#1
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Multiple pop ups and spyware problems
I am having things pop up like: Trojan-Spy.Win32@mx, Win32.Netsky.P@mm, SpyWorm.Win32, ipexewin.exe, audiopitusr.exe, exeiptransfer.exe, Backdoor.Ginwui.A and Win32.Bagle.FJ. Also I am getting messages from AntiSpyCheck Alert and a pop up that says System Alert: Malware threats. I was able to update but when running Panda Activescan 2.0 I could not get a registration email, so I ran it without registration.
Deckard's System Scanner v20071014.68
Run by Jim on 2008-08-10 17:47:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
58: 2008-08-10 21:47:18 UTC - RP1718 - Deckard's System Scanner Restore Point
57: 2008-08-10 21:24:04 UTC - RP1717 - Software Distribution Service 3.0
56: 2008-08-10 20:32:48 UTC - RP1716 - Software Distribution Service 3.0
55: 2008-08-10 20:04:57 UTC - RP1715 - Software Distribution Service 3.0
54: 2008-08-08 18:50:56 UTC - RP1714 - System Checkpoint

-- First Restore Point --
1: 2008-06-02 06 59 UTC - RP1661 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-10 17:51:30
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ubpr01.exe
C:\Program Files\ASpyC\ASpyC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Applications\wcm.exe
C:\Program Files\Applications\iebtmm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Documents and Settings\Jim\Desktop\dss.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: 995937 helper - {1E1465F3-56CF-4FC4-8684-1BD6245AA30D} - C:\WINDOWS\SYSTEM32\995937\995937.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {C7FF97C5-161B-4E80-A8B6-98A75BA9A9B1} - C:\WINDOWS\system32\ir4ess.dll (file missing)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O2 - BHO: SpyWarningBHO Class - {F58FF278-2198-403b-9170-C95022A194C6} - C:\Program Files\ASpyC\SpyWarning.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: Internet Service - {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
O4 - HKCU\..\Run: [ASpyC] "C:\Program Files\ASpyC\ASpyC.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.co...636.5219444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ir4ess - C:\WINDOWS\system32\ir4ess.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O22 - SharedTaskScheduler: hypoch - {2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\SYSTEM32\zgyhw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe

-- End of file - 9565 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PrtSeqRd - c:\windows\system32\drivers\prtseqrd.sys <Not Verified; Roxio; Take Two>
R1 Cdr4_2K - c:\windows\system32\drivers\cdr4_2k.sys <Not Verified; Roxio; Roxio's CD-R Helper Drivers>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; Roxio's CDRAL>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.
-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 17:09:08 0 d-------- C:\WINDOWS\Prefetch
2008-08-10 16:55:55 0 d-------- C:\WINDOWS\system32\scripting
2008-08-10 16:55:51 0 d-------- C:\WINDOWS\l2schemas
2008-08-10 16:55:50 0 d-------- C:\WINDOWS\system32\en
2008-08-10 16:49:31 0 d-------- C:\WINDOWS\network diagnostic
2008-08-10 15:53:42 0 d-------- C:\Program Files\SpywareBlaster
2008-08-10 15:52:47 0 d-------- C:\ie-spyad_zo
2008-08-10 14:11:23 0 d-------- C:\Program Files\Panda Security
2008-08-09 01:42:41 27648 --a------ C:\WINDOWS\system32\ubpr01.exe
2008-08-09 01:42:41 0 d-------- C:\WINDOWS\system32\995937
2008-08-09 01:42:40 0 d-------- C:\Program Files\ASpyC
2008-08-09 01:42:05 0 d-------- C:\Program Files\Applications

-- Find3M Report ---------------------------------------------------------------

2008-08-10 17:46:19 55724 --a------ C:\Documents and Settings\Jim\Application Data\client_gateway.log
2008-08-10 17:44:47 471 --a------ C:\Documents and Settings\Jim\Application Data\UpdateStore.xml
2008-08-10 17:44:47 376 --a------ C:\Documents and Settings\Jim\Application Data\SoftwarePackageStore.xml
2008-08-10 17:44:47 14692 --a------ C:\Documents and Settings\Jim\Application Data\EventStore.xml
2008-08-10 17:44:47 376 --a------ C:\Documents and Settings\Jim\Application Data\ConfigurationStore.xml
2008-08-10 17:44:47 475 --a------ C:\Documents and Settings\Jim\Application Data\CampaignStore.xml
2008-08-10 17:02:08 204916 --a------ C:\Documents and Settings\Jim\Application Data\client_gateway.log.1
2008-08-10 16:56:25 0 d-------- C:\Program Files\Messenger
2008-08-10 16:55:49 0 d-------- C:\Program Files\Movie Maker
2008-08-08 22:45:37 204954 --a------ C:\Documents and Settings\Jim\Application Data\client_gateway.log.2
2008-08-08 13:28:34 204841 --a------ C:\Documents and Settings\Jim\Application Data\client_gateway.log.3
2008-08-08 12:51:19 13312 --a-s---- C:\WINDOWS\system32\zgyhw.dll
2008-08-07 15:12:54 19056 --a------ C:\WINDOWS\mozver.dat
2008-08-07 14:15:26 204806 --a------ C:\Documents and Settings\Jim\Application Data\client_gateway.log.4
2008-06-18 14:23:06 0 d-------- C:\Program Files\Web Publish
2008-06-15 22:33:52 0 d-------- C:\Program Files\The Print Shop 21
2008-06-15 21:46:30 0 d-------- C:\Program Files\Common Files\Broderbund
2008-06-15 21:45:13 0 d-------- C:\Program Files\Common Files
2008-06-15 19:53:23 0 d-------- C:\Program Files\MSN Messenger
2008-06-14 21:56:54 0 d-------- C:\Documents and Settings\Jim\Application Data\HPAppData

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
03/02/2007 05:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 05:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1465F3-56CF-4FC4-8684-1BD6245AA30D}]
08/09/2008 01:42 AM 15360 --a------ C:\WINDOWS\system32\995937\995937.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7FF97C5-161B-4E80-A8B6-98A75BA9A9B1}]
C:\WINDOWS\system32\ir4ess.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
08/10/2008 05:46 PM 7680 --a------ C:\Program Files\Applications\iebt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F58FF278-2198-403b-9170-C95022A194C6}]
C:\Program Files\ASpyC\SpyWarning.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{254B87BB-510D-41FA-A887-52C5FA9BE585}"= C:\Program Files\Applications\iebr.dll [08/09/2008 01:42 AM 86016]

[-HKEY_CLASSES_ROOT\CLSID\{254B87BB-510D-41FA-A887-52C5FA9BE585}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 03:16 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/06/2003 03:16 PM]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [05/03/2007 02:12 PM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 11:32 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 10:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"wblogon"="C:\WINDOWS\system32\ubpr01.exe" [08/09/2008 01:42 AM]
"ASpyC"="C:\Program Files\ASpyC\ASpyC.exe" [08/04/2008 08:59 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec Network Driver Update Warning"=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Jim\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 8:31:16 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 8:31:16 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3/11/2007 10:26:24 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Applications\wcs.exe
"start"=C:\Program Files\Applications\iebtm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2f199d0e-f3e7-41a7-a060-816c24cceea0}"= C:\WINDOWS\system32\zgyhw.dll [08/08/2008 12:51 PM 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ir4ess]
ir4ess.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

-- End of Deckard's System Scanner: finished at 2008-08-10 17:53:03 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 254.8 MiB / 76.39 MiB
Pagefile Memory (total/avail): 625.84 MiB / 430.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.78 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 12.13 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:

\\.\PHYSICALDRIVE1 - HP Photosmart C7200 USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
-- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Jim\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=OFFICE ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Jim LOGONSERVER=\\OFFICE NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0204 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Jim\LOCALS~1\Temp TMP=C:\DOCUME~1\Jim\LOCALS~1\Temp USERDOMAIN=OFFICE USERNAME=Jim USERPROFILE=C:\Documents and Settings\Jim windir=C:\WINDOWS __COMPAT_LAYER=EnableNXShowUI -- User Profiles --------------------------------------------------------------- Jim (admin) Christopher (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7} Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll" Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log AT&T Internet Security Wizard 1.5.11 --> "C:\Program Files\AT&T\Internet Security Wizard\unins000.exe" Conexant HSF V92 56K RTAD 
Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\HxFSETUP.EXE -U -IVEN_14F1&DEV_2016&SUBSYS_021913E0 Dell | Support --> MsiExec.exe /X{91E8A85F-2960-40ED-BA84-7F4567BB00C0} Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956} Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe" Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288} DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN Easy CD Creator 5 Platinum --> MsiExec.exe /I{8851E12C-0EF9-11D4-A788-009027ABA5D0} Family Tree Maker 7.0 --> C:\WINDOWS\IsUninst.exe -fC:\FTW\Uninst.isu FinePixViewer Ver.4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE" FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE" HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F} HP Customer Participation Program 9.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat HP Imaging Device Functions 9.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat HP OCR Software 9.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat HP Photosmart All-In-One Software 9.0 --> C:\Program Files\HP\Digital Imaging\{D64BC2CF-0F12-47d7-B412-B4F3FD684253}\setup\hpzscr01.exe 
-datfile hposcr21.dat HP Photosmart Essential 2.01 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat HP Smart Web Printing --> MsiExec.exe /X{415CDA53-9100-476F-A7B2-476691E117C7} HP Solution Center 9.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F} HPSSupply --> MsiExec.exe /X{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3} IEBrowse Tool --> "C:\Program Files\Applications\iebtu.exe" IExplorer Bar --> "C:\Program Files\Applications\iebu.exe" ImageMixer VCD2 for FinePix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{934E9442-D305-4ACF-AD87-A6C11D677CB9}\setup.exe" Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe" Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log MasterSplitter Program --> C:\Program Files\MasterSplitter\uninstal.exe Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169} Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7} Microsoft Picture It! 
Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06} Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61} Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7} Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9} Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\ Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704} Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517} MicroStaff WINASPI --> C:\MWASPI\uninst.exe Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel Mshow Client --> C:\PROGRA~1\MSHOWC~1\UNWISE.EXE C:\PROGRA~1\MSHOWC~1\INSTALL.LOG MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5} MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)" NVIDIA Display Driver --> C:\WINDOWS\system32\nvudisp.exe Uninstall C:\WINDOWS\system32\nvdisp.nvu,NVIDIA Display Driver NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe RAW FILE CONVERTER LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D680C913-5955-469D-9D88-C1940F7506D6}\SETUP.EXE" -l0x9 RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe" Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe" Symantec Network Driver Update --> MsiExec.exe /X{6AF90EF6-F7F9-466C-99F4-1774826FBB40} The Print Shop 21 --> MsiExec.exe /I{9EF149EC-2375-429A-910D-1EFA489B67F6} Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\\mtsAxInstaller.exe /u Warning Center --> "C:\Program Files\Applications\wcu.exe" Windows Safety Alert --> C:\Documents and Settings\Jim\Local Settings\Temp\wgve2.exe /del Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" -- Application Event Log ------------------------------------------------------- Event Record #/Type12820 / Warning Event Submitted/Written: 08/10/2008 04:58:01 PM Event ID/Source: 63 / WinMgmt Event Description: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Event Record #/Type12807 / Error Event Submitted/Written: 08/09/2008 00:41:31 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application netscp.exe, version 7.2.0.0, faulting module npswf32.dll, version 6.0.79.0, fault address 0x0002c089. Processing media-specific event for [netscp.exe!ws!] Event Record #/Type12764 / Error Event Submitted/Written: 07/25/2008 09 00 PMEvent ID/Source: 1001 / Application Error Event Description: Fault bucket 130668394. 
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected. Event Record #/Type12763 / Error Event Submitted/Written: 07/25/2008 09:05:50 PM Event ID/Source: 1000 / Application Error Event Description: Faulting application netscp.exe, version 7.2.0.0, faulting module xpcom.dll, version 1.7.20040.14879, fault address 0x0000ee60. Processing media-specific event for [netscp.exe!ws!] -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type60859 / Warning Event Submitted/Written: 08/10/2008 05:09:57 PM Event ID/Source: 20 / Print Event Description: Printer Driver HP Photosmart C7200 series for Windows NT x86 Version-3 was added or updated. Files:- %4. Event Record #/Type60858 / Warning Event Submitted/Written: 08/10/2008 05:09:42 PM Event ID/Source: 20 / Print Event Description: Printer Driver HP Photosmart C7200 series fax for Windows NT x86 Version-3 was added or updated. Files:- %4. 
Event Record #/Type60723 / Error Event Submitted/Written: 08/10/2008 00:33:27 PM Event ID/Source: 7023 / Service Control Manager Event Description: The Application Management service terminated with the following error: %%126 Event Record #/Type60720 / Error Event Submitted/Written: 08/10/2008 00:33:27 PM Event ID/Source: 7023 / Service Control Manager Event Description: The Application Management service terminated with the following error: %%126 Event Record #/Type60717 / Error Event Submitted/Written: 08/10/2008 00:33:27 PM Event ID/Source: 7023 / Service Control Manager Event Description: The Application Management service terminated with the following error: %%126 -- End of Deckard's System Scanner: finished at 2008-08-10 17:53:03 ------------ ;*********************************************************************************************************************************************************************************** ANALYSIS: 2008-08-10 15:37:47 PROTECTIONS: 0 MALWARE: 45 SUSPECTS: 2 ;*********************************************************************************************************************************************************************************** PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 00024469 Exploit/ObjectData HackTools No 0 Yes No C:\Documents and Settings\Christopher\Local Settings\Temporary Internet 
Files\Content.IE5\O9IZKDE3\d[1].htm 00035937 adware/exact.searchbar Adware No 0 Yes No c:\documents and settings\jim\local settings\temp\blank.gif 00040067 spyware/shopnav Spyware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\pcid 00040471 adware/downloadware Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85A702BA-EA8F-4B83-AA07-07A5186ACD7E} 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.trafficmp.com/] 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Local Settings\Temp\Cookies\christopher@trafficmp[1].txt 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.trafficmp.com/] 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.trafficmp.com/] 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.trafficmp.com/] 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.trafficmp.com/] 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@trafficmp[1].txt 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.casalemedia.com/] 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.casalemedia.com/] 00139060 
Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.adultfriendfinder.com/] 00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.adultfriendfinder.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.go.com/] 00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[searchportal.information.com/] 00200583 adware/block-checker Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net\ 00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Cookies\jim@did-it[1].txt 00262020 Cookie/Atwola TrackingCookie No 0 Yes No 
C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.atwola.com/] 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.atwola.com/] 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Netscape\NSB\Profiles\0db8j5nz.default\cookies.txt[.atwola.com/] 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Christopher\Application Data\Mozilla\Profiles\default\9zpy115j.slt\cookies.txt[.atwola.com/] 00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\cookies.txt[.ads.addynamix.com/] 00501626 Spyware/Clipgenie Spyware No 1 No No C:\Documents and Settings\Christopher\Local Settings\Temp\upd2F.tmp[ME.dll] 00509737 Application/WinFixer2006 HackTools No 0 Yes No C:\Program Files\Common Files\Companion Wizard\WapCHK.dll 03467271 Application/AntiSpyCheck HackTools No 0 Yes No C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162039.exe 03469123 Application/AntiSpyCheck HackTools Yes 0 Yes No C:\Program Files\ASpyC\ASpyC.exe 03470658 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162040.dll 03471045 Generic Malware Virus/Trojan Yes 0 Yes No C:\WINDOWS\system32\ubpr01.exe 03472466 Adware/MalwareAlarm Adware No 1 Yes No C:\Documents and Settings\Jim\Local Settings\Temp\wgve2.exe 03472470 Trj/Downloader.MDW Virus/Trojan Yes 2 Yes No C:\WINDOWS\system32\zgyhw.dll ;=================================================================================================================================================================================== SUSPECTS Sent Location Z. 
;=================================================================================================================================================================================== No C:\Program Files\Applications\iebtmm.exe Z. No C:\Program Files\Applications\iebtmm.exe Z. ;=================================================================================================================================================================================== VULNERABILITIES Id Severity Description Z. ;=================================================================================================================================================================================== 182048 HIGH MS07-069 Z. 176382 HIGH MS07-057 Z. 170907 HIGH MS07-046 Z. 170906 HIGH MS07-045 Z. 170904 HIGH MS07-043 Z. 164913 HIGH MS07-033 Z. 160623 HIGH MS07-027 Z. 150253 HIGH MS07-016 Z. 133387 MEDIUM MS06-065 Z. ;=================================================================================================================================================================================== |
#3
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Hello and welcome to TSF
Apologies for the delay getting to your log. The helpers here are all volunteers and we have been very busy lately. If you are still having malware problems, follow the instructions below.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear: a lack of symptoms does not mean that it is no longer present. Please DO NOT attach logs to your posts unless you are advised to do so.

==========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

IEBrowse Tool <--- IEBrowse Tool is a Trojan typically installed with rogue anti-spyware programs.
IExplorer Bar <---- If you do not know what this is or you did not install it, please remove it.
Viewpoint Media Player <--- Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546 Additional Information Here and Here
Warning Center <---- Warning Center is a Trojan typically installed with rogue anti-spyware programs.
Windows Safety Alert <---- Related to the rogue anti-spyware program Malware-Wiped as well as other SmitFraud variants.

Do Not reboot if requested at this time.

============

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 Link 2 Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

Do not mouseclick combofix's window while it's running. That may cause it to stall.

===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=========

Logs Required
C:\Combofix.txt
Hijackthis Log
#4
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
ComboFix 08-08-18.01 - Jim 2008-08-18 20:51:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.62 [GMT -4:00] Running from: C:\Documents and Settings\Jim\Desktop\Combo-Fix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\SYSTEM32\995937 C:\WINDOWS\SYSTEM32\995937\995937.dll . ---- Previous Run ------- . C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\9KEY2RBE\interclick.com C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\9KEY2RBE\interclick.com\ud.sol C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\9KEY2RBE\www.broadcaster.com C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Documents and Settings\Christopher\Cookies\christopher@myspace[2].txt C:\Documents and Settings\Christopher\UserData C:\Documents and Settings\Christopher\UserData\F2WNBX4H\DraftMsgData[1].xml C:\Documents and Settings\Christopher\UserData\index.dat C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\#SharedObjects\8B3ZMU6W\interclick.com C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\#SharedObjects\8B3ZMU6W\interclick.com\ud.sol C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and 
Settings\Jim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Documents and Settings\Jim\My Documents\My Documents.url C:\Documents and Settings\Jim\My Documents\My Music\My Music.url C:\Documents and Settings\Jim\My Documents\My Pictures\My Pictures.url C:\Documents and Settings\Jim\My Documents\My Videos\My Video.url C:\Documents and Settings\Jim\UserData C:\Documents and Settings\Jim\UserData\0HMNO1IN\oWindowsUpdate[1].xml C:\Documents and Settings\Jim\UserData\0HMNO1IN\oWindowsUpdate[2].xml C:\Documents and Settings\Jim\UserData\G9Q3GDMB\oWindowsUpdate[1].xml C:\Documents and Settings\Jim\UserData\G9Q3GDMB\oWindowsUpdate[2].xml C:\Documents and Settings\Jim\UserData\index.dat C:\Documents and Settings\Jim\UserData\WPYVGHI3\oWindowsUpdate[1].xml C:\Program Files\Applications\myd.ico C:\Program Files\Applications\mym.ico C:\Program Files\Applications\myp.ico C:\Program Files\Applications\myv.ico C:\Program Files\Applications\ot.ico C:\Program Files\Applications\ts.ico C:\Program Files\ASpyC C:\Program Files\ASpyC\ASpyC.exe C:\Program Files\Common Files\companion wizard C:\Program Files\Common Files\companion wizard\WapCHK.dll C:\WINDOWS\SYSTEM32\995937 C:\WINDOWS\SYSTEM32\995937\995937.dll C:\WINDOWS\system32\AutoRun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FOPN -------\Legacy_VSPF -------\Legacy_VSPF_HK ((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 ))))))))))))))))))))))))))))))) . 2008-08-18 20:55 . 2008-08-18 20:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\995937 2008-08-16 19:13 . 2008-08-16 19:13 276 --a------ C:\WINDOWS\SYSTEM32\MRT.INI 2008-08-16 19:07 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll 2008-08-16 19:06 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll 2008-08-10 17:46 . 
2008-08-10 17:46 <DIR> d-------- C:\Deckard 2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting 2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\en 2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\l2schemas 2008-08-10 16:28 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll 2008-08-10 16:27 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll 2008-08-10 15:53 . 2008-08-10 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-08-10 15:52 . 2008-08-10 15:52 <DIR> d-------- C:\ie-spyad_zo 2008-08-10 14:11 . 2008-08-10 14:11 <DIR> d-------- C:\Program Files\Panda Security 2008-08-10 14:11 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys 2008-08-09 01:42 . 2008-08-18 20:35 <DIR> d-------- C:\Program Files\Applications 2008-08-09 01:42 . 2008-08-09 01:42 27,648 --a------ C:\WINDOWS\SYSTEM32\ubpr01.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-19 00:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\temp 2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-04-20 03:04 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk 2005-09-22 22:37 81,216 ----a-w C:\Documents and Settings\Jim\Application Data\GDIPFONTCACHEV1.DAT 2005-03-01 17:16 81,216 ----a-w C:\Documents and Settings\Christopher\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1465F3-56CF-4FC4-8684-1BD6245AA30D}] 2008-08-18 20:57 15360 --a------ C:\WINDOWS\system32\995937\995937.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360] "wblogon"="C:\WINDOWS\system32\ubpr01.exe" [2008-08-09 01:42 27648] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 15:16 49152] "ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 14:12 2061816] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152] "nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 09:52 218232] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2008-04-13 20:12 78848] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler] "{2f199d0e-f3e7-41a7-a060-816c24cceea0}"= "C:\WINDOWS\system32\zgyhw.dll" [2008-08-08 12:51 13312] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"= [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24] R0 PrtSeqRd;PrtSeqRd;C:\WINDOWS\system32\drivers\PrtSeqRd.sys [2001-05-15 17:48] S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . - - - - ORPHANS REMOVED - - - - BHO-{C7FF97C5-161B-4E80-A8B6-98A75BA9A9B1} - C:\WINDOWS\system32\ir4ess.dll HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe HKCU-Run-ASpyC - C:\Program Files\ASpyC\ASpyC.exe HKU-Default-Run-Symantec Network Driver Update Warning - C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE HKU-Default-Run-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe Notify-ir4ess - ir4ess.dll . ------- Supplementary Scan ------- . 
R0 -: HKCU-Main,Start Page = hxxp://www.bingpage.com/?cm=710735<=2&it=2008-08-09%2001%3A42%3A00&dt=2008-08-18%2020%3A21%3A06&q=http://home.bellsouth.net/ R0 -: HKCU-Main,SearchMigratedDefaultUrl = hxxp://internetsearchservice.com/search?q={searchTerms} R0 -: HKCU-Main,Default_Search_URL = hxxp://internetsearchservice.com R0 -: HKLM-Main,Search Bar = hxxp://internetsearchservice.com/ie6.html R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms} R1 -: HKLM-Internet Explorer,SearchURL = hxxp://internetsearchservice.com O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 -: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-18 20:57:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\SYSTEM32\nvsvc32.exe C:\WINDOWS\SYSTEM32\wdfmgr.exe C:\WINDOWS\SYSTEM32\rundll32.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe . ************************************************************************** . 
Completion time: 2008-08-18 21:05:34 - machine was rebooted [Jim] ComboFix-quarantined-files.txt 2008-08-19 01:05:28 Pre-Run: 13,794,721,792 bytes free Post-Run: 13,773,266,944 bytes free 187 --- E O F --- 2008-08-19 00:05:07 O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187 O20 - AppInit_DLLs: O22 - SharedTaskScheduler: hypoch - {2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\system32\zgyhw.dll O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- 
End of file - 6484 bytes
#6
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
Is the last bit of the last post from me not it? I'm not sure. It's the one with O8, O9, O12, O16, O20, O22, O23 at the beginning of the lines. If that's not it, I will send it to you around 8:00 p.m. Thanks
#7
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Quote:
Please download HijackThis to your desktop (Alternate link). This program will help us determine if there is any spyware/malware on your computer.
Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here.
Do not fix anything in HijackThis since they may be harmless.
#8
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:31 PM, on 8/19/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\AT&T\Internet Security Wizard\ISW.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\ubpr01.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 N3 - Netscape 7: user_pref("browser.startup.homepage", 
"http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\JIM\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JIM\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\prefs.js) O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user') O4 - Global Startup: HP Digital 
Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187 O20 - AppInit_DLLs: O22 - SharedTaskScheduler: hypoch - 
{2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\system32\zgyhw.dll O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 6329 bytes
#9
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Hello again
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O22 - SharedTaskScheduler: hypoch - {2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\system32\zgyhw.dll
Please remember to close all other windows, including browsers, then click Fix checked.
===========
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFscript into ComboFix.exe. Follow the prompts, and post the resulting log, C:\ComboFix.txt
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Warning: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).
=============
I see no evidence of an AntiVirus program on your system. This must be resolved. Go Here and download/install and run a scan, then post the log from that scan in your reply. You can choose an antivirus of your own if you wish.
=========
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=========
Logs Required
C:\Combofix.txt
Avira scan results (or another)
Hijackthis Log
An update on how your system is behaving.
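One way to triage a HijackThis log for the entry types the moderator singled out in this thread (hijacked R0/R1 search URLs, an unrecognised HKCU Run entry, an orphaned O9 button and an O22 SharedTaskScheduler DLL), as an added example that is not the thread's or HijackThis's own code. The allowlists EXPECTED_HOSTS, KNOWN_SYSTEM32_RUN and KNOWN_SHARED_TASK are assumptions for this one machine, and the sample lines are constructed from the log posted in #8.

```python
"""Triage of a HijackThis v2 log for the entry types flagged in this thread.

Added example, not the thread's or HijackThis's own code. The allowlists are
assumptions for this one machine; the sample lines are constructed from the
log posted in #8.
"""
import re
from urllib.parse import urlparse

# Hosts that may legitimately appear in IE R0/R1 entries on this machine
# (assumption: Microsoft defaults plus the user's ISP portals).
EXPECTED_HOSTS = {"go.microsoft.com", "my.att.net", "home.bellsouth.net"}
# Files under system32 we expect a Run entry to load here (assumption).
KNOWN_SYSTEM32_RUN = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "nwiz.exe"}
# The only SharedTaskScheduler DLL XP ships with (assumption).
KNOWN_SHARED_TASK = {"browseui.dll"}

# Constructed sample: a subset of the HijackThis log lines from post #8.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O22 - SharedTaskScheduler: hypoch - {2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\system32\zgyhw.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# R0/R1: "<hive>\<key>,<value> = <url>"
_URL_ENTRY = re.compile(r"^(R[01]) - (.+?) = (\S+)$")
# O4: "<hive>\..\Run: [<value name>] <command line>"
_RUN_ENTRY = re.compile(r"^O4 - (HK\S+?)\\\.\.\\Run: \[(.+?)\] (.+)$")
# O22: "SharedTaskScheduler: <name> - {<clsid>} - <dll path>"
_STS_ENTRY = re.compile(r"^O22 - SharedTaskScheduler: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O9: any extra button whose target HijackThis reports as "(no file)"
_ORPHAN_BUTTON = re.compile(r"^O9 - .* - \(no file\)$")


def _target(command):
    """Best-effort: the file a Run command line actually loads."""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    # rundll32 lines name the DLL after the host exe; take the last path.
    paths = re.findall(r"[A-Za-z]:\\[^\s,]+", command)
    return paths[-1] if paths else command.split()[0]


def triage(log_text):
    """Return (code, reason, line) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _URL_ENTRY.match(line)
        if m:
            host = urlparse(m.group(3)).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((m.group(1),
                                 f"IE search/start URL points at unexpected host {host}",
                                 line))
            continue
        m = _RUN_ENTRY.match(line)
        if m:
            name = _target(m.group(3)).split("\\")[-1].lower()
            if "\\system32\\" in m.group(3).lower() and name not in KNOWN_SYSTEM32_RUN:
                findings.append(("O4",
                                 f"{m.group(1)} Run entry [{m.group(2)}] loads "
                                 f"unrecognised system32 file {name}",
                                 line))
            continue
        m = _STS_ENTRY.match(line)
        if m:
            name = m.group(3).split("\\")[-1].lower()
            if name not in KNOWN_SHARED_TASK:
                findings.append(("O22",
                                 f"SharedTaskScheduler '{m.group(1)}' loads "
                                 f"unrecognised DLL {name}",
                                 line))
            continue
        if _ORPHAN_BUTTON.match(line):
            findings.append(("O9", "orphaned button entry (target file missing)", line))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {entry}")
```

Run against the sample it reports exactly the four entries the moderator asked to have fixed and stays silent on the NVIDIA, ctfmon and AT&T entries.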
#10
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
ComboFix 08-08-18.05 - Jim 2008-08-19 20:46:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.95 [GMT -4:00] Running from: C:\Documents and Settings\Jim\Desktop\Combo-Fix.exe Command switches used :: C:\Documents and Settings\Jim\Desktop\CFscript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\SYSTEM32\995937 C:\WINDOWS\SYSTEM32\995937\995937.dll C:\WINDOWS\SYSTEM32\ubpr01.exe C:\WINDOWS\system32\zgyhw.dll . ((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 ))))))))))))))))))))))))))))))) . 2008-08-18 21:10 . 2008-08-18 21:10 <DIR> d-------- C:\Program Files\Trend Micro 2008-08-16 19:13 . 2008-08-16 19:13 276 --a------ C:\WINDOWS\SYSTEM32\MRT.INI 2008-08-16 19:07 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll 2008-08-16 19:06 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll 2008-08-10 17:46 . 2008-08-10 17:46 <DIR> d-------- C:\Deckard 2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting 2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\en 2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\l2schemas 2008-08-10 16:28 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll 2008-08-10 16:27 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll 2008-08-10 15:53 . 2008-08-10 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-08-10 15:52 . 2008-08-10 15:52 <DIR> d-------- C:\ie-spyad_zo 2008-08-10 14:11 . 2008-08-10 14:11 <DIR> d-------- C:\Program Files\Panda Security 2008-08-10 14:11 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys 2008-08-09 01:42 . 2008-08-18 20:35 <DIR> d-------- C:\Program Files\Applications . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-08-20 00:41 --------- d-----w C:\Documents and Settings\Jim\Application Data\HPAppData 2008-08-20 00:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\temp 2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll 2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll 2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll 2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll 2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll 2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe 2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe 2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe 2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll 2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll 2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll 2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll 2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys 2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys 2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys 2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys 2008-04-20 03:04 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk 2005-09-22 22:37 81,216 ----a-w C:\Documents and Settings\Jim\Application Data\GDIPFONTCACHEV1.DAT 2005-03-01 17:16 81,216 ----a-w C:\Documents and Settings\Christopher\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((( snapshot@2008-08-18_21.04.55.90 ))))))))))))))))))))))))))))))))))))))))) . 
- 2007-08-13 23:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe + 2007-08-13 22:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe + 2006-09-23 17:12:50 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll + 2007-08-13 22:42:54 17,408 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\corpol.dll - 2008-06-23 16:57:29 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll + 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll + 2007-08-13 22:45:18 78,336 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieencode.dll + 2006-09-23 17:12:50 1,497,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll + 2006-09-23 17:12:50 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll - 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll + 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll - 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe + 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe - 2008-08-19 00:53:20 52,968 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT + 2008-08-19 01:01:16 52,968 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT - 2008-08-19 00:53:20 380,680 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT + 2008-08-19 01:01:16 380,680 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 15:16 49152] "ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 14:12 2061816] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152] "nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 09:52 218232] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2008-04-13 20:12 78848] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program 
Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24] R0 PrtSeqRd;PrtSeqRd;C:\WINDOWS\system32\drivers\PrtSeqRd.sys [2001-05-15 17:48] S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-19 20:50:24 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-08-19 20:54:53 ComboFix-quarantined-files.txt 2008-08-20 00:54:48 ComboFix2.txt 2008-08-19 01:05:36 Pre-Run: 14,111,641,600 bytes free Post-Run: 14,100,910,080 bytes free 142 --- E O F --- 2008-08-19 23:32:46 Avira AntiVir Personal Report file date: Tuesday, August 19, 2008 21:26 Scanning for 1563576 virus strains and unwanted programs. 
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: OFFICE

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.6.10 2587136 Bytes 8/14/2008 01:22:22
ANTIVIR3.VDF : 7.0.6.38 175104 Bytes 8/19/2008 01:22:24
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 14:46:50
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 8/20/2008 01:22:38
AESCN.DLL : 8.1.0.23 119156 Bytes 8/20/2008 01:22:37
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 14:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 8/20/2008 01:22:36
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 8/20/2008 01:22:34
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 8/20/2008 01:22:33
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 14:46:50
AEGEN.DLL : 8.1.0.36 315764 Bytes 8/20/2008 01:22:28
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/20/2008 01:22:27
AECORE.DLL : 8.1.1.8 172406 Bytes 8/20/2008 01:22:25
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 14:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 8/20/2008 01:22:24
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, August 19, 2008 21:26

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hpswp_clipbook.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'hpotbx05.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'ISW.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080818210922\backup\DOCUME~1\Jim\LOCALS~1\Temp\abc1231xHT.exe
[DETECTION] Is the TR/Dldr.ConHook.BJ Trojan
[NOTE] The file was moved to '490e7376.qua'!
C:\Deckard\System Scanner\20080818210922\backup\DOCUME~1\Jim\LOCALS~1\Temp\wgve2.exe
[DETECTION] Is the TR/Fakealert.ZV.1 Trojan
[NOTE] The file was moved to '492173b1.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49027443.qua'!
C:\Documents and Settings\Jim\Desktop\[4]-Submit_2008-08-19@20.46.zip
C:\Documents and Settings\Jim\Desktop\[4]-Submit_2008-08-19@20.46.zip
[0] Archive type: ZIP
--> zgyhw.dll
[DETECTION] Is the TR/Fakealert.ZV Trojan
[NOTE] The file was moved to '490874ad.qua'!
C:\Program Files\Applications\wcm.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '491876e9.qua'!
C:\QooBox\Quarantine\catchme2008-08-18_203922.29.zip
[0] Archive type: ZIP
--> 995937.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '491f79b7.qua'!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\995937\995937.dll.vir
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48e079a8.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162033.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc79f0.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162034.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc79f3.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162035.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc79f5.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162070.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc79fa.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162071.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc79fc.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162072.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc79ff.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1716\A0165867.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7aa2.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1716\A0165868.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7aa4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1716\A0165869.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7aa6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165905.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7aab.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165906.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7aad.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165907.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7aaf.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165926.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7ab2.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165927.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ab4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165928.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ab6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1718\A0165967.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ad4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1718\A0165968.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7ad6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1718\A0165969.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ad8.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1719\A0166092.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ae0.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166118.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ae4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166119.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ae6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166123.exe
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
--> Object
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ae8.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166169.dll
[DETECTION] Is the TR/Drop.Zlob.IJ.2 Trojan
[NOTE] The file was moved to '48dc7aef.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1721\A0166194.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48dc7af3.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1721\A0167217.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48dc7af7.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1726\A0167519.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48dc7b12.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1727\A0167534.exe
[DETECTION] Is the TR/Dldr.ConHook.BJ Trojan
[NOTE] The file was moved to '48dc7b16.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1727\A0167535.exe
[DETECTION] Is the TR/Fakealert.ZV.1 Trojan
[NOTE] The file was moved to '48dc7b19.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1727\A0167536.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7b1b.qua'!

End of the scan: Tuesday, August 19, 2008 22:18
Used time: 51:50 Minute(s)

The scan has been done completely.

4931 Scanning directories
220696 Files were scanned
37 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
36 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
220656 Files not concerned
5694 Archives were scanned
3 Warnings
36 Notes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:26 PM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPOTBX05.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\JIM\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JIM\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\prefs.js)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6346 bytes

The computer is running much better. I don't have the pop ups or warnings anymore. Is there an antivirus that you recommend, or is AntiVir a good one? Thank you for your help. You have saved me. Let me know what else to do.
#11
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Hello again
Looking much better. You can delete [4]-Submit_2008-08-19@20.46.zip from your desktop; the files uploaded successfully, thank you.

Quote:

=========
You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that it can be used to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System, then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!

Microsoft Windows XP Professional

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log. Even though you have SP3 installed, install the recovery console that matches your operating system.

==========
Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFscript into ComboFix.exe. Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Warning: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

==========
JAVA OUTDATED

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.

===========
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===========
Logs Required
CF_RC.txt
C:\Combofix.txt
Hijackthis Log
#12
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
I did not save the CF_RC.txt file. Is there a way I can find it? Also I could not find the file in Desktop [4]-Submit_2008-08-19@20.46.zip. Was it a log? If so, I did delete it.
ComboFix 08-08-19.06 - Jim 2008-08-20 23:03:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.70 [GMT -4:00]
Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim\Desktop\CFscript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\PROGRA~1\SYMNET~1
C:\PROGRA~1\SYMNET~1\SNDWarn.exe
C:\Program Files\AT&T\Internet Security Wizard
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\AT&T\Internet Security Wizard\log4cplus.properties
C:\Program Files\AT&T\Internet Security Wizard\resources\application.ico
C:\Program Files\AT&T\Internet Security Wizard\RpSpaWshComAgent.dll
C:\Program Files\AT&T\Internet Security Wizard\StopATTInternetSecurityWizard.exe
C:\Program Files\AT&T\Internet Security Wizard\unins000.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-20 22:24 . 2008-08-20 22:26 <DIR> d-------- C:\Combo-Fix
2008-08-19 21:20 . 2008-08-19 21:20 <DIR> d-------- C:\Program Files\Avira
2008-08-19 21:20 . 2008-08-19 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-18 21:10 . 2008-08-18 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 19:13 . 2008-08-16 19:13 276 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-08-16 19:07 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-16 19:06 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-10 17:46 . 2008-08-10 17:46 <DIR> d-------- C:\Deckard
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-10 16:28 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-10 16:27 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-10 15:53 . 2008-08-10 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-10 15:52 . 2008-08-10 15:52 <DIR> d-------- C:\ie-spyad_zo
2008-08-10 14:11 . 2008-08-10 14:11 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 14:11 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-09 01:42 . 2008-08-19 21:42 <DIR> d-------- C:\Program Files\Applications
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 03:03 --------- d-----w C:\Program Files\AT&T
2008-08-21 02:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\temp
2008-08-20 00:41 --------- d-----w C:\Documents and Settings\Jim\Application Data\HPAppData
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-04-20 03:04 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2005-09-22 22:37 81,216 ----a-w C:\Documents and Settings\Jim\Application Data\GDIPFONTCACHEV1.DAT
2005-03-01 17:16 81,216 ----a-w C:\Documents and Settings\Christopher\Application Data\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Program Files\Applications ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 15:16 49152]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2008-04-13 20:12 78848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PrtSeqRd;PrtSeqRd;C:\WINDOWS\system32\drivers\PrtSeqRd.sys [2001-05-15 17:48]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISW.exe - C:\Program Files\AT&T\Internet Security Wizard\ISW.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 23:04:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 23:09:43
ComboFix-quarantined-files.txt 2008-08-21 03:09:39
ComboFix2.txt 2008-08-21 02:50:20
ComboFix3.txt 2008-08-20 00:54:54
ComboFix4.txt 2008-08-19 01:05:36

Pre-Run: 14,366,507,008 bytes free
Post-Run: 14,346,936,320 bytes free

150 --- E O F --- 2008-08-19 23:32:46

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:34 PM, on 8/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("Cdavis15103.aim.session.autologin", false);
user_pref("Cdavis15103.aim.session.connectionname", "AIM");
user_pref("Cdavis15103.aim.session.password", "0");
user_pref("Cdavis15103.aim.session.storepassword", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.aim.session.listonly", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Cdavis15103");
user_pref("aim.session.screenname", "Cdavis15103");
user_pref("browser.activation.c
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("Cdavis15103.aim.session.autologin", false);
user_pref("Cdavis15103.aim.session.connectionname", "AIM");
user_pref("Cdavis15103.aim.session.password", "0");
user_pref("Cdavis15103.aim.session.storepassword", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.aim.session.listonly", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Cdavis15103");
user_pref("aim.session.screenname", "Cdavis15103");
user_pref("browser.activation.c
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra
'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187 O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 7978 bytes |
#13
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Hello again
===========
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
Please remember to close all other windows, including browsers, then click Fix checked.
=========
You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
=========
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
==========
Log Required
HijackThis Log
#14
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
I do see the option for the Recovery Console at start-up. I will check for that one entry tonight. Is the Windows Firewall OK, or should I use one that you suggest? Thanks
#15
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Windows Firewall only gives inbound protection; if you are infected, Windows Firewall cannot stop it from sending out any data to their servers. The two firewalls I have suggested will offer inbound and outbound protection.
#16
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:37 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("Cdavis15103.aim.session.autologin", false);
user_pref("Cdavis15103.aim.session.connectionname", "AIM");
user_pref("Cdavis15103.aim.session.password", "0");
user_pref("Cdavis15103.aim.session.storepassword", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.aim.session.listonly", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Cdavis15103");
user_pref("aim.session.screenname", "Cdavis15103");
user_pref("browser.activation.c
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("Cdavis15103.aim.session.autologin", false);
user_pref("Cdavis15103.aim.session.connectionname", "AIM");
user_pref("Cdavis15103.aim.session.password", "0");
user_pref("Cdavis15103.aim.session.storepassword", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.aim.session.listonly", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Cdavis15103");
user_pref("aim.session.screenname", "Cdavis15103");
user_pref("browser.activation.c
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8797 bytes
#17
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
Re: Multiple pop ups and spyware problems
Hello again
I notice you have AskSBar in your HijackThis log. AskBar is advertising related, so it is considered adware and may be causing popup windows on your computer.
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
AskSBar
=======
Delete the following files indicated in RED and folders indicated in BLUE if they still exist:
C:\Program Files\AskSBar
=======
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=======
Logs Required
HijackThis Log
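The two moderator replies above (post #13 picking out the MSN toolbar whose DLL is missing, post #17 picking out the AskSBar BHO and toolbar) are the manual version of a first-pass log triage. The script below does that pass in code over HijackThis 2.0 log lines. It is an added example for this page, not code from the thread, from Trend Micro HijackThis or from Tech Support Forum; the entry-layout regexes and the five flag rules are this example's own assumptions about the log format and about what deserves a second look, and the sample lines are copied from the logs posted in this thread. A flag is a reason to check an entry, not a verdict on it.

```python
"""Triage a Trend Micro HijackThis 2.0 log the way the analyst in this thread
does by eye: parse each entry, pull out CLSIDs and file paths, and flag the
patterns that deserve a closer look.

Added example for this page. It is not code from the thread, from Trend Micro
HijackThis, or from Tech Support Forum; the entry layout regexes and the flag
rules are this example's own assumptions, and a flag is a reason to check an
entry, not a verdict on it.
"""
import re
from dataclasses import dataclass, field

# An HJT entry is "<section> - <rest>" with section R0-R3, N1-N4, F0-F3 or O1-O24.
# The layout of <rest> differs per section, so only the pieces common to most
# of them (CLSIDs and drive-letter paths) are extracted generically.
ENTRY_RE = re.compile(r"^(?P<section>[RNFO]\d{1,2}) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Non-greedy up to the first executable-looking extension, so paths containing
# spaces ("C:\Program Files\...") survive and a list of several DLLs splits.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|lnk|sys|ocx)(?![A-Za-z0-9])', re.IGNORECASE
)
SHORT_NAME_RE = re.compile(r"~\d")  # 8.3 short names such as PROGRA~1

# Assumption: names the thread's analyst treated as adware (post #17).
ADWARE_MARKERS = ("asksbar", "askbar")


@dataclass
class Entry:
    section: str
    rest: str
    clsids: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def parse_entry(line: str):
    """Return an Entry for an HJT R/N/F/O line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["section"], m["rest"])
    entry.clsids = CLSID_RE.findall(entry.rest)
    entry.paths = PATH_RE.findall(entry.rest)
    return entry


def flag_entry(entry: Entry) -> Entry:
    """Apply the triage rules in place and return the same entry."""
    low = entry.rest.lower()
    if "(file missing)" in low:
        # The registration points at a file that is gone: a dead BHO/toolbar
        # that HJT can safely "Fix", exactly the O3 MSN entry from post #13.
        entry.flags.append("file-missing")
    if entry.section == "O20" and entry.paths:
        # AppInit_DLLs load into every process that links user32.dll. Security
        # products use it too (COMODO's guard32.dll in this thread), but it is
        # a classic injection point, so every DLL listed must be accounted for.
        entry.flags.append("appinit-dll")
    if entry.section in ("O2", "O3") and any(mk in low for mk in ADWARE_MARKERS):
        entry.flags.append("adware-toolbar")
    if entry.section == "O23" and "unknown owner" in low:
        # HJT prints "Unknown owner" when the binary carries no company name in
        # its version resource. Benign here (cmdagent.exe is COMODO's), but the
        # vendor has to be confirmed from the path rather than assumed.
        entry.flags.append("service-unknown-owner")
    if entry.section == "O4" and any(SHORT_NAME_RE.search(p) for p in entry.paths):
        # 8.3 short names hide the real folder name; resolve before judging.
        entry.flags.append("short-path")
    return entry


def triage(log_text: str) -> list:
    """Parse a whole log and return only the entries that tripped a rule."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None and flag_entry(entry).flags:
            hits.append(entry)
    return hits


# Constructed sample: lines copied from the logs posted in this thread, one per line.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [AskSBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.section:<4} {', '.join(hit.flags):<22} {hit.rest}")
```

Run as-is, the script lists five of the eight entries: the Ask BHO (adware-toolbar), the MSN toolbar (file-missing), the AskSBar RunOnce with its 8.3 path (short-path), the AppInit_DLLs line (appinit-dll) and the COMODO helper service (service-unknown-owner); the Java BHO, the NVIDIA Run entry and the NVIDIA service pass clean. The last two flags illustrate why the output is a worklist rather than a removal list: in this thread's logs both sit next to COMODO Firewall Pro and SafeSurf, so the analyst clears them by confirming the vendor from the path, not by fixing them in HJT.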
#18
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
I started having Windows Installer try to install the Publisher 21 program. It is a printing program that lets you make all kinds of things. The only problem is that I installed that program over a month ago. Do you think that it is trying to install something else, or is it OK to let it install? I will delete that AskSBar when I get home.
#19
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Multiple pop ups and spyware problems
I've had this happen to myself at times; I stopped the Windows Installer service and set it to manual, and I have never encountered that problem again.
Click Start > Run > type services.msc
Locate Windows Installer
In the Startup type box, change to Manual
Then click on the Stop button
Click Apply and OK
#20
Registered User
Join Date: Aug 2008
Posts: 12
OS: XP service pack 2
Re: Multiple pop ups and spyware problems
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:45 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("Cdavis15103.aim.session.autologin", false);
user_pref("Cdavis15103.aim.session.connectionname", "AIM");
user_pref("Cdavis15103.aim.session.password", "0");
user_pref("Cdavis15103.aim.session.storepassword", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.aim.session.listonly", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Cdavis15103");
user_pref("aim.session.screenname", "Cdavis15103");
user_pref("browser.activation.c
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("Cdavis15103.aim.session.autologin", false);
user_pref("Cdavis15103.aim.session.connectionname", "AIM");
user_pref("Cdavis15103.aim.session.password", "0");
user_pref("Cdavis15103.aim.session.storepassword", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.aim.session.listonly", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Cdavis15103");
user_pref("aim.session.screenname", "Cdavis15103");
user_pref("browser.activation.c
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\RunOnce: [AskSBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8457 bytes