system32\sbe.dll~\??\C:\WINDOWS\system32\SET104.tmp~!\??\C:\WINDOWS\system32\encdec.dll~\??\C:\WINDOWS\ehome\SET113.tmp~!\??\C:\WINDOWS\ehome\ehrecvr.exe~\??\C:\WINDOWS\system32\SET11D.tmp~!\??\C:\WINDOWS\system32\pnrpnsp.dll~\??\C:\WINDOWS\system32\SET11E.tmp~!\??\C:\WINDOWS\system32\p2psvc.dll~\??\C:\WINDOWS\system32\SET11F.tmp~!\??\C:\WINDOWS\system32\p2pnetsh.dll~\??\C:\WINDOWS\system32\SET120.tmp~!\??\C:\WINDOWS\system32\p2pgraph.dll~\??\C:\WINDOWS\system32\SET121.tmp~!\??\C:\WINDOWS\system32\p2pgasvc.dll~\??\C:\WINDOWS\system32\SET122.tmp~!\??\C:\WINDOWS\system32\p2p.dll~
No file in package listed in PendingFileRenameOperations
Action ended 21:40:05: IsPendingRebootKey. Return value 1.
Action start 21:40:05: AppSearch.
Action ended 21:40:05: AppSearch. Return value 0.
Action start 21:40:05: CCPSearch.
Action ended 21:40:05: CCPSearch. Return value 0.
Action start 21:40:05: RMCCPSearch.
Action ended 21:40:05: RMCCPSearch. Return value 0.
Action start 21:40:05: ValidateProductID.
Action ended 21:40:05: ValidateProductID. Return value 1.
Action start 21:40:05: CostInitialize.
Action ended 21:40:05: CostInitialize. Return value 1.
Action start 21:40:05: FileCost.
Action ended 21:40:05: FileCost. Return value 1.
Action start 21:40:05: IsolateComponents.
Action ended 21:40:05: IsolateComponents. Return value 0.
Action start 21:40:05: CostFinalize.
Action ended 21:40:05: CostFinalize. Return value 1.
Action start 21:40:05: CA_SetARPINSTALLLOCATION.
Action ended 21:40:05: CA_SetARPINSTALLLOCATION. Return value 1.
Action start 21:40:05: SetODBCFolders.
Action ended 21:40:05: SetODBCFolders. Return value 0.
Action start 21:40:05: MigrateFeatureStates.
Action ended 21:40:05: MigrateFeatureStates. Return value 0.
Action start 21:40:05: InstallValidate.
Action ended 21:40:05: InstallValidate. Return value 1.
Action start 21:40:05: InstallInitialize.
Action ended 21:40:05: InstallInitialize. Return value 1.
Action start 21:40:05: AllocateRegistrySpace.
Action ended 21:40:05: AllocateRegistrySpace. Return value 1.
Action start 21:40:05: ProcessComponents.
Action ended 21:40:05: ProcessComponents. Return value 1.
Action start 21:40:05: UnpublishComponents.
Action ended 21:40:05: UnpublishComponents. Return value 1.
Action start 21:40:05: MsiUnpublishAssemblies.
Action ended 21:40:05: MsiUnpublishAssemblies. Return value 1.
Action start 21:40:05: UnpublishFeatures.
Action ended 21:40:05: UnpublishFeatures. Return value 1.
Action start 21:40:05: StopServices.
Action ended 21:40:05: StopServices. Return value 1.
Action start 21:40:05: DeleteServices.
Action ended 21:40:05: DeleteServices. Return value 1.
Action start 21:40:05: UnregisterComPlus.
Action ended 21:40:05: UnregisterComPlus. Return value 0.
Action start 21:40:05: SelfUnregModules.
Action ended 21:40:05: SelfUnregModules. Return value 1.
Action start 21:40:05: UnregisterTypeLibraries.
Action ended 21:40:05: UnregisterTypeLibraries. Return value 1.
Action start 21:40:05: UnregisterFonts.
Action ended 21:40:05: UnregisterFonts. Return value 1.
Action start 21:40:05: RemoveRegistryValues.
Action ended 21:40:05: RemoveRegistryValues. Return value 1.
Action start 21:40:05: UnregisterClassInfo.
Action ended 21:40:05: UnregisterClassInfo. Return value 1.
Action start 21:40:05: UnregisterExtensionInfo.
Action ended 21:40:05: UnregisterExtensionInfo. Return value 1.
Action start 21:40:05: UnregisterProgIdInfo.
Action ended 21:40:05: UnregisterProgIdInfo. Return value 0.
Action start 21:40:05: UnregisterMIMEInfo.
Action ended 21:40:05: UnregisterMIMEInfo. Return value 0.
Action start 21:40:05: RemoveIniValues.
Action ended 21:40:05: RemoveIniValues. Return value 1.
Action start 21:40:05: RemoveShortcuts.
Action ended 21:40:05: RemoveShortcuts. Return value 0.
Action start 21:40:05: RemoveEnvironmentStrings.
Action ended 21:40:05: RemoveEnvironmentStrings. Return value 1.
Action start 21:40:05: RemoveDuplicateFiles.
Action ended 21:40:05: RemoveDuplicateFiles. Return value 1.
Action start 21:40:05: RemoveFiles.
Action ended 21:40:05: RemoveFiles. Return value 0.
Action start 21:40:05: RemoveFolders.
Action ended 21:40:05: RemoveFolders. Return value 0.
Action start 21:40:05: CreateFolders.
Action ended 21:40:05: CreateFolders. Return value 0.
Action start 21:40:05: MoveFiles.
Action ended 21:40:05: MoveFiles. Return value 1.
Action start 21:40:05: InstallFiles.
Action ended 21:40:05: InstallFiles. Return value 1.
Action start 21:40:05: PatchFiles.
Action ended 21:40:05: PatchFiles. Return value 0.
Action start 21:40:05: DuplicateFiles.
Action ended 21:40:05: DuplicateFiles. Return value 1.
Action start 21:40:05: BindImage.
Action ended 21:40:05: BindImage. Return value 1.
Action start 21:40:05: CreateShortcuts.
Action ended 21:40:05: CreateShortcuts. Return value 0.
Action start 21:40:05: RegisterClassInfo.
Action ended 21:40:05: RegisterClassInfo. Return value 1.
Action start 21:40:05: RegisterExtensionInfo.
Action ended 21:40:05: RegisterExtensionInfo. Return value 1.
Action start 21:40:05: RegisterProgIdInfo.
Action ended 21:40:05: RegisterProgIdInfo. Return value 0.
Action start 21:40:05: RegisterMIMEInfo.
Action ended 21:40:05: RegisterMIMEInfo. Return value 0.
Action start 21:40:05: WriteRegistryValues.
Action ended 21:40:05: WriteRegistryValues. Return value 1.
Action start 21:40:05: Wdsfpca_AddRefcountMsxml.86F857F6_A743_463D_B2FE_98CB5F727E09.
Action ended 21:40:05: Wdsfpca_AddRefcountMsxml.86F857F6_A743_463D_B2FE_98CB5F727E09. Return value 1.
Action start 21:40:05: WriteIniValues.
Action ended 21:40:05: WriteIniValues. Return value 1.
Action start 21:40:05: WriteEnvironmentStrings.
Action ended 21:40:05: WriteEnvironmentStrings. Return value 1.
Action start 21:40:05: RegisterFonts.
Action ended 21:40:05: RegisterFonts. Return value 1.
Action start 21:40:05: RegisterTypeLibraries.
Action ended 21:40:05: RegisterTypeLibraries. Return value 1.
Action start 21:40:05: SelfRegModules.
Action ended 21:40:05: SelfRegModules. Return value 1.
Action start 21:40:05: RegisterComPlus.
Action ended 21:40:05: RegisterComPlus. Return value 0.
Action start 21:40:05: InstallServices.
Action ended 21:40:05: InstallServices. Return value 1.
Action start 21:40:05: StartServices.
Action ended 21:40:05: StartServices. Return value 1.
Action start 21:40:05: RegisterUser.
Action ended 21:40:05: RegisterUser. Return value 1.
Action start 21:40:05: RegisterProduct.
Action ended 21:40:05: RegisterProduct. Return value 1.
Action start 21:40:05: PublishComponents.
Action ended 21:40:05: PublishComponents. Return value 1.
Action start 21:40:05: MsiPublishAssemblies.
Action ended 21:40:05: MsiPublishAssemblies. Return value 1.
Action start 21:40:05: PublishFeatures.
Action ended 21:40:05: PublishFeatures. Return value 1.
Action start 21:40:05: PublishProduct.
Action ended 21:40:05: PublishProduct. Return value 1.
Action start 21:40:05: InstallFinalize.
<Func Name='Wdsfpca_AddRefcountMsxml'>
<Func Name='RegAddRefcountMsxml'>
Finding the key CLSID\{2933BF90-7B36-11d2-B20E-00C04F983E60}\SideBySide; the result is: 0
RefCount has the existing value: 2
Version60RefCount will create a new value with 1
AddRefcountMsxml returns the code 0
<EndFunc Name='Wdsfpca_AddRefcountMsxml' Return='0' GetLastError='0'>
Action ended 21:40:07: InstallFinalize. Return value 1.
Action start 21:40:07: RemoveExistingProducts.
Action ended 21:40:07: RemoveExistingProducts. Return value 1.
Action ended 21:40:07: INSTALL. Return value 1.
MSI (s) (C0:0C) [21:40:07:359]: Product: MSXML 6.0 Parser (KB927977) -- Installation completed successfully.

=== Logging stopped: 6/18/2007 21:40:07 ===

It is strange to see that "logging started on 6/18" part of this .txt file - but only because you asked me to describe what I saw.

Thanks - mjman
Old 07-07-2007, 11:24 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Hi mjman,

Let me see if I understood correctly. You've deleted the WildTangent folder, but it still exists in the add/remove programs list?

The .txt file located in C:\e469f47be8f80a2705f0795f0e is nothing to be worried about. Microsoft updates always generate these random folder names, which we are never really sure about. Next, we are going to try using another online scan, which I'll mention in my instructions later on. Lastly, this round we will take care of the redirection to that website.

Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...QbxjCX8bBWUo+B

Please remember to close all other windows, including browsers then click Fix checked.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Please reply back with the following:

Question about WildTangent
Kaspersky Log
System Behaviour?

Last edited by forhockey; 07-07-2007 at 11:25 AM.
Old 07-07-2007, 02:54 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hi forhockey,

Thanks for all of the assistance to date!!

Wild Tangent - I deleted this before I sent my first HJT log and was just commenting that it was strange to see it listed in Safe Mode - I deleted it again during the last round. As far as I am concerned it is not on my system.

Behavior - The home page in MSN is still being redirected to the Live Search page, with the following in the browser bar:
http://sea.search.msn.com/pass/resul...0years%2520old
Basically, the Live Search page shows up saying it could not find the site requested.

Other than that my system seems to run OK - except that yesterday the local connection failed a few times while I was connected to the Internet. I was able to correct this problem by going into Device Manager and troubleshooting.

Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 07, 2007 4:27:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/07/2007
Kaspersky Anti-Virus database records: 359465
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
M:\

Scan Statistics:
Total number of scanned objects: 67278
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:43:12

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0024105.exe Infected: not-a-virus:Downloader.Win32.DigStream skipped

Scan process completed.

Once again - Thanks for your assistance in helping me "clean up".

Thanks,
mjman
Old 07-07-2007, 04:03 PM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Hi mjman,

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-07-2007, 05:28 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hi forhockey,

Ran the scan a few times but for some reason there is no "extra.txt" output. I had no problem when you asked me to run and post before. I checked the Deckard folder every time and it is not there. I deleted the Deckard.exe from before and reinstalled from your link and still no luck. Anyway - here is the main:

Deckard's System Scanner v20070611.50
Run by Mike on 2007-07-07 at 19:20:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:20:56 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Mike.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...ad/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151365818620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154567150945
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DD12B66-AFD1-46A1-B67D-EA5D62DECAC8}: NameServer = 192.168.1.1
O18 - Protocol: bw+0 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {10A4C1AD-3BA7-47AD-B600-6EB1F7A905A7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe


-- Files created between 2007-06-07 and 2007-07-07 -----------------------------

2007-07-07 15:24:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-07-07 15:24:18 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-03 20:39:00 0 d-------- C:\ie-spyad
2007-07-02 20:34:31 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-01 20:58:59 0 d-------- C:\Documents and Settings\Mike\.housecall6.6
2007-07-01 20:36:58 0 d-------- C:\Program Files\SpywareGuard
2007-06-27 20:40:29 0 d-------- C:\Documents and Settings\Mike\Application Data\CyberLink
2007-06-27 20:38:14 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-06-27 20:27:05 0 d-------- C:\Program Files\Cyberlink
2007-06-27 19:41:44 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-06-18 21:45:07 0 d-------- C:\Program Files\MSXML 6.0
2007-06-18 21:40:04 0 d-------- C:\e469f47be8f80a2705f0795f0e
2007-06-11 20:38:33 0 d-------- C:\Documents and Settings\Mike\Application Data\vlc
2007-06-11 20:17:09 0 d-------- C:\Program Files\Common Files\EZB Systems
2007-06-11 20:17:08 0 d-------- C:\Program Files\UltraISO


-- Find3M Report ---------------------------------------------------------------

2007-07-07 19:16:57 0 d-------- C:\Documents and Settings\Mike\Application Data\MSN6
2007-07-07 18:58:52 0 d-------- C:\Documents and Settings\Mike\Application Data\Azureus
2007-07-07 10:13:03 0 d-------- C:\Documents and Settings\Mike\Application Data\Vso
2007-07-06 22:39:18 0 d-------- C:\Program Files\QuickTime
2007-07-06 22:39:17 0 d-------- C:\Program Files\MSN Messenger
2007-07-06 22:39:12 0 d-------- C:\Program Files\Digital Line Detect
2007-07-03 19:48:12 0 d-------- C:\Program Files\BAE
2007-07-01 20:54:56 0 d-------- C:\Program Files\Java
2007-07-01 20:09:38 0 d-------- C:\Program Files\SpywareBlaster
2007-06-27 20:28:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-21 18:40:49 0 d-------- C:\Program Files\McAfee
2007-06-18 21:25:54 0 d-------- C:\Program Files\ESPNMotion
2007-06-11 21:02:27 0 d-------- C:\Program Files\VideoLAN
2007-06-04 19:33:40 34 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.log
2007-06-04 19:33:36 47360 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-06-04 19:33:36 1144 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.inf
2007-06-04 19:33:36 7887 --a------ C:\Documents and Settings\Mike\Application Data\pcouffin.cat
2007-05-29 21:49:59 0 d-------- C:\Program Files\Cucusoft
2007-05-29 21:46:30 0 d-------- C:\Program Files\Common Files\Download Manager
2007-05-23 21:23:55 0 d-------- C:\Documents and Settings\Mike\Application Data\Smart Recorder
2007-05-21 10:46:53 0 d-------- C:\Program Files\Apple Software Update
2007-05-15 20:27:01 0 d-------- C:\Documents and Settings\Mike\Application Data\DivX
2007-05-15 19:52:30 0 d-------- C:\Program Files\vso
2007-05-12 21:07:27 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-12 21:07:27 88 -r-hs---- C:\WINDOWS\system32\71D04ABC27.sys
2007-05-08 21:09:57 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\System32\DLA\DLASHX_W.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll
{CA6319C0-31B7-401E-A518-A07C3DB8F777} c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"WD Button Manager"="WDBtnMgr.exe"
"VolPanel"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\DVDAudio\\CTDVDDET.EXE\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\verizon\\SMARTB~1\\MotiveSB.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Creative MediaSource Go"="\"C:\\Program Files\\Creative\\MediaSource\\Go\\CTCMSGo.exe\" /SCB"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwprovau\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f0ef068-bc8e-11db-9dae-001372d80dfe}]
Shell\AutoRun\command L:\AUTORUN.EXE


-- End of Deckard's System Scanner: finished at 2007-07-07 at 19:21:13 ---------

Thanks for everything so far!!
mjman
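The analyst reads the HijackThis section of the DSS log line by line (R1 proxy settings, O2 BHOs, O3 toolbars, O4 startup entries, O16 ActiveX downloads, O17 DNS servers, O23 services). The following is an added example, not part of this thread or of HijackThis/DSS: a small Python parser for HJT v1.99-style log lines plus a triage pass that flags the kinds of entries an analyst checks first (orphaned "(no file)" entries, services with no vendor string, startup commands without a full path, ActiveX controls fetched over plain HTTP, DNS servers outside private ranges). The flags are review prompts, not verdicts; the sample lines are constructed from the shapes seen in the log above.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99 log format (shapes taken from the
# thread above; this is not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DD12B66-AFD1-46A1-B67D-EA5D62DECAC8}: NameServer = 192.168.1.1
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O23 - ..." style lines only
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')  # drive letter or UNC path
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class HjtEntry:
    section: str                 # e.g. "O2", "O23"
    body: str                    # text after "O2 - "
    clsid: Optional[str] = None  # CLSID if the entry carries one
    target: Optional[str] = None # file path, URL or command the entry points at
    flags: List[str] = field(default_factory=list)


def _target(section: str, body: str) -> Optional[str]:
    """Pull the file/URL/command out of an entry; None if there is none."""
    if section == "O4":                       # "HKLM\..\Run: [Name] command"
        m = re.search(r"\]\s*(.*)$", body)
        return m.group(1).strip() if m else None
    if " - " in body:                         # O2/O3/O16/O23: last " - " field
        return body.rsplit(" - ", 1)[1].strip()
    return None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Keep only the section-coded lines; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(HjtEntry(section, body, clsid.group(0) if clsid else None,
                                _target(section, body)))
    return entries


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Attach heuristic review flags; an empty list means nothing stood out."""
    for e in entries:
        if "(no file)" in e.body:
            e.flags.append("orphan: entry points to a file that no longer exists")
        if e.section == "O23" and "Unknown owner" in e.body:
            e.flags.append("service has no vendor/company string; verify the binary")
        if e.section == "O4" and e.target and not FULL_PATH_RE.match(e.target):
            e.flags.append("startup command has no full path; resolved via the search path")
        if e.section == "O16" and e.target and e.target.lower().startswith("http://"):
            e.flags.append("ActiveX control downloaded over plain HTTP")
        if e.section == "O17":
            for ip in IPV4_RE.findall(e.body):
                try:
                    if not ipaddress.ip_address(ip).is_private:
                        e.flags.append(f"NameServer {ip} is outside private ranges")
                except ValueError:
                    e.flags.append(f"NameServer {ip} is not a valid IPv4 address")
        if e.section == "R1" and "ProxyOverride" in e.body:
            e.flags.append("proxy override set; confirm it matches your own configuration")
    return entries


if __name__ == "__main__":
    for e in triage(parse_hjt_log(SAMPLE_LOG)):
        status = "; ".join(e.flags) if e.flags else "ok"
        print(f"{e.section:<4} {status}")
</test>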
Old 07-07-2007, 05:40 PM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Sorry about that..

Please run Deckard's System Scanner again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config

Click on "Check All"
Then Click on "Uncheck All"
Under the "extra log" header, tick off "Add/Remove Programs"

Click Scan!

When finished, it shall produce extra.txt

Please post the extra.txt in your next reply.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-07-2007, 06:11 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Here it is!!
Attached Files
File Type: txt extra 7-7-07 803 pm.txt (23.5 KB, 2 views)
Old 07-07-2007, 10:52 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Hi mjman,

Let's try a few more things.


Clear IE6 cookies
  1. On the Internet Explorer 6 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
  2. On the General tab, in the Temporary Internet Files section, click the Delete Files button. This will delete all the files that are currently stored in your cache [that includes cookies too].
  3. Click OK, and then click OK again.



Flush DNS

1. Go to start -> run, then type cmd in the textbox and click OK.
2. Type ipconfig /flushdns, then hit the [enter] button on your keyboard. Note: There is a space between the "g" and "/"

-----------------------------------------------------------------------------------------------------------------------

There are two options you can choose from if the above instructions didn't fix the problem:

1) Try uninstalling the MSN Browser to see if it fixes the redirect problem, as your system should now be clean.

2) Using a different Browser to connect to the internet. I can give you a few good ones to choose from.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-08-2007, 04:07 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hi forhockey,

Once again - at the risk of sounding like a broken record - THANKS for all of the help.

I did as suggested on last post by you. I did both steps and still get redirected. I uninstalled and reinstalled MSN and am still being redirected in same manner as before.

I wanted to keep MSN as it gives me accessibility to all of the items in my "Favorites" folder I have accumulated over the past few years. If I could find a quick way to have access "Favorites" using another browser then I will switch. If you know the answer to this then let me know. Additionally I would like to take you up on your offer on suggesting other browsers.

Thanks,
mjman
Old 07-08-2007, 10:48 PM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

Hi mjman,

You are in luck, as we will be able to transfer your favorites over to another browser.

----------------------------------------------------------------------------------------------

Please download the following file:

http://www.mainsoft.fr/Files/MsnFav.zip

----------------------------------------------------------------------------------------------

Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

----------------------------------------------------------------------------------------------

1. Extract MsnFav.zip to a folder on your desktop (eg. MsnFav)
2. Copy the following file in RED to the folder on your desktop (eg. MsnFav)

C:\Documents and Settings\Mike\Application Data\MSN6\UserData\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}\Favorites.xml

Note: The x's will be random numbers and letters.

3. Double-click msnfav.vbs
- You have now generated a file called bookmark.htm, which is in the same folder
4. Open Internet Explorer
5. Go to File -> Import and Export
- Click Next
- Select Import Favorites
- Select "Import from a file or address"
- Click Browse button
- Navigate to bookmark.htm, which was created recently in step 3
- Select the file and click Save button
- Keep clicking next to finish the steps, then click Finished.

***** Check that all your favorites were imported into Internet Explorer. *****

Here are some browsers I recommend, as they provide more security when surfing the web, but they don't work with the odd site, which is why Internet Explorer is a good backup to have.

Both browsers give you the option to import your favorites/bookmarks from Internet Explorer. Let me know if you run into any problems during my instructions, and if you need help importing favorites if you choose Opera?
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-09-2007, 04:50 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hi forhockey,

I will give it a shot. Thanks for all of the help and advice on this posting - it is and was really appreciated!!

mjman
Old 07-09-2007, 06:32 PM   #17 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 21
OS: XP Media Center Home Edition


Re: Homepage in MSN lost to spyware!?!

Hi forhockey,

After I sent the earlier message I went to Explorer and opened MSN then hit MyMSN and signed in. I noticed at the top of the page a "Home" button. When I hovered over it a downward arrow appeared and I clicked the arrow. I was presented options including "Set the Home Page". I got out of the "Home" option and copied the info in the browser bar. I went back and signed into MSN as normal which of course redirected me to the Live Search page. I went to the Home option, clicked Set the Home Page, pasted the info from the Explorer browser bar and clicked OK. Went to the Home button and pressed it. It redirected me to 20%xxxxxxxxxxxxxxxxxx w/ the x's representing msn and the 20% was familiar as well but I was closer since the results of the Live Search now meant something. Deciding that Live Search was somehow "bent" I went to Favorites and went to a safe web page. From that page I went through the same Home, Set the Home Page routine. Clicked OK and hit the Home button and was redirected to my "real" home page. I quickly exited MSN to see if this change would be saved. Signed back on as normal and my real home page popped up again. Then I exited and did a restart of the computer to additionally save the change. When I signed in after the restart my real home page popped up. All of the additional efforts after resetting my Home Page were probably overkill but I did not want to be surprised at a later time that the reset did not work.
Anyway I wanted to contact you ASAP and let you know what I found as a possible future fix for other folks who contact you. Thanks to all of your efforts in cleaning my machine I feel that my home page is mine again. I know you sent me additional info on other browsers but I guess I have gotten comfortable w/ MSN and the incident that led me to your forum was the only time I had a similar problem.
Highest Regards,
mjman
Old 07-09-2007, 08:13 PM   #18 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: Homepage in MSN lost to spyware!?!

You're welcome mjman, and thanks for following up with the fix. Seems there is something new to learn every day. Maybe one day you will convert to another web browser.


It wouldn't be the same without listing my clean speech.

Well done, your logs are clean! There are just a few more things I would like you to do.

Reset Hidden/System Files and Folders
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files Folders.
  • Deselect the Show all files option.
  • Click Yes to confirm.
  • Click OK.

Reset System Restore

To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Clear IE6 cookies
  1. On the Internet Explorer 6 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
  2. On the General tab, in the Temporary Internet Files section, click the Delete Files button. This will delete all the files that are currently stored in your cache [that includes cookies too].
  3. Click OK, and then click OK again.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on its homepage.
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.
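To make concrete what the MVPS HOSTS file in the list above actually does (and what it does not), here is an added example that is not part of the thread and not the MVPS project's own code. It parses a HOSTS file the way the resolver reads it (comments stripped, several names per line allowed, first mapping for a name wins), lists the names sent to a sinkhole address such as 0.0.0.0 or 127.0.0.1, and separately lists names mapped to a real address, which is the pattern a hijacked HOSTS file uses to redirect update or security-vendor sites. The Windows path is an assumption taken from the default install, and the sample file with its `*.example.test` names is constructed for the demonstration, not a copy of any real blocklist.

```python
"""Parse a Windows HOSTS file and show what it blocks (added example, not from the thread)."""
import os
import ipaddress

# Addresses an MVPS-style HOSTS file maps unwanted names to so the connection goes nowhere.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately point at loopback and must not be reported as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Default Windows location; an assumption, and only read if the file exists.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")

# Constructed sample in the MVPS layout. Hostnames are placeholders, not real ad or malware sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.test            # [Adware] constructed entry
0.0.0.0  tracker.example.test
0.0.0.0  www.ads.example.test cdn.ads.example.test
# 0.0.0.0 commented.example.test     # commented out, so not in effect
10.0.0.5 intranet.example.test
"""


def parse_hosts(text):
    """Return {hostname (lower-case): address} for every live mapping in a HOSTS file.

    Comments (#) and blank lines are skipped, several names may share one line, and
    the first mapping for a name wins, which is how the resolver treats duplicates.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not "address name..." form; ignore rather than guess
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def sinkholed(mapping):
    """Hostnames the file sends to a sinkhole address, i.e. blocks."""
    return {name for name, addr in mapping.items()
            if addr in SINKHOLE_ADDRS and name not in LOOPBACK_NAMES}


def is_blocked(mapping, hostname):
    """True if this exact hostname is blocked. HOSTS matches whole names only:
    blocking ads.example.test does nothing for sub.ads.example.test."""
    return hostname.lower() in sinkholed(mapping)


def redirected(mapping):
    """Names mapped to a real (non-sinkhole) address. A hijacked HOSTS file often
    points update or security-vendor names at an attacker's server this way, so
    anything listed here deserves a look."""
    return {name: addr for name, addr in mapping.items()
            if addr not in SINKHOLE_ADDRS}


def load_hosts(path=WINDOWS_HOSTS):
    """Read the real file when present, otherwise fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    table = parse_hosts(load_hosts())
    print(f"{len(sinkholed(table))} hostname(s) sinkholed")
    for name, addr in sorted(redirected(table).items()):
        print(f"review: {name} -> {addr}")
    for probe in ("ads.example.test", "sub.ads.example.test"):
        print(f"{probe}: {'blocked' if is_blocked(table, probe) else 'not blocked'}")
```

Two practical points fall out of running it: a HOSTS entry blocks only the exact name, so a subdomain the list does not carry still resolves normally, and any entry that maps a name to a routable address rather than a sinkhole is worth checking by hand, since that is how a hijacked HOSTS file quietly redirects traffic.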

Copyright 2001 - 2009, Tech Support Forum