Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
#1 - 02-06-2008, 09:02 PM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

HJT Log

Ok, I wasn't able to do step 1 because I can't click on anything in my Control Panel (Add/Remove Programs), and if I do, nothing happens. I did step 2; it's in the attachments. The scan found 4 viruses, 1697 things of spyware, 3 hack tools, and 2 suspicious files. Steps 3 and 4 I can't do because if I download something my computer turns it into a .txt file instead of a .exe file and says Windows cannot open the program; it wants to know what program created it, so I cannot download the DSS that's needed. If I need to do anything else just tell me. THANKS A BUNCH
Attached Files
File Type: txt Activescan.txt (613.5 KB, 6 views)

Last edited by HyperLight; 02-06-2008 at 09:32 PM.
-- HyperLight

#2 - 02-10-2008, 01:28 AM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

It's been 72 hours so.... BUMP
-- HyperLight
#3 - 02-14-2008, 02:46 AM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

It's been another 72 hours, can anyone help me??????
-- HyperLight
#4 - 02-14-2008, 09:12 PM
forhockey, Analyst, Security Team | Join Date: Sep 2006 | Location: Ontario, Canada | Posts: 2,947 | OS: Windows 7 Ultimate

Re: HJT Log

Hi HyperLight,

Sorry for the delay, as we are extremely busy as you may have noticed. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

First, I'd like to get some samples of the infected files from your system before we begin.

Please submit each file to: http://www.bleepingcomputer.com/subm...php?channel=28

Copy only one line at a time from the list of files to be submitted below and paste it into the "Browse to the file you want to submit:" textbox.

In the comments box below, please type "forhockey".

Click "Send File".


List of files to be submitted:

c:\windows\system32\adsmsext.exe
C:\WINDOWS\system32\ZH8iyJm.exe
C:\WINDOWS\system32\a3d65227.exe
C:\WINDOWS\system32\fast.exe
C:\WINDOWS\system32\k.exe
C:\WINDOWS\Temp\M3Z9HbH2.exe
C:\WINDOWS\Temp\setup4.exe

---------------------------------------------

Please let me know once you've submitted all of the files.

Thanks.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 02-14-2008 at 09:17 PM.
-- forhockey
#5 - 02-15-2008, 12:42 AM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

Quote: Originally Posted by forhockey (post #4)
Ok forhockey, I've submitted everything you asked for. Thanks for your help; if I need to do anything further, just ask.
-- HyperLight
#6 - 02-15-2008, 04:51 PM
forhockey, Analyst, Security Team | Join Date: Sep 2006 | Location: Ontario, Canada | Posts: 2,947 | OS: Windows 7 Ultimate

Re: HJT Log

Hi HyperLight,

Thanks for submitting those files. We are going to have to go with what we see and try and solve this problem.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

--------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

--------------------------------------------------------------

Delete the following files and folders if they still exist.

Files:

c:\windows\system32\adsmsext.exe
c:\windows\system32\ciodm957.exe
c:\windows\ss3unstl.exe
C:\Documents and Settings\cameron\Shared\gimp Bittorrent downloader.zip
C:\Documents and Settings\max\Desktop\Setup(2).exe
C:\Documents and Settings\max\Desktop\Setup.exe
C:\WINDOWS\system32\a3d65227.exe
C:\WINDOWS\system32\cdosys51.exe
C:\WINDOWS\system32\ciadmin7.exe
C:\WINDOWS\system32\cmprops6.exe
C:\WINDOWS\system32\fast.exe
C:\WINDOWS\system32\hufbsty.dll
C:\WINDOWS\system32\k.exe
C:\WINDOWS\system32\ZH8iyJm.exe
C:\WINDOWS\Temp\F9pnZeVl.exe
C:\WINDOWS\Temp\M3Z9HbH2.exe
C:\WINDOWS\Temp\nF7j596R.exe
C:\WINDOWS\Temp\setup4.exe
C:\WINDOWS\Temp\Yec6kVP8.exe

Folders:

c:\Program Files\memorywatcher
c:\Program Files\common files\wintools
C:\Program Files\Screensavers.com


--------------------------------------------------------------

Restart your computer in Normal Mode

--------------------------------------------------------------

You may experience some error messages when you startup due to some of the infected files you've removed.


Let's see if executables still change into text files.

Please download HijackThis. This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Install" button. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis, since the entries may be harmless.


Also, please update me on how your system is behaving.

Last edited by forhockey; 02-15-2008 at 04:53 PM.
-- forhockey
#7 - 02-15-2008, 05:59 PM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

Quote: Originally Posted by forhockey (post #6)
Ok forhockey, I deleted everything you asked for, except my computer couldn't find c:\windows\system32\adsmsext.exe or C:\WINDOWS\system32\fast.exe. There was a C:\WINDOWS\system32\fastopen.exe; I wasn't sure if that was it, so I didn't delete it. I tried downloading HijackThis and it still turns it into a .txt file. I can't open it or anything, and when I click on Properties it says it's a .txt file, not a .exe.

My system is behaving ok, downloading a bit slower, but other than that I just can't download anything because it turns it into a .txt file, and I can't open Control Panel (or anything in it / Administrative Tools; can't mess with user accounts or anything).

Last edited by HyperLight; 02-15-2008 at 06:26 PM.
-- HyperLight
#8 - 02-16-2008, 12:10 PM
forhockey, Analyst, Security Team | Join Date: Sep 2006 | Location: Ontario, Canada | Posts: 2,947 | OS: Windows 7 Ultimate

Re: HJT Log

Hi HyperLight,

There is no need to quote everything I've said. It takes up more space in your reply.

---------------------------------------------------


Please download the following file: http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

**Save it to your desktop**


Right click on xp_exe_fix.zip and click "Extract Here".

Double click on the xp_exe_fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Next, try to follow my previous instructions for HijackThis.
-- forhockey
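The .reg merge above works by rewriting the registry keys that map the .exe extension to its "open" command. As an added example (not from the thread, and not the contents of the linked xp_exe_fix.zip), the script below parses a .reg file and lists exactly which keys it would write, so a fix file can be checked before it is merged; the expected XP values and both sample .reg texts are assumptions constructed here.

```python
"""Audit a Windows .reg file before merging it.

Added example, not from the thread and not the contents of xp_exe_fix.zip:
the thread repairs a broken .exe association by merging a .reg file, and this
script lists which keys such a file writes and checks that they are the ones
a .exe fix should touch. GOOD_FIX and SUSPECT_FIX are constructed samples.
"""
import re

# Values Windows XP uses for a healthy .exe association (assumed baseline).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}
# A .exe association fix has no business writing anywhere else.
ALLOWED_KEYS = (r"HKEY_CLASSES_ROOT\.exe", r"HKEY_CLASSES_ROOT\exefile")

# @=... for the default value, "name"=... for named values.
VALUE_RE = re.compile(r'(@|"((?:[^"\\]|\\.)*)")=(.*)')


def unescape(s):
    r"""Undo .reg string escaping (\\ becomes \ and \" becomes ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}}; a key mapped to None is a [-key] deletion.

    String data is unescaped; dword:/hex: data is kept raw. Multi-line hex
    continuations are not handled, so they raise rather than parse silently.
    """
    lines = text.splitlines()
    header = next((l.strip() for l in lines if l.strip()), "")
    if header not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("not a .reg file, header is %r" % header)
    keys, current = {}, None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";") or line == header:
            continue
        m = re.fullmatch(r"\[(-?)([^\]]+)\]", line)
        if m:
            current = m.group(2)
            keys[current] = None if m.group(1) else {}
            continue
        if current is None or keys[current] is None:
            raise ValueError("value outside a key: %r" % line)
        m = VALUE_RE.fullmatch(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def audit(text):
    """Return findings; an empty list means the file only restores the .exe association."""
    findings = []
    keys = parse_reg(text)
    for key, values in keys.items():
        in_scope = any(key == k or key.startswith(k + "\\") for k in ALLOWED_KEYS)
        if not in_scope:
            findings.append("writes outside the .exe association: %s" % key)
        if values is None:
            findings.append("deletes key: %s" % key)
    for key, expected in EXPECTED.items():
        values = keys.get(key) or {}
        for name, want in expected.items():
            got = values.get(name)
            if got != want:
                findings.append("%s %s is %r, expected %r" % (key, name, got, want))
    return findings


# Constructed sample: what a legitimate XP .exe association fix looks like.
GOOD_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample: the same fix with an unrelated autostart entry added.
SUSPECT_FIX = GOOD_FIX + r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\placeholder\\updater.exe"
'''

if __name__ == "__main__":
    for label, text in (("good", GOOD_FIX), ("suspect", SUSPECT_FIX)):
        print(label, audit(text) or "OK")
```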
#9 - 02-16-2008, 07:48 PM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

Sorry about that, Hockey. Ummmm, that worked, so here are the results of the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:08 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\MotorolaDAP.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O2 - BHO: (no name) - @$¬WARE - (no file)
O2 - BHO: (no name) - er - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - `=¬07962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - =¬497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - ¨¬¨¬4-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - °>¬WARE - (no file)
O2 - BHO: (no name) - ˆ$¬4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [f85403d8c76b] C:\WINDOWS\system32\ciodm957.exe
O4 - HKLM\..\Run: [89916776bf62] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107110660\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107110660\ee\SSCRun.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?ead4f59390bf4b2f93585fb48438ba1d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?ead4f59390bf4b2f93585fb48438ba1d
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://216.212.195.165/plugin/h263ctrl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - Unknown owner - C:\Program Files\Common Files\AOL\1107110660\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11665 bytes
-- HyperLight
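An added example, not part of the thread and not a feature of HijackThis itself: a small parser that runs the checks an analyst makes by eye over lines taken from the log above (O4 Run entries with random hex names, O2 BHO entries with a malformed or orphaned CLSID, O16 ActiveX downloads from a bare IP address, and R1 search settings pointing outside an assumed allowlist of hosts). The heuristics and the allowlist are assumptions, not rules from the thread.

```python
"""Triage heuristics for a HijackThis (HJT) v2 log.

Added example, not part of the thread and not something HijackThis itself does:
a small parser that applies, over lines taken from the log above, the checks an
analyst makes by eye. The heuristics and the allowlist of expected search hosts
are assumptions, not rules from the thread.
"""
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{10,}$")          # e.g. [f85403d8c76b]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
O4_RE = re.compile(r"^O4 - (\S+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def check_r(line, expected_hosts):
    """R0/R1: IE search settings that point at a host outside the allowlist."""
    key, _, url = line.partition(" = ")
    host = host_of(url)
    if "Search" not in key or not host:
        return None
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        return "IE search setting points at unexpected host %s" % host
    return None


def check_o2(line):
    """O2: browser helper objects with a malformed CLSID or no backing file."""
    parts = line.split(" - ")
    if len(parts) < 4:
        return None
    clsid, path = parts[2], parts[-1]
    if not GUID_RE.match(clsid):
        return "BHO entry with malformed CLSID %r" % clsid
    if path == "(no file)":
        return "orphaned BHO %s (no file on disk)" % clsid
    return None


def check_o4(line):
    """O4: autostart entries with random hex names or launched from Temp."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, command = m.group(3), m.group(4)
    if HEX_NAME_RE.match(name.lower()):
        return "Run entry with random-looking name [%s]" % name
    if "\\temp\\" in command.lower():
        return "Run entry launching from a Temp directory"
    return None


def check_o16(line):
    """O16: ActiveX downloads (DPF) fetched from a bare IP address."""
    host = host_of(line.rsplit(" - ", 1)[-1])
    if host and IPV4_RE.match(host):
        return "ActiveX control downloaded from bare IP %s" % host
    return None


def triage(log, expected_hosts=("yahoo.com", "microsoft.com")):
    """Return (section, reason, line) for every log line a heuristic flags."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1"):
            reason = check_r(line, expected_hosts)
        elif kind == "O2":
            reason = check_o2(line)
        elif kind == "O4":
            reason = check_o4(line)
        elif kind == "O16":
            reason = check_o16(line)
        else:
            reason = None
        if reason:
            findings.append((kind, reason, line))
    return findings


# Lines copied from the HJT log in this thread (post #9), with benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [f85403d8c76b] C:\WINDOWS\system32\ciodm957.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://216.212.195.165/plugin/h263ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (section, reason, line))
```

Flagged lines are leads for the analyst, not verdicts: the orphaned BHO and the hex-named Run entry in this log are exactly the items forhockey asked to have deleted, while the McAfee and ctfmon entries pass untouched.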
#10 - 02-16-2008, 10:52 PM
forhockey, Analyst, Security Team | Join Date: Sep 2006 | Location: Ontario, Canada | Posts: 2,947 | OS: Windows 7 Ultimate

Re: HJT Log

Not a problem.... Now that we are making some progress, I'd like to bring in DSS.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply:
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
     C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
-- forhockey
#11 - 02-17-2008, 10:28 AM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

Ok, ran into a little problem. I can run DSS but it gets hung up on backing up registry hives (expected, I suppose), but then it continues to cleaning up temporary files (it's on there for a split second) and I get an error message saying "dss.exe has encountered a problem and needs to close". I've tried it over and over (7 or 8 times at least).
-- HyperLight
#12 - 02-17-2008, 11:29 AM
forhockey, Analyst, Security Team | Join Date: Sep 2006 | Location: Ontario, Canada | Posts: 2,947 | OS: Windows 7 Ultimate

Re: HJT Log

Hi HyperLight,

Please run Deckard's System Scanner again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"
Uncheck "Temp Cleanup"

Click Scan!

Please post the results from main.txt and attach the extra.txt log.

Thanks
-- forhockey
#13 - 02-17-2008, 03:12 PM
Registered User | Join Date: Feb 2008 | Posts: 24 | OS: xp

Re: HJT Log

Deckard's System Scanner v20071014.68
Run by anthony mckenzie on 2008-02-17 17:04:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
86: 2008-02-17 17:10:30 UTC - RP814 - Deckard's System Scanner Restore Point
85: 2008-02-17 07:17:30 UTC - RP813 - Software Distribution Service 3.0
84: 2008-02-17 07:14:05 UTC - RP812 - Software Distribution Service 3.0
83: 2008-02-16 11:59:58 UTC - RP811 - System Checkpoint
82: 2008-02-15 08:59:50 UTC - RP810 - System Checkpoint


-- First Restore Point --
1: 2007-11-19 22:53:01 UTC - RP729 - System Checkpoint


Backed up registry hives.



-- HijackThis (run as anthony mckenzie.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 506 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\MotorolaDAP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AMERIC~1.0A\waol.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\AOL\1107110660\ee\aolsoftware.exe
C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
c:\program files\common files\aol\1107110660\ee\anotify.exe
C:\Program Files\Common Files\AOL\1107110660\ee\aolsoftware.exe
C:\Documents and Settings\anthony mckenzie\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\anthony mckenzie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - @$¬WARE - (no file)
O2 - BHO: (no name) - er - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - `=¬07962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - =¬497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - ¨¬¨¬4-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - °>¬WARE - (no file)
O2 - BHO: (no name) - ˆ$¬4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [f85403d8c76b] C:\WINDOWS\system32\ciodm957.exe
O4 - HKLM\..\Run: [89916776bf62] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107110660\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107110660\ee\SSCRun.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [JBqERRetR] dxttract.exe
O4 - HKCU\..\Run: [Bhflcyx] C:\WINDOWS\system32\fast.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1275210071-764733703-839522115-1012\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'cameron')
O4 - HKUS\S-1-5-21-1275210071-764733703-839522115-1012\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'cameron')
O4 - HKUS\S-1-5-21-1275210071-764733703-839522115-1012\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'cameron')
O4 - HKUS\S-1-5-21-1275210071-764733703-839522115-1012\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'cameron')
O4 - HKUS\S-1-5-21-1275210071-764733703-839522115-1012\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'cameron')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm118YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7c2a160b449f470084314d828b259c78
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7c2a160b449f470084314d828b259c78
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://216.212.195.165/plugin/h263ctrl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - Unknown owner - C:\Program Files\Common Files\AOL\1107110660\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12651 bytes

-- File Associations -----------------------------------------------------------

.cmd - .txt - DefaultIcon - unable to read value
.cmd - .txt - shell\open\command - unable to read value
.cmd - .txt - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 YPN30F - c:\windows\system32\drivers\ypn30f.sys <Not Verified; Samsung Electronics Co., LTD.; Samsung YP-N30>
R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 CA561 (Micro Webcam) - c:\windows\system32\drivers\spca561.sys <Not Verified; SP; Microsoft(R) Windows NT(R) Operating System>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
S4 spcstb - c:\windows\system32\drivers\spcstb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 MotorolaDAP (Motorola Digital Audio Player Manager) - c:\windows\system32\motoroladap.exe <Not Verified; Motorola Inc.; Motorola Digital Audio Player Manager>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 aolavupd (AOL Antivirus Update Service) - "c:\program files\common files\aol\1107110660\ee\services\sscfirewallplugin\ver1_205_1_1\aolavupd.exe" (file missing)
S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Westell WireSpeed Dual Connect Modem
Device ID: USB\VID_06A9&PID_0005\07B404386397
Manufacturer:
Name: Westell WireSpeed Dual Connect Modem
PNP Device ID: USB\VID_06A9&PID_0005\07B404386397
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 8088)
2004-11-19 12:54:26 77824 --a------ C:\Program Files\Common Files\aolshare\aolshcpy.dll <Not Verified; America Online Inc.; aolshcpy Module>


-- Scheduled Tasks -------------------------------------------------------------

2008-02-17 17:00 512 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-kelly mckenzie).job
2008-02-17 17:05:36 388 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5CBB1D54-07E4-4600-9333-DD9AF7B3DB96}.job
2008-02-17 17:05:36 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-kids).job
2008-02-17 17:05:36 516 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-anthony mckenzie).job
2008-02-17 17:04:00 504 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-Visitors !).job
2008-02-17 17:04:00 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-Kristi).job
2008-02-17 17:04:00 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-ashley).job
2008-02-17 17:03:00 498 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-cameron).job
2008-02-17 16:52:00 258 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-02-17 09:00:00 216 --a------ C:\WINDOWS\Tasks\rundll32.job
2008-02-17 09:00:00 166 --a------ C:\WINDOWS\Tasks\New Task.job


-- Files created between 2008-01-17 and 2008-02-17 -----------------------------

2008-02-17 02:08:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Viewpoint
2008-02-16 21:45:29 0 d-------- C:\Program Files\Trend Micro
2008-02-06 16:58:58 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-06 16:40:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 15:07:57 0 d-------- C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-06 01:07:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-06 01:07:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-06 01:07:32 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-06 01:07:32 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-06 01:07:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-06 01:07:32 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-06 01:07:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-06 01:07:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-06 01:07:31 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-02-06 21:51:10 0 d-------- C:\Program Files\Zune
2008-02-06 21:50:27 0 d-------- C:\Program Files\Windows Live Toolbar
2008-02-06 21:45:21 0 d-------- C:\Program Files\MSN Messenger
2008-02-06 21:38:24 0 d-------- C:\Program Files\Common Files\aolshare


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [08/27/2003 10:00 AM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [08/21/2003 05:10 PM]
"f85403d8c76b"="C:\WINDOWS\system32\ciodm957.exe" []
"89916776bf62"="C:\WINDOWS\system32\adsmsext.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1107110660\ee\AOLSoftware.exe" [09/25/2006 07:52 PM]
"OASClnt"="C:\Program Files\mcafee.com\antivirus\oasclnt.exe" [08/18/2005 03:57 PM]
"EmailScan"="C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" [10/19/2005 11:13 AM]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [03/07/2006 03:05 PM]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [08/08/2003 05:02 PM]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [08/17/2003 08:50 PM]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" []
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe" [11/20/2006 03:42 PM]
"sscRun"="C:\Program Files\Common Files\AOL\1107110660\ee\SSCRun.exe" [11/20/2006 03:42 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/07/2004 08:47 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 02:56 AM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [11/15/2007 09:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JBqERRetR"="dxttract.exe" []
"Bhflcyx"="C:\WINDOWS\system32\fast.exe" [01/11/2005 09:11 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"AOL Fast Start"="C:\PROGRA~1\AMERIC~1.0A\AOL.exe" [07/12/2005 05:17 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 11:54 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\anthony mckenzie\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [8/8/2004 12:15:03 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98245f417131]
C:\WINDOWS\system32\a3d65227.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A9Vy6]
C:\documents and settings\anthony mckenzie\local settings\temp\A9Vy6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
"C:\Program Files\AIM\AIM Pro\aimpro.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1107110660\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DK]
C:\documents and settings\anthony mckenzie\local settings\temp\DK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESUYY]
C:\documents and settings\anthony mckenzie\local settings\temp\ESUYY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jcAAtqfLJ]
C:\documents and settings\anthony mckenzie\local settings\temp\jcAAtqfLJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k]
C:\windows\system32\k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lT]
C:\documents and settings\anthony mckenzie\local settings\temp\lT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mVKM.exe]
c:\windows\system32\mVKM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Otdr5A3dZ]
C:\documents and settings\anthony mckenzie\local settings\temp\Otdr5A3dZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1107110660\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\W5S]
C:\documents and settings\anthony mckenzie\local settings\temp\W5S.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yG8D]
C:\documents and settings\anthony mckenzie\local settings\temp\yG8D.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZH8iyJm]
C:\windows\system32\ZH8iyJm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"




-- End of Deckard's System Scanner: finished at 2008-02-17 17:08:38 ------------
Attached Files
File Type: txt extra.txt (25.7 KB, 3 views)
Old 02-18-2008, 11:53 AM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: HJT Log

Hi HyperLight,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98245f417131]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A9Vy6]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESUYY]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jcAAtqfLJ]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lT]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mVKM.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Otdr5A3dZ]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\W5S]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yG8D]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZH8iyJm]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------

P2P Software

I see you have P2P software ( BearShare) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

BearShare
BearShare MediaBar

WeatherBug <<<the free version is ad-supported containing both banner and pop-up ads.

Additional info: http://ww3.weatherbug.com/aws/default.asp?cid=306

Viewpoint Manager
Viewpoint Media Player <<<this is considered foistware instead of malware since it is installed without the user's approval, but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

--------------------------------------------------------------

Download and install CleanUp! but do not run it yet.

--------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting Windows in Safe Mode; click OK and Windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - @$¬WARE - (no file)
O2 - BHO: (no name) - er - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - `=¬07962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - =¬497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - ¨¬¨¬4-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - °>¬WARE - (no file)
O2 - BHO: (no name) - ˆ$¬4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file)
O4 - HKLM\..\Run: [f85403d8c76b] C:\WINDOWS\system32\ciodm957.exe
O4 - HKLM\..\Run: [89916776bf62] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [JBqERRetR] dxttract.exe
O4 - HKCU\..\Run: [Bhflcyx] C:\WINDOWS\system32\fast.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm118YYUS
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

--------------------------------------------------------------

Restart your computer in Normal Mode

--------------------------------------------------------------

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\fast.exe
    C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint
    C:\WINDOWS\system32\SearchBar.htm
    C:\Program Files\MyWebSearch
    C:\WINDOWS\system32\a3d65227.exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

--------------------------------------------------------------

Please run Deckard's System Scanner again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"
Uncheck "Temp Cleanup"

Click Scan!

This time only post the results from main.txt log.

--------------------------------------------------------------

Please reply back with the following:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
main.txt (from DSS)
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 02-18-2008 at 11:55 AM.
Old 02-22-2008, 10:45 PM   #15 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 24
OS: xp


Re: HJT Log

Sorry it took a while for me to reply back, I've been looking for a job. Anyway, I might have done something bad.... when the OTMoveIt2 finished running I accidentally rebooted it without copying what had happened. Hope that's not too bad, sorry about that. Here are the results from the DSS scan.



Deckard's System Scanner v20071014.68
Run by anthony mckenzie on 2008-02-23 00:38:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2008-02-23 05:39:09 UTC - RP821 - Deckard's System Scanner Restore Point
87: 2008-02-22 03:41:47 UTC - RP820 - System Checkpoint
86: 2008-02-21 02:21:03 UTC - RP819 - Software Distribution Service 3.0
85: 2008-02-20 23:14:36 UTC - RP818 - Removed Adobe Photoshop Album 2.0 Starter Edition
84: 2008-02-20 17:56:06 UTC - RP817 - System Checkpoint


-- First Restore Point --
1: 2007-11-26 00:54:12 UTC - RP734 - System Checkpoint




-- HijackThis (run as anthony mckenzie.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:23 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\MotorolaDAP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1107110660\ee\AOLSoftware.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\AOL\1107110660\ee\aolsoftware.exe
c:\program files\common files\aol\1107110660\ee\anotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anthony mckenzie\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ANTHON~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107110660\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107110660\ee\SSCRun.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7c2a160b449f470084314d828b259c78
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7c2a160b449f470084314d828b259c78
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://216.212.195.165/plugin/h263ctrl.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - Unknown owner - C:\Program Files\Common Files\AOL\1107110660\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9628 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080222-233956-236 O4 - HKLM\..\Run: [f85403d8c76b] C:\WINDOWS\system32\ciodm957.exe
backup-20080222-233956-249 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080222-233956-314 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
backup-20080222-233956-315 O4 - HKLM\..\Run: [89916776bf62] C:\WINDOWS\system32\adsmsext.exe
backup-20080222-233956-355 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm118YYUS
backup-20080222-233956-395 O2 - BHO: (no name) - `=¬07962-6F74-2D53-2644-206D7942484F} - (no file)
backup-20080222-233956-454 O2 - BHO: (no name) - ˆ$¬4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file)
backup-20080222-233956-461 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
backup-20080222-233956-473 O4 - HKCU\..\Run: [Bhflcyx] C:\WINDOWS\system32\fast.exe
backup-20080222-233956-490 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
backup-20080222-233956-507 O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
backup-20080222-233956-522 O4 - HKCU\..\Run: [JBqERRetR] dxttract.exe
backup-20080222-233956-535 O2 - BHO: (no name) - ¨¬¨¬4-4C02-4ABF-8ECC-5164760863C6} - (no file)
backup-20080222-233956-666 O2 - BHO: (no name) - er - (no file)
backup-20080222-233956-708 O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
backup-20080222-233956-750 O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
backup-20080222-233956-774 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
backup-20080222-233956-807 O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (file missing)
backup-20080222-233956-810 O2 - BHO: (no name) - °>¬WARE - (no file)
backup-20080222-233956-825 O2 - BHO: (no name) - =¬497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
backup-20080222-233956-847 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
backup-20080222-233956-871 O2 - BHO: (no name) - SOFTWARE - (no file)
backup-20080222-233956-911 O2 - BHO: (no name) - @$¬WARE - (no file)
backup-20080222-233956-918 R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
backup-20080222-233957-910 O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

-- File Associations -----------------------------------------------------------

.cmd - .txt - DefaultIcon - unable to read value
.cmd - .txt - shell\open\command - unable to read value
.cmd - .txt - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 YPN30F - c:\windows\system32\drivers\ypn30f.sys <Not Verified; Samsung Electronics Co., LTD.; Samsung YP-N30>
R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 CA561 (Micro Webcam) - c:\windows\system32\drivers\spca561.sys <Not Verified; SP; Microsoft(R) Windows NT(R) Operating System>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
S4 spcstb - c:\windows\system32\drivers\spcstb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 MotorolaDAP (Motorola Digital Audio Player Manager) - c:\windows\system32\motoroladap.exe <Not Verified; Motorola Inc.; Motorola Digital Audio Player Manager>

S2 aolavupd (AOL Antivirus Update Service) - "c:\program files\common files\aol\1107110660\ee\services\sscfirewallplugin\ver1_205_1_1\aolavupd.exe" (file missing)
S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Westell WireSpeed Dual Connect Modem
Device ID: USB\VID_06A9&PID_0005\07B404386397
Manufacturer:
Name: Westell WireSpeed Dual Connect Modem
PNP Device ID: USB\VID_06A9&PID_0005\07B404386397
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 2544)
2004-11-19 12:54:26 77824 --a------ C:\Program Files\Common Files\aolshare\aolshcpy.dll <Not Verified; America Online Inc.; aolshcpy Module>


-- Scheduled Tasks -------------------------------------------------------------

2008-02-23 00:40:00 388 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5CBB1D54-07E4-4600-9333-DD9AF7B3DB96}.job
2008-02-23 00:39:00 504 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-Visitors !).job
2008-02-23 00:39:00 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-Kristi).job
2008-02-23 00:39:00 498 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-cameron).job
2008-02-23 00:38:00 490 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-max).job
2008-02-23 00:38:00 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-kids).job
2008-02-23 00:38:00 516 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-anthony mckenzie).job
2008-02-23 00:37:00 512 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-kelly mckenzie).job
2008-02-23 00:37:00 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DDZZVS11-ashley).job
2008-02-22 22:52:00 258 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-02-21 09:00:00 216 --a------ C:\WINDOWS\Tasks\rundll32.job
2008-02-21 09:00:00 166 --a------ C:\WINDOWS\Tasks\New Task.job


-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-20 23:57:17 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-20 23:49:11 0 d-------- C:\Program Files\Bonjour
2008-02-20 23:23:40 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-20 17:53:39 0 d-------- C:\Program Files\Driver-Soft
2008-02-20 17:37:58 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-02-17 02:08:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Viewpoint
2008-02-16 21:45:29 0 d-------- C:\Program Files\Trend Micro
2008-02-06 16:58:58 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-06 16:40:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-06 01:07:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-06 01:07:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-06 01:07:32 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-06 01:07:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-06 01:07:32 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-06 01:07:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-06 01:07:32 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-06 01:07:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-06 01:07:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-06 01:07:31 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-02-20 23:49:02 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-20 23:23:40 0 d-------- C:\Program Files\Common Files
2008-02-20 18:18:24 0 d-------- C:\Program Files\Viewpoint
2008-02-20 18:17:17 0 d-------- C:\Program Files\AWS
2008-02-06 21:51:10 0 d-------- C:\Program Files\Zune
2008-02-06 21:50:27 0 d-------- C:\Program Files\Windows Live Toolbar
2008-02-06 21:45:21 0 d-------- C:\Program Files\MSN Messenger
2008-02-06 21:38:24 0 d-------- C:\Program Files\Common Files\aolshare


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [08/27/2003 10:00 AM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [08/21/2003 05:10 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1107110660\ee\AOLSoftware.exe" [09/25/2006 07:52 PM]
"OASClnt"="C:\Program Files\mcafee.com\antivirus\oasclnt.exe" [08/18/2005 03:57 PM]
"EmailScan"="C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" [10/19/2005 11:13 AM]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [03/07/2006 03:05 PM]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [08/08/2003 05:02 PM]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [08/17/2003 08:50 PM]
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1107110660\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe" [11/20/2006 03:42 PM]
"sscRun"="C:\Program Files\Common Files\AOL\1107110660\ee\SSCRun.exe" [11/20/2006 03:42 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/07/2004 08:47 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 02:56 AM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [11/15/2007 09:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 11:54 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\anthony mckenzie\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [8/8/2004 12:15:03 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
"C:\Program Files\AIM\AIM Pro\aimpro.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1107110660\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DK]
C:\documents and settings\anthony mckenzie\local settings\temp\DK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1107110660\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"




-- End of Deckard's System Scanner: finished at 2008-02-23 00:41:21 ------------
Old 02-23-2008, 11:49 AM   #16 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: HJT Log

Hi HyperLight,

Not a problem. We can still easily find the log.

Please navigate to the following folder to find the log:


c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log


Where mmddyyyy_hhmmss is the date of the tool run.

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please reply back with the following logs:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Panda Online Scan Results
How is the system behaving?
Old 02-24-2008, 06:17 AM   #17 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 24
OS: xp


Re: HJT Log

System is behaving fine.... but that scan says I still have malware and I had 1 virus... anyway, here are the results from the scans; first is the OTMoveIt.

File move failed. C:\WINDOWS\system32\fast.exe scheduled to be moved on reboot.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 moved successfully.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 moved successfully.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 moved successfully.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 moved successfully.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint\Viewpoint Experience Technology\Resources moved successfully.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint\Viewpoint Experience Technology moved successfully.
C:\Documents and Settings\anthony mckenzie\Application Data\Viewpoint moved successfully.
File/Folder C:\WINDOWS\system32\SearchBar.htm not found.
File/Folder C:\Program Files\MyWebSearch not found.
File/Folder C:\WINDOWS\system32\a3d65227.exe not found.

OTMoveIt2 v1.0.20 log created on 02232008_003004

Panda ActiveScan is attached... Thanks for all of your help, I greatly appreciate it.
Attached Files
File Type: txt Activescan.txt (494.1 KB, 1 views)
Old 02-24-2008, 10:22 AM   #18 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: HJT Log

Hi HyperLight,

Most of what is showing in your logs are tracking cookies and temp files, which we will take care of in this fix.

--------------------------------------------------------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

--------------------------------------------------------------

Please download ATF Cleaner

* Close all opened web browsers
* Double-click ATF-Cleaner.exe to run the program.
* Click Select All found at the bottom of the list.
* Click the Empty Selected button.

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

* Click Opera at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

--------------------------------------------------------------

Please reply back with the following:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log Where mmddyyyy_hhmmss is the date of the tool run.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 02-24-2008, 11:27 AM   #19 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 24
OS: xp


Re: HJT Log

Ok, I ran the ATF Cleaner and it freed 152 megabytes, and here are the results of the OTMoveIt2 scan:


LoadLibrary failed for C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll
C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll NOT unregistered.
C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll moved successfully.

OTMoveIt2 v1.0.20 log created on 02242008_132214
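The OTMoveIt2 procedure in post #18 asks for a pasted list of paths and gives back a results window; post #19 shows what those results look like. The helper's real job at that point is to confirm that every path that was requested actually has an outcome in the log. The script below does that check. It is an added example, not part of the thread and not OTMoveIt2's own code; the only line formats it knows are the ones visible in this thread ("moved successfully.", "File/Folder ... not found.", "LoadLibrary failed for ...", "NOT unregistered."), and anything else is reported as unrecognised rather than guessed at. The sample log is the one posted in this thread.

```python
"""Check an OTMoveIt2 results log against the list of paths that was
pasted into the tool.

Added example, not part of the thread or of OTMoveIt2 itself.  The line
patterns are those visible in the thread's results; any other line is
reported back as unrecognised instead of being interpreted.
"""
import re

# Outcome lines as they appear in the thread's OTMoveIt2 results.
_PATTERNS = [
    ("moved", re.compile(r"^(?P<path>.+?) moved successfully\.$")),
    ("not_found", re.compile(r"^File/Folder (?P<path>.+?) not found\.$")),
    ("loadlibrary_failed", re.compile(r"^LoadLibrary failed for (?P<path>.+)$")),
    ("not_unregistered", re.compile(r"^(?P<path>.+?) NOT unregistered\.$")),
]
# Trailer line OTMoveIt2 writes at the end of every results log.
_FOOTER = re.compile(r"^OTMoveIt2 v[\d.]+ log created on \d{8}_\d{6}$")

# Sample taken from the results posted in this thread (post #19).
SAMPLE_LOG = r"""
LoadLibrary failed for C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll
C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll NOT unregistered.
C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll moved successfully.

OTMoveIt2 v1.0.20 log created on 02242008_132214
"""
# The list that was pasted into the "Paste List of Files/Folders" box.
SAMPLE_REQUEST = [r"C:\Documents and Settings\anthony mckenzie\Application Data\tvmcwrd.dll"]


def parse_otmoveit_log(text):
    """Return (events, unrecognised): events is a list of (status, path)."""
    events, unrecognised = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _FOOTER.match(line):
            continue
        for status, pattern in _PATTERNS:
            match = pattern.match(line)
            if match:
                events.append((status, match.group("path")))
                break
        else:
            unrecognised.append(line)
    return events, unrecognised


def verify_moves(requested, log_text):
    """Classify every requested path by what the log says happened to it.

    Paths are compared case-insensitively because NTFS paths are.  A path
    counts as handled when it was moved or reported not found.  A
    'NOT unregistered' line is only a warning: the thread shows the DLL
    still being moved right after it.  Returns a dict with the keys
    'moved', 'not_found', 'unhandled' (requested, but no outcome line at
    all) and 'warnings' (unregister failures and unrecognised lines).
    """
    events, unrecognised = parse_otmoveit_log(log_text)
    by_path = {}
    for status, path in events:
        by_path.setdefault(path.lower(), set()).add(status)

    result = {"moved": [], "not_found": [], "unhandled": [], "warnings": list(unrecognised)}
    for req in requested:
        statuses = by_path.get(req.strip().lower(), set())
        if "moved" in statuses:
            result["moved"].append(req)
        elif "not_found" in statuses:
            result["not_found"].append(req)
        else:
            result["unhandled"].append(req)
        if "not_unregistered" in statuses:
            result["warnings"].append(f"{req}: DLL could not be unregistered before the move")
    return result


if __name__ == "__main__":
    for key, value in verify_moves(SAMPLE_REQUEST, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Anything landing in `unhandled` means the tool never reported on that path, which is the case where a reboot-to-finish prompt was likely dismissed or the list was pasted incompletely, and is worth asking the poster about before calling the log clean.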
Old 02-24-2008, 01:04 PM   #20 (permalink)
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate

Re: HJT Log

Hi HyperLight,

Well done, your logs are clean! There are just a few more things I would like you to do.
  • Double click on OTMoveIt2.exe
  • Click on the Cleanup! button.
  • You will then be prompted to begin the cleanup process. Click Yes.
  • Close OTMoveIt2 after the task has completed.


Reset System Restore

To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.
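The MVPS HOSTS file works because Windows consults HOSTS before DNS and takes the first matching line, so a name pinned to an unroutable address never reaches the real server. The script below is an added example (not part of the thread and not the MVPS project's code) that parses HOSTS syntax the way the resolver does and shows both sides of the mechanism: the block-list case, and the caveat that the same file can be turned against you when malware points a legitimate name at a routable address. The sample entries, hostnames and the 203.0.113.5 address are constructed for illustration and are not copied from the real MVPS file.

```python
"""How a HOSTS-file block list works, and what a hijacked entry looks like.

Added example, not part of the thread and not the MVPS project's code.
Syntax handled: one IP followed by one or more hostnames per line, with
'#' starting a comment.  Lookup is first-match, case-insensitive, and a
miss means 'fall through to DNS', which is how the OS resolver behaves.
"""
from typing import List, Optional, Tuple

# Addresses a block list may legitimately pin a name to: nothing can be
# reached there, so the request dies on the machine itself.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample.  The localhost lines are what a default Windows
# HOSTS file contains; the .invalid names and 203.0.113.5 (a documentation
# address) are made up for this example.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example-tracker.invalid   # constructed: blocked ad host
0.0.0.0  cdn.example-tracker.invalid banner.example-tracker.invalid
0.0.0.0
203.0.113.5  update.example-vendor.invalid   # constructed: hijack of a real-looking name
"""

Entry = Tuple[str, str]


def parse_hosts(text: str) -> List[Entry]:
    """Return an ordered list of (ip, hostname) pairs, comments stripped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed: an IP with no name
        ip, names = parts[0], parts[1:]
        for name in names:                     # one line may list several names
            entries.append((ip, name.lower()))
    return entries


def hosts_lookup(entries: List[Entry], hostname: str) -> Optional[str]:
    """First matching entry wins; None means the OS would go on to DNS."""
    wanted = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == wanted:
            return ip
    return None


def is_blackholed(entries: List[Entry], hostname: str) -> bool:
    """True when the file pins the name to an address nothing can answer on."""
    wanted = hostname.lower().rstrip(".")
    if wanted == "localhost":                  # the OS's own loopback entry is not a block
        return False
    return hosts_lookup(entries, wanted) in BLACKHOLE_ADDRESSES


def routable_overrides(entries: List[Entry]) -> List[Entry]:
    """Entries that send a name to a real address instead of a blackhole.

    A block list only ever needs 0.0.0.0 or loopback.  A line that points a
    vendor, bank or update hostname at a routable address is the classic
    HOSTS hijack (HijackThis lists these under O1) and deserves a look.
    """
    return [(ip, name) for ip, name in entries if ip not in BLACKHOLE_ADDRESSES]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "www.example.com", "localhost"):
        print(f"{name}: hosts={hosts_lookup(hosts, name)} blocked={is_blackholed(hosts, name)}")
    print("routable overrides:", routable_overrides(hosts))
```

Run it against a real machine by reading `%SystemRoot%\System32\drivers\etc\hosts` into `parse_hosts`; after installing the MVPS file, `routable_overrides` should come back empty, and anything it does return is exactly what a helper would want explained before a thread is marked resolved.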

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Informational Reading

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
Please respond to this thread one more time so we can mark this thread as resolved.

Last edited by forhockey; 02-24-2008 at 01:06 PM.
Copyright 2001 - 2009, Tech Support Forum