Multiple pieces of Malware/Adware/Spyware...

Ei8htBall1989 · 01-03-2006, 02:06 PM

Well, I'm trying to fix the family computer. It has been acting funny for awhile, but I haven't had the time to work on it until recently.

It's bad. Really bad. Up until now, my parents have insisted on using Norton, because "it's from a reputable company" (meaning they can go into a store and buy a box)... I don't use the computer much, but started to get suspicious that there was a problem when my Mother kept complaining that "Norton wouldn't update", I wasn't exactly sure what she meant, but when I tried it myself, it just didn't update...

I got a variety of error messages (practically a different one each time), so I gave up and went to my two favorite programs, AVG and Avast! [although I'm always looking for suggestions] which proceded to find several instances of "lop" among other viruses, trojans, and worms (I can't remember anything more specific than lop, sorry), I proceded to let the programs decide the best course of action for cleaning, and all seemed well.

I then ran my 2 favorite Anti-Ad/spyware programs; Spybot S+D and Ad-aware... they turned up hundreds (when added together it may have broken 1000) of files, again, I went ahead and deleted all of them (I did check to make sure there wasn't anything I recognized as being important)...

Everything went well for a few days, until it happened again; Norton couldn't update... I scanned again, found "lop" again, along with a pleathora (sp?) of viruses/torjans/worms and ad/spyware...

I followed the same steps again (I knew deep down that it wasn't going to work, but I did it anyway), and the same result... lop was back, along with it's buddies (I keep bringing up lop, because it's the only one that was consistantly detected on almost every scan...)

Now it was time to ask for help... I had a few of my friends refer me to their favorite online scanning tools, and ran those (the list was very simmilar to the one in "First Steps at Removing the Malware and Posting your Log")... I ran them, got rid of anthing detected, but something wasn't right...

One of my friends then recommended this site. I visited (found the previously mentioned "First Steps at Removing the Malware and Posting your Log" and followed the instrutions) then downloaded HJT, and ran it (the log is below).
That's about everything (I tried to keep it reasonably short without leaving anything out, but I'm not sure if I succedded)...

Thanks,
Zach
(I hope that made sense. If you need me to clarify anything, just ask)

--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:54:15 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08857C95-5210-DD69-CAA5-543F490B51D0} - C:\PROGRA~1\STOPME~1\logo trans.exe (file missing)
O2 - BHO: (no name) - {53468933-CFCE-D931-9C9C-4FD98DDEC91C} - C:\DOCUME~1\ELIZAB~1\APPLIC~1\STOPME~1\logo trans.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe
O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://goinnow.com/tl7000.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unlea...edLotTeleX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe
--------------------------------------------------

Ried · 01-04-2006, 01:49 PM

Hello Ei8htBall1989 and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download fl.zip.
Extract the contents to a new folder on Desktop. Do not run it yet.

---------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

STOPME~1
AdwareFilterToolBar

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08857C95-5210-DD69-CAA5-543F490B51D0} - C:\PROGRA~1\STOPME~1\logo trans.exe (file missing)
O2 - BHO: (no name) - {53468933-CFCE-D931-9C9C-4FD98DDEC91C} - C:\DOCUME~1\ELIZAB~1\APPLIC~1\STOPME~1\logo trans.exe (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe this is a key logger program--only fix if you did not install yourself. See this site: http://www.auditmypc.com/process/bpk.asp
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://goinnow.com/tl7000.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab

Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Folders if they still exist.

C:\PROGRA~1\ STOPME~1
C:\Program Files\ AdwareFilterToolBar
C:\DOCUME~1\ZACHSH~1\APPLIC~1\ MEMOEA~1

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Reboot into Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log.

Go to the fl.zip you downloaded earlier. Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

Ei8htBall1989 · 01-05-2006, 05:51 AM

I did notice that a few of the HJT things you had me 'fix' came back... in the future, do you want me to try fixing them again, or just leave them alone (like I did this time)?

I think I copied in all of the logs you asked for, if not, let me know.

When removing programs, I found AdwareFilterToolBar, but not STOPME~1

The following were not found by HJT when I ran the scan in safe mode:
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe

When trying to fix 'O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing', I received the error message
"HijackThis cannot repair O10 Winsock LSP entries.
You should use LSPFix for that, which is availale form http://www.cexx.org/lspfix.htm.

If the O10 item belongs to WebHancer, New.Net or CommonName, Spybot S&D can
remove it automatically. Spybot S&D is available from http://www.spybot.info."
There was only One option, OK.

None of the 3 folders listed exist.

During the Panda Active Scan, I received some strange error messages, one was asking for a microsoft outlook profile name and the other was a "could not connect to server" messag asking if i wanted to try again or work offline. Neither seemed to interfere with the scan though...

-- Panda Log --

Incident Status Location

Adware:adware/ncase Not disinfected C:\WINDOWS\SYSTEM32\saie_gdf.dat
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\dialers
Adware:adware/ist.istbar Not disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware/wintools Not disinfected Windows Registry
Dialer:dialer.bb Not disinfected HKEY_CLASSES_ROOT\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791}
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@mediaplex[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@tribalfusion[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.ask.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.perf.overture.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.2o7.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.advertising.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.centrport.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.advertising.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.sexlist.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.paycounter.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.zedo.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.hitbox.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[searchportal.information.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.bravenet.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.revenue.net/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.maxserving.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.casalemedia.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/SAHAgent Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[www.shopathomeselect.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.qksrv.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.gamearena.com.au/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.serving-sys.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[.gostats.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Elizabeth Shepherd\Application Data\Mozilla\Firefox\Profiles\default.vvf\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth Shepherd\Application Data\Mozilla\Firefox\Profiles\default.vvf\cookies.txt[687358]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth Shepherd\Application Data\Mozilla\Firefox\Profiles\default.vvf\cookies.txt[]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Pam Shepherd\Application Data\Mozilla\Firefox\Profiles\default.w0f\cookies.txt[]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Memo Each Face\xrdcirpy.exe
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Zach Shepherd\Application Data\Mozilla\Firefox\Profiles\default.ezo\cookies.txt[]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@mediaplex[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Zach Shepherd\Cookies\zach shepherd@tribalfusion[2].txt
Virus:4096 Renamed C:\Documents and Settings\Zach Shepherd\Desktop\not used alot\8-22-05\COMPLETE USB BACKUP\PortableApps\PortableSunbird\sunbird\chrome\calendar.jar[selectAddressesDialog.js]
Virus:4096 Renamed C:\Documents and Settings\Zach Shepherd\Desktop\USB BACKUP\PortableApps\PortableSunbird\sunbird\chrome\calendar.jar[selectAddressesDialog.js]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe[bsdhooks.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe[web.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe[bpk.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe[rinst.exe]
Possible Virus. Not disinfected C:\I386\AolCoach.cab[ACHtmfu.dll]
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc13\plugin\viewchmhlp\hh.exe
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc13\plugin\winaudit\WinAudit.exe
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc19.exe[hh.exe]
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc19.exe[WinAudit.exe]
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc9\viewchmhlp\hh.exe
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc9\winaudit\WinAudit.exe
Spyware:Cookie/2o7.net Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1008\Dc2.txt
Spyware:Cookie/Adserver Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1008\Dc22.txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1008\Dc5.txt
Spyware:Cookie/Lop Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1008\Dc7.txt
Spyware:Cookie/FastClick Not disinfected C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1008\Dc8.txt
Possible Virus. Not disinfected C:\Sierra\Counter-Strike\cstrike\OGC_Re_2.5.rar[0gc_re.exe]
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\AolCoach.cab[ACHtmfu.dll]
Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\MAC T 0.0.6.6\~0000001.~
Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Language\~0000001.~
Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\MAC T 6.6.b.c\~0000001.~
Virus:W32/Netsky.Z.worm Disinfected Local Folders\Deleted Items\failure notice\~0000000.~[Informations.txt .exe]
Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Japanese lass' sexy pictures\~0000001.~
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected Local Folders\Sent Items\inst_Ally Alert 30.exe[bsdhooks.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected Local Folders\Sent Items\inst_Ally Alert 30.exe[web.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected Local Folders\Sent Items\inst_Ally Alert 30.exe[bpk.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected Local Folders\Sent Items\inst_Ally Alert 30.exe[rinst.exe]

---------------

--- Findlop ---

Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Administrator\Application Data

05/20/2005 08:09 PM <DIR> Gtek
10/25/2002 09:11 AM <DIR> Identities
11/13/2005 07:13 PM <DIR> Memo Each Face
04/10/2005 02:15 PM <DIR> Mozilla
10/25/2002 09:55 AM <DIR> Symantec
0 File(s) 0 bytes
5 Dir(s) 27,465,646,080 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\All Users\Application Data

10/23/2004 09:37 PM <DIR> Adobe
01/02/2006 11:47 AM <DIR> Avg7
10/25/2002 09:43 AM <DIR> BVRP Software
10/25/2002 09:41 AM <DIR> Dell
08/25/2003 02:21 PM 13 DirectCDUserNameE.txt
02/07/2004 11:47 AM <DIR> Kazaa Lite
11/13/2005 07:14 PM <DIR> LICENSE WIN AXIS ONE
03/31/2003 09:10 PM <DIR> Macromedia
07/30/2003 05:09 PM <DIR> MSN Messenger 6.0.0602
11/02/2002 03:50 PM <DIR> MSN6
11/22/2004 04:49 PM <DIR> nView_Profiles
04/25/2003 07:26 PM <DIR> QuickTime
10/25/2002 09:39 AM <DIR> SBSI
01/02/2006 02:28 PM <DIR> Spybot - Search & Destroy
02/22/2005 10:57 AM <DIR> Symantec
11/17/2005 06:15 PM <DIR> Viewpoint
1 File(s) 13 bytes
15 Dir(s) 27,465,641,984 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Elizabeth Shepherd\Application Data

03/01/2003 07:37 AM <DIR> Adobe
10/02/2004 09:15 AM <DIR> Aim
05/21/2005 07:51 AM <DIR> Gtek
12/15/2002 05:45 PM <DIR> Help
11/11/2003 03:17 PM <DIR> ICQ
10/25/2002 09:11 AM <DIR> Identities
11/16/2004 12:57 PM <DIR> Lavasoft
08/24/2005 06:48 PM <DIR> Macromedia
11/13/2005 07:15 PM <DIR> Memo Each Face
08/24/2004 09:05 PM <DIR> Mozilla
08/04/2003 08:25 AM <DIR> Real
11/13/2005 07:13 PM <DIR> Stop meta
10/09/2005 10:23 AM <DIR> Sun
02/14/2005 04:47 PM <DIR> Symantec
08/24/2004 09:05 PM <DIR> Talkback
0 File(s) 0 bytes
15 Dir(s) 27,465,641,984 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Guest\Application Data

05/20/2005 08:09 PM <DIR> Gtek
10/25/2002 09:11 AM <DIR> Identities
11/13/2005 07:13 PM <DIR> Memo Each Face
10/26/2003 12:30 PM <DIR> Real
10/25/2002 09:55 AM <DIR> Symantec
0 File(s) 0 bytes
5 Dir(s) 27,465,641,984 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Pam Shepherd\Application Data

10/28/2005 07:57 PM <DIR> Adobe
11/26/2005 04:16 PM <DIR> AdobeUM
10/05/2004 07:49 PM <DIR> Aim
11/06/2002 06:51 PM 0 dm.ini
01/01/2003 01:50 PM <DIR> eGames
09/08/2005 09:06 PM 101,048 GDIPFONTCACHEV1.DAT
11/02/2002 01:21 PM <DIR> Help
11/11/2003 06:21 PM <DIR> ICQ
11/12/2002 04:39 PM <DIR> Identities
11/06/2002 06:52 PM <DIR> InterTrust
11/19/2004 08:17 PM <DIR> Lavasoft
02/17/2004 07:49 PM <DIR> Macromedia
10/28/2005 05:45 PM <DIR> Memo Each Face
08/25/2004 07:37 AM <DIR> Mozilla
08/04/2005 07:01 PM 27,217 Personal Address Book.ADR
08/01/2003 08:19 PM <DIR> Real
11/22/2005 03:06 PM <DIR> Sun
02/14/2005 07:33 PM <DIR> Symantec
08/25/2004 07:37 AM <DIR> Talkback
01/04/2006 07:05 PM <DIR> WeatherBug
3 File(s) 128,265 bytes
17 Dir(s) 27,465,637,888 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Zach Shepherd\Application Data

09/18/2005 11:25 AM <DIR> .BitTornado
12/07/2004 09:35 AM <DIR> Adobe
09/04/2005 08:32 PM <DIR> AdobeUM
10/02/2004 08:25 AM <DIR> Aim
04/01/2003 04:48 PM <DIR> Alien Skin
10/23/2004 09:35 PM 0 dm.ini
09/19/2005 06:54 AM 101,048 GDIPFONTCACHEV1.DAT
11/06/2002 04:06 PM <DIR> Help
11/11/2003 09:51 AM <DIR> ICQ
01/08/2003 08:29 PM <DIR> Identities
03/14/2004 02:54 PM <DIR> Kontiki
01/02/2006 11:57 AM <DIR> Lavasoft
04/01/2003 04:04 PM <DIR> Macromedia
01/02/2006 06:26 PM <DIR> Memo Each Face
08/24/2004 08:58 PM <DIR> Mozilla
05/28/2004 10:42 AM <DIR> MSN6
10/24/2004 01:13 PM <DIR> pdf995
05/30/2004 03:53 PM <DIR> Real
01/02/2006 06:26 PM <DIR> Stop meta
09/19/2005 08:53 AM <DIR> Sun
09/20/2005 06:37 PM 83 sversion.ini
02/22/2005 10:36 AM <DIR> Symantec
08/24/2004 08:58 PM <DIR> Talkback
09/25/2005 01:33 PM <DIR> teamspeak2
10/12/2004 05:04 PM <DIR> Ventrilo
06/08/2004 07:23 PM <DIR> Xfire
3 File(s) 101,131 bytes
23 Dir(s) 27,465,637,888 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Default User\Application Data

10/25/2002 09:57 AM <DIR> .
10/25/2002 09:57 AM <DIR> ..
08/31/2001 08:53 AM 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 27,465,637,888 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A0A9CD9D91A67E41.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/14/2004 22:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/27/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'A247B21990102599.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/23/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'A327A5AF90005FEB.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/18/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'A6B728339198A08B.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/20/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'A8938F6D91E803AD.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/15/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'A93CFA75916F7919.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/14/2004 22:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/07/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'AB5B0A71912C808D.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/23/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'AC5C03A29357BD96.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\zachsh~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/03/2005 17:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/01/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Ad-Aware SE Personal.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe'
Parameters: ''
WorkingDirectory: 'C:\PROGRA~1\Lavasoft\AD-AWA~1'
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/19/2005 18:00:00
NextRun: 01/09/2006 18:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 1
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 11/09/2004
EndDate: 00/00/0000
StartTime: 18:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'AD2A1D12918592DA.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/10/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'AF47999291980B32.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/24/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'AFFCA9F091875B0C.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\elizab~1\applic~1\memoea~1\AtomPop2.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Elizabeth Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/10/2005 16:00:00
NextRun: 01/05/2006 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/09/2000
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'dfrg.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\defrag.exe'
Parameters: 'c:'
WorkingDirectory: 'C:\WINDOWS\System32'
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/19/2005 20:00:00
NextRun: 01/09/2006 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 11/09/2004
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Norton AntiVirus - Scan my computer - Zach Shepherd.job
'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe'
Parameters: '/task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/09/2005 20:00:00
NextRun: 01/06/2006 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 02/22/2005
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec Drmc.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe'
Parameters: ' /CUSTOM /SCHEDULE'
WorkingDirectory: ''
Comment: ''
Creator: 'Pam Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 30
IdleDeadline: 0
MostRecentRun: 09/04/2005 0:00:02
NextRun: 01/06/2006 0:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/14/2005
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/05/2006 8:40:00
NextRun: 01/05/2006 8:45:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 01/05/2006
EndDate: 00/00/0000
StartTime: 08:15
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

---------------

----- HJT -----

anLogfile of HijackThis v1.99.1
Scan saved at 8:45:57 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unlea...edLotTeleX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

---------------

Ried · 01-05-2006, 07:28 AM

Hi,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this.

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe . Do not run it yet.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

---------------------------

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKEY_CLASSES_ROOT\TypeLib\ {CED445E2-8C78-4F40-87D7-F7FB6F1B6791}

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

---------------------------

Click on the Start button & select Run
Type in tasks & click Ok
In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks'

Delete the following Tasks:

A0A9CD9D91A67E41.job
A247B21990102599.job
A327A5AF90005FEB.job
A6B728339198A08B.job
A8938F6D91E803AD.job
A93CFA75916F7919.job
AB5B0A71912C808D.job
AC5C03A29357BD96.job
AD2A1D12918592DA.job
AF47999291980B32.job
AFFCA9F091875B0C.job

---------------------------

Instructions for using LSPFix

Double click on LSPFix.exe to run it.
Once running, you will be required to tick the disclaimer - "I know what I'm doing".
You'll find a window with 2 panes,if there is any thing in the remove pane please put it back into the keep pane.
Now highlight any instances of 'xfire_lsp_10650.dll'
Then click on the arrow pointing to the right, >>.
This will move the entry to the right pane labeled Remove
Click the Finish button to complete the fix.

---------------------------

Still from Normal Mode:

Run a scan in HijackThis. 'Check' each of the following if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe

Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Files and Folders if they still exist.

C:\WINDOWS\SYSTEM32\ saie_gdf.dat
C:\PROGRAM FILES\ dialers
C:\PROGRAM FILES\COMMON FILES\ Totem Shared
C:\Documents and Settings\Administrator\Application Data\ Memo Each Face
C:\Documents and Settings\Elizabeth Shepherd\Application Data\ Stop meta
C:\Documents and Settings\Elizabeth Shepherd\Application Data\ Memo Each Face
C:\Documents and Settings\Pam Shepherd\Application Data\ Memo Each Face
C:\Documents and Settings\Zach Shepherd\Application Data\ Memo Each Face
C:\Documents and Settings\Zach Shepherd\Application Data\ Stop meta

---------------------------

Clear your Mozilla cookies:

Open Mozilla>Tools>Options>Privacy
Click on Cookies
Click the Clear button.
Click OK

Reboot your system and run an online scan at Kaspersky:

Perform an online scan using Internet Explorer with Kaspersky WebScanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
*Once the files have been downloaded click on NEXT
Now click on Scan Settings
*In the scan settings make that the following are selected:
*Scan using the following Anti-Virus database:
*Standard
*Scan Options:
*Scan Archives
*Scan Mail Bases
*Click OK
Now under select a target to scan:
*Select My Computer
This will program will start and scan your system.
*The scan will take a while so be patient and let it run.
*Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button:
*Save the file to your desktop.
Copy and paste that information in your next post along with a new HijackThis log.

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and past the List from the notebook here.

Ei8htBall1989 · 01-05-2006, 01:52 PM

I successfully disabled TeaTimer.

There was no problem deleting the folder in the registry.

There was no problem deleting the tasks.

LSPFix worked fine.

HJT found all 4 keys, and successfully fixed them.

I found C:\WINDOWS\SYSTEM32\saie_gdf.dat and deleted that (there was also a saie_kyf.dat (8,607k), but I left that alone)
I found and deleted the [empty] C:\PROGRAM FILES\dialers folder.
I found and deleted the C:\PROGRAM FILES\COMMON FILES\Totem Shared folder.
I found and deleted the [empty] C:\Documents and Settings\Administrator\Application Data\Memo Each Face folder.
I found and deleted the [empty] C:\Documents and Settings\Elizabeth Shepherd\Application Data\Stop meta folder.
I found and deleted the [empty] C:\Documents and Settings\Elizabeth Shepherd\Application Data\Memo Each Face folder.
I found and deleted the [empty] C:\Documents and Settings\Pam Shepherd\Application Data\Memo Each Face folder.
I found and deleted the [empty] C:\Documents and Settings\Zach Shepherd\Application Data\Stop meta folder.
I found and deleted the C:\Documents and Settings\Zach Shepherd\Application Data\Memo Each Face folder.

--Zach

-- Kaspersky --

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, January 05, 2006 16:44:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/01/2006
Kaspersky Anti-Virus database records: 159033
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 170883
Number of viruses found: 12
Number of infected objects: 74
Number of suspicious objects: 0
Duration of the scan process: 8248 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Zach Shepherd\Desktop\not used alot\Adobe_PageMaker_v7.0_Keygen_by_Noutek_Systems\KeyGen.exe Infected: Backdoor.Win32.Rbot.amm
C:\Documents and Settings\Zach Shepherd\Desktop\not used alot\Adobe_PageMaker_v7.0_Keygen_by_Noutek_Systems.zip/KeyGen.exe Infected: Backdoor.Win32.Rbot.amm
C:\Documents and Settings\Zach Shepherd\Desktop\not used alot\Adobe_PageMaker_v7.0_Keygen_by_Noutek_Systems.zip Infected: Backdoor.Win32.Rbot.amm
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:09:00 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:09:00 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:34:42 -0700]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:34:42 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Service <service@paypal.com>][Date Wed, 03 Aug 2005 00:44:17 +0300]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Service <service@paypal.com>][Date Wed, 03 Aug 2005 00:44:17 +0300]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From Bernardo Reyna <breyna_ed@estee-lauder.co.uk>][Date Thu, 04 Aug 2005 15:15:06 +0000]/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Fri, 05 Aug 2005 19:58:37 +0300]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Fri, 05 Aug 2005 19:58:37 +0300]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <aeijp@verizon.net>][Date Fri, 05 Aug 2005 21:49:16 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <aeijp@verizon.net>][Date Fri, 05 Aug 2005 21:49:16 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Sat, 06 Aug 2005 16:19:55 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal Security Department <service@paypal.com>][Date Sat, 06 Aug 2005 16:19:55 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.ez
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/bsdhooks.dll Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/web.dll Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/bpk.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/rinst.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe/bsdhooks.dll Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe/web.dll Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe/bpk.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe/rinst.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\Program Files\Diablo II\Incoming files\master.zip/MU.DLL Infected: Backdoor.Win32.Rbot.amm
C:\Program Files\Diablo II\Incoming files\master.zip/D2master.exe Infected: Backdoor.Win32.Rbot.amm
C:\Program Files\Diablo II\Incoming files\master.zip Infected: Backdoor.Win32.Rbot.amm
C:\Program Files\Diablo II\master\D2master.exe Infected: Backdoor.Win32.Rbot.amm
C:\Program Files\Diablo II\master\MU.DLL Infected: Backdoor.Win32.Rbot.amm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E0E30B0.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E115AAD.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E3C7C7E.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E3F267A.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E5D205A.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED916D4.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F89370F.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F8C610C.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10D864FA.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\14A7128C.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1BC86488.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1CCE1700.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1DFA7D64.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F85CF7.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\47126AAF.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F4715C Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F81B58.com Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A2A14B2.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6DC13AF6.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75BA50B1.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP124\A0017863.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP124\A0017864.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP124\A0017865.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019972.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019975.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019985.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019986.exe Infected: Trojan-Downloader.Win32.Swizzor.co

Scan process completed.

---------------
----- HJT -----

Logfile of HijackThis v1.99.1
Scan saved at 4:48:58 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

---------------
-- Uninstall --

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe InDesign CS Time Limited Trial
Adobe PageMaker 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Adobe Reader for Pocket PC 2.0
AIM+ (remove only)
All Mobile Casino (remove only)
AltoMP3 Maker 3.20
American Greetings CreataCard Select 6
AOL Instant Messenger
AutoREALM Version 1.20a
Battle.net Buddy Monitor
BF Mines (remove only)
BitTornado 0.3.7
BitTorrent 3.3
Bounce!
CAD 3D
Carmen Sandiego Math Detective
CC_ccProxyExt
CC2-Pro
CC2-Pro Demo
ccCommon
ccPxyCore
CD to MP3 Maker 1.21
Cheating-Death 4.17.1
Classic PhoneTools
CleanUp!
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
D&D Character Generator Demo
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Dell Support 5.0.0 (766)
Dell TM WLAN Card
Digital Line Detect
Easy CD Creator 5 Basic
Elastic Software Favorite Card Games 2
FastCAD
FastCAD Demo
Faster Tools
Half-Life
Half-Life: Blue Shift
Half-Life: Counter-Strike
Half-Life: Opposing Force
HijackThis 1.99.1
HLSW v1.0.0.44
Hoyle Board Games 5
Hoyle Card Games 4
Hoyle Word Games 3
IconPackager
ICQ
Inside the SAT '97 Edition
Intel RSX 3D
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
InterActual Player
IomegaWare for Windows NT
J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment Standard Edition v1.3.1_01
Kaspersky On-line Scanner
K-Lite Codec Pack 2.34 Full
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Media Library Management Wizard
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft ActiveSync 3.7
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office 97, Professional Edition
Microsoft Outlook 2002
Microsoft Picture It! Photo 2002
Microsoft Streets and Trips 2002
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft® Measurement Smart Tag Converter
Modem Helper
Monopoly
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (1.0.7)
MS F1 the Office Assistant (Remove only)
MSN Messenger 6.0
MSRedist
MSRedist
MUSICMATCH Jukebox
MUSTEK 1200 CU v2.0a
Network Play System (Patching)
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Password Manager
Norton Password Manager (Symantec Corporation)
Norton WMI Update
Norton WMI Update
Norton WMI Update
NPM_DRM_COLLECTION
NVIDIA Display Driver
NVIDIA Drivers
Paint Shop Pro 7
Panda ActiveScan
Patiences
Personal License Update Wizard for Windows Media Player
Plus! MP3 Audio Converter LE
PowerDVD
Project: Guilty Mission 1 v1.1
QuickTime
Radio@Netscape
RealPlayer
Roll
Salt Lake 2002
Scrabble
Secure Delivery
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Shockwave
Sid Meier's SimGolf
SideWinder Game Pad Pro
Sierra Utilities
Solitaire Master 3
Sound Blaster Live! Value
SPBBC
Spybot - Search & Destroy 1.4
Starcraft
StarCraft X-tra Editor Version 2.5
StarDraft Setup
Steam
SureThing CD Labeler - First Edition
Sven Co-op 3.0
Symantec Script Blocking Installer
SymNet
TeamSpeak 2 RC2
The Game Of Life
The Sims 2
The Sims Unleashed
Theme Generator
Theme Manager
ThemeManager
thirdedition
TI Connect(TM) 1.3
TI-Black Link
TI-Graph Link 83 Plus
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Ventrilo
Video Professor
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Vorwerk&Stengel RealCalculator 1.3.1 Freeware
WeatherBug
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinStyles
Xfire (remove only)

---------------

Ried · 01-06-2006, 09:15 AM

Hello,

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Viewpoint Manager
Viewpoint Media Player

Delete the following if they still exist:

C:\Program Files\Viewpoint Manager
C:\Program Files\Viewpoint Media Player
C:\Program Files\Diablo II\Incoming files\master.zip/MU.DLL
C:\Program Files\Diablo II\master
C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe <--delete every instance if you find more than one. If this is the only entry in the editors folder, you can just delete that folder.

C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx <--Delete the contents

C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx <--Delete the contents

Reboot your system. How is the system behaving now?

Ei8htBall1989 · 01-06-2006, 12:53 PM

Found everything and deleted it without any problems...

The computer seems to be working much better...
It hasn't been getting much use over the past few days, but when I restarted it, I tried updating Norton, and it worked without any problems (I haven't tried in a week or so, but it seems like a good sign)...

Zach

Ried · 01-06-2006, 02:20 PM

That's good to hear.

Please continue with these important final instructions:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Ei8htBall1989 · 01-07-2006, 07:30 PM

When I turned my computer on, norton tried to update and gave me an entirely new error message; live update couldn't connect and download the updates...

The strange thing about this is that no one has used the computer since I was able to do it successfully and since I got this error message... I'm no expert (or even close), but could it be reinstalling itself at startup?

Should I just ignore Norton, or is it a warning sign?

Thanks for all of your help,
Zach

Ried · 01-07-2006, 10:28 PM

Hi Zach,

Let's take another look and see if anything's going on.

Run another online scan at either Panda or Kaspersky and post the results here.

Go to the fl.zip you downloaded earlier. Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply along with a new HijackThis log.

Ei8htBall1989 · 01-09-2006, 03:09 PM

Norton poped up because of an "outbreak alert"... It tried (no choice on my part) to run live update and gave the same error (I included it below, not sure if it's any help though)

-- NortonLog --

The following Symantec products and components are installed on your computer.
> Ad Blocking Content Updates
> Ad Blocking Program Updates
> AntiSpam Core Components
> IDS Program Updates
> LiveUpdate
> Norton AntiSpam Definitions Updates
> Norton AntiVirus
> Norton AntiVirus Virus Definitions
> Norton Internet Security Resource Updates
> Norton Internet Security URL updates
> Norton Internet Security program updates
> Norton Internet Security security updates
> Norton Password Manager
> Norton WMI Update
> ScriptBlocking
> Subscription Services
> Symantec Common Driver: SymEvent
> Symantec Intrusion Detection Signatures
> Symantec Redirector
> Symantec Security Response Submission Software Updates
> Symantec Security Software Update
> Symantec Shared Components
> Symantec Trusted Application List

Initializing...
Connecting to liveupdate.symantecliveupdate.com...
Connecting to liveupdate.symantec.com...
Connecting to update.symantec.com...
Unable to connect to host
LU1814: LiveUpdate could not retrieve the catalog file of available Symantec product and component updates. Please verify that you are able to connect to the Internet and run LiveUpdate again.
LiveUpdate session is complete.

---------------

-- Kaspersky --
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 09, 2006 17:59:34
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/01/2006
Kaspersky Anti-Virus database records: 159805
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 170827
Number of viruses found: 11
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 8066 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.dh
C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.dh
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E0E30B0.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E115AAD.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E3C7C7E.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E3F267A.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E5D205A.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED916D4.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F89370F.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F8C610C.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10D864FA.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\14A7128C.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1BC86488.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1CCE1700.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1DFA7D64.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F85CF7.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\47126AAF.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F4715C Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F81B58.com Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A2A14B2.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6DC13AF6.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75BA50B1.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/bsdhooks.dll Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/web.dll Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/bpk.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally/rinst.exe Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED/inst_Ally Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx/[From "Zach Shepherd" <zsheph65@twcny.rr.com>][Date Sun, 9 Feb 2003 12:13:36 -0500]/UNNAMED Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc51.dbx Infected: Trojan-Spy.Win32.Perfloger.w
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:09:00 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:09:00 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:34:42 -0700]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Tue, 02 Aug 2005 05:34:42 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Service <service@paypal.com>][Date Wed, 03 Aug 2005 00:44:17 +0300]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Service <service@paypal.com>][Date Wed, 03 Aug 2005 00:44:17 +0300]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From Bernardo Reyna <breyna_ed@estee-lauder.co.uk>][Date Thu, 04 Aug 2005 15:15:06 +0000]/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Fri, 05 Aug 2005 19:58:37 +0300]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Fri, 05 Aug 2005 19:58:37 +0300]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <aeijp@verizon.net>][Date Fri, 05 Aug 2005 21:49:16 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <aeijp@verizon.net>][Date Fri, 05 Aug 2005 21:49:16 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Sat, 06 Aug 2005 16:19:55 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx/[From PayPal Security Department <service@paypal.com>][Date Sat, 06 Aug 2005 16:19:55 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ez
C:\RECYCLER\S-1-5-21-891307005-2014835873-67682326-1007\Dc52.dbx Infected: Trojan-Spy.HTML.Paylap.ez
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP124\A0017863.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP124\A0017864.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP124\A0017865.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019972.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019975.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019985.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019986.exe Infected: Trojan-Downloader.Win32.Swizzor.co

Scan process completed.

---------------

--- Find Lop ---
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Administrator\Application Data

05/20/2005 08:09 PM <DIR> Gtek
10/25/2002 09:11 AM <DIR> Identities
04/10/2005 02:15 PM <DIR> Mozilla
10/25/2002 09:55 AM <DIR> Symantec
0 File(s) 0 bytes
4 Dir(s) 27,532,349,440 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\All Users\Application Data

10/23/2004 09:37 PM <DIR> Adobe
01/02/2006 11:47 AM <DIR> Avg7
10/25/2002 09:43 AM <DIR> BVRP Software
10/25/2002 09:41 AM <DIR> Dell
08/25/2003 02:21 PM 13 DirectCDUserNameE.txt
02/07/2004 11:47 AM <DIR> Kazaa Lite
11/13/2005 07:14 PM <DIR> LICENSE WIN AXIS ONE
03/31/2003 09:10 PM <DIR> Macromedia
07/30/2003 05:09 PM <DIR> MSN Messenger 6.0.0602
11/02/2002 03:50 PM <DIR> MSN6
11/22/2004 04:49 PM <DIR> nView_Profiles
04/25/2003 07:26 PM <DIR> QuickTime
10/25/2002 09:39 AM <DIR> SBSI
01/02/2006 02:28 PM <DIR> Spybot - Search & Destroy
02/22/2005 10:57 AM <DIR> Symantec
01/06/2006 03:43 PM <DIR> Viewpoint
1 File(s) 13 bytes
15 Dir(s) 27,532,345,344 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Elizabeth Shepherd\Application Data

03/01/2003 07:37 AM <DIR> Adobe
10/02/2004 09:15 AM <DIR> Aim
05/21/2005 07:51 AM <DIR> Gtek
12/15/2002 05:45 PM <DIR> Help
11/11/2003 03:17 PM <DIR> ICQ
10/25/2002 09:11 AM <DIR> Identities
11/16/2004 12:57 PM <DIR> Lavasoft
08/24/2005 06:48 PM <DIR> Macromedia
08/24/2004 09:05 PM <DIR> Mozilla
08/04/2003 08:25 AM <DIR> Real
10/09/2005 10:23 AM <DIR> Sun
02/14/2005 04:47 PM <DIR> Symantec
08/24/2004 09:05 PM <DIR> Talkback
0 File(s) 0 bytes
13 Dir(s) 27,532,345,344 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Guest\Application Data

05/20/2005 08:09 PM <DIR> Gtek
10/25/2002 09:11 AM <DIR> Identities
11/13/2005 07:13 PM <DIR> Memo Each Face
10/26/2003 12:30 PM <DIR> Real
10/25/2002 09:55 AM <DIR> Symantec
0 File(s) 0 bytes
5 Dir(s) 27,532,345,344 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Pam Shepherd\Application Data

10/28/2005 07:57 PM <DIR> Adobe
11/26/2005 04:16 PM <DIR> AdobeUM
10/05/2004 07:49 PM <DIR> Aim
11/06/2002 06:51 PM 0 dm.ini
01/01/2003 01:50 PM <DIR> eGames
09/08/2005 09:06 PM 101,048 GDIPFONTCACHEV1.DAT
11/02/2002 01:21 PM <DIR> Help
11/11/2003 06:21 PM <DIR> ICQ
11/12/2002 04:39 PM <DIR> Identities
11/06/2002 06:52 PM <DIR> InterTrust
11/19/2004 08:17 PM <DIR> Lavasoft
02/17/2004 07:49 PM <DIR> Macromedia
08/25/2004 07:37 AM <DIR> Mozilla
08/04/2005 07:01 PM 27,217 Personal Address Book.ADR
08/01/2003 08:19 PM <DIR> Real
11/22/2005 03:06 PM <DIR> Sun
02/14/2005 07:33 PM <DIR> Symantec
08/25/2004 07:37 AM <DIR> Talkback
01/04/2006 07:05 PM <DIR> WeatherBug
3 File(s) 128,265 bytes
16 Dir(s) 27,532,345,344 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Zach Shepherd\Application Data

09/18/2005 11:25 AM <DIR> .BitTornado
12/07/2004 09:35 AM <DIR> Adobe
09/04/2005 08:32 PM <DIR> AdobeUM
10/02/2004 08:25 AM <DIR> Aim
04/01/2003 04:48 PM <DIR> Alien Skin
10/23/2004 09:35 PM 0 dm.ini
09/19/2005 06:54 AM 101,048 GDIPFONTCACHEV1.DAT
11/06/2002 04:06 PM <DIR> Help
11/11/2003 09:51 AM <DIR> ICQ
01/08/2003 08:29 PM <DIR> Identities
03/14/2004 02:54 PM <DIR> Kontiki
01/02/2006 11:57 AM <DIR> Lavasoft
04/01/2003 04:04 PM <DIR> Macromedia
08/24/2004 08:58 PM <DIR> Mozilla
05/28/2004 10:42 AM <DIR> MSN6
10/24/2004 01:13 PM <DIR> pdf995
05/30/2004 03:53 PM <DIR> Real
09/19/2005 08:53 AM <DIR> Sun
09/20/2005 06:37 PM 83 sversion.ini
02/22/2005 10:36 AM <DIR> Symantec
08/24/2004 08:58 PM <DIR> Talkback
09/25/2005 01:33 PM <DIR> teamspeak2
10/12/2004 05:04 PM <DIR> Ventrilo
06/08/2004 07:23 PM <DIR> Xfire
3 File(s) 101,131 bytes
21 Dir(s) 27,532,341,248 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Default User\Application Data

10/25/2002 09:57 AM <DIR> .
10/25/2002 09:57 AM <DIR> ..
08/31/2001 08:53 AM 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 27,532,341,248 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Ad-Aware SE Personal.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe'
Parameters: ''
WorkingDirectory: 'C:\PROGRA~1\Lavasoft\AD-AWA~1'
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/09/2006 18:00:00
NextRun: 01/16/2006 18:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 1
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 11/09/2004
EndDate: 00/00/0000
StartTime: 18:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'dfrg.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\defrag.exe'
Parameters: 'c:'
WorkingDirectory: 'C:\WINDOWS\System32'
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/19/2005 20:00:00
NextRun: 01/09/2006 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 11/09/2004
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Norton AntiVirus - Scan my computer - Zach Shepherd.job
'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe'
Parameters: '/task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/09/2005 20:00:00
NextRun: 01/13/2006 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 02/22/2005
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec Drmc.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe'
Parameters: ' /CUSTOM /SCHEDULE'
WorkingDirectory: ''
Comment: ''
Creator: 'Pam Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 30
IdleDeadline: 0
MostRecentRun: 09/04/2005 0:00:02
NextRun: 01/10/2006 0:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/14/2005
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/09/2006 18:01:00
NextRun: 01/09/2006 18:06:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 01/09/2006
EndDate: 00/00/0000
StartTime: 18:06
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

---------------

----- HJT -----
Logfile of HijackThis v1.99.1
Scan saved at 6:04:09 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unlea...edLotTeleX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

---------------

Ei8htBall1989 · 01-12-2006, 03:33 PM

Bump?

Ried · 01-12-2006, 09:53 PM

Thank you for your patience.

Go into Outlook Express again and delete this e-mail:

C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600]

Now navigate to your Deleted Items.dbxfolder in Outlook Express and empty the contents.

----------------------

Delete the following folders:

C:\Documents and Settings\Guest\Application Data\Memo Each Face

**Only delete these 2 folders if you uninstalled these programs already through the Add/Remove:
C:\Documents and Settings\Pam Shepherd\Application Data\WeatherBug
C:\Documents and Settings\All Users\Application Data\Viewpoint

---------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

--------------------
Download rootkitrevealer

Unzip the files. Double click on RootkitRevealer.exe then click Scan.
Save the results and post them here please.

Ei8htBall1989 · 01-16-2006, 01:00 PM

I went through and deleted the email messages and folder and ran CleanUp (is over 700MB normal to accumulate in just a few days???)

Zach

-- RootKitReveal --
C:\$AttrDef 10/25/2002 9:31 AM 2.50 KB Hidden from Windows API.
C:\$BadClus 10/25/2002 9:31 AM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 10/25/2002 9:31 AM 74.47 GB Hidden from Windows API.
C:\$Bitmap 10/25/2002 9:31 AM 2.33 MB Hidden from Windows API.
C:\$Boot 10/25/2002 9:31 AM 8.00 KB Hidden from Windows API.
C:\$Extend 10/25/2002 9:31 AM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 10/25/2002 9:32 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 10/25/2002 9:32 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 10/25/2002 9:32 AM 0 bytes Hidden from Windows API.
C:\$Extend\$UsnJrnl 10/25/2002 9:42 AM 0 bytes Hidden from Windows API.
C:\$Extend\$UsnJrnl:$Max 10/25/2002 9:42 AM 32 bytes Hidden from Windows API.
C:\$LogFile 10/25/2002 9:31 AM 64.00 MB Hidden from Windows API.
C:\$MFT 10/25/2002 9:31 AM 213.08 MB Hidden from Windows API.
C:\$MFTMirr 10/25/2002 9:31 AM 4.00 KB Hidden from Windows API.
C:\$Secure 10/25/2002 9:31 AM 0 bytes Hidden from Windows API.
C:\$UpCase 10/25/2002 9:31 AM 128.00 KB Hidden from Windows API.
C:\$Volume 10/25/2002 9:31 AM 0 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\LOGON.SCR-24ADF392.pf 1/16/2006 3:51 PM 16.47 KB Visible in directory index, but not Windows API or MFT.

Ried · 01-17-2006, 04:38 AM

Please run findlop again and another online scan at Kaspersky. Post those results here once again along with a new HijackThis log.

Ei8htBall1989 · 01-17-2006, 06:09 PM

Here ya go:
Zach

--- FindLop ---
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Administrator\Application Data

05/20/2005 08:09 PM <DIR> Gtek
10/25/2002 09:11 AM <DIR> Identities
04/10/2005 02:15 PM <DIR> Mozilla
10/25/2002 09:55 AM <DIR> Symantec
0 File(s) 0 bytes
4 Dir(s) 28,254,138,368 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\All Users\Application Data

10/23/2004 09:37 PM <DIR> Adobe
01/02/2006 11:47 AM <DIR> Avg7
10/25/2002 09:43 AM <DIR> BVRP Software
10/25/2002 09:41 AM <DIR> Dell
08/25/2003 02:21 PM 13 DirectCDUserNameE.txt
02/07/2004 11:47 AM <DIR> Kazaa Lite
11/13/2005 07:14 PM <DIR> LICENSE WIN AXIS ONE
03/31/2003 09:10 PM <DIR> Macromedia
07/30/2003 05:09 PM <DIR> MSN Messenger 6.0.0602
11/02/2002 03:50 PM <DIR> MSN6
11/22/2004 04:49 PM <DIR> nView_Profiles
04/25/2003 07:26 PM <DIR> QuickTime
10/25/2002 09:39 AM <DIR> SBSI
01/02/2006 02:28 PM <DIR> Spybot - Search & Destroy
02/22/2005 10:57 AM <DIR> Symantec
1 File(s) 13 bytes
14 Dir(s) 28,254,134,272 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Elizabeth Shepherd\Application Data

03/01/2003 07:37 AM <DIR> Adobe
10/02/2004 09:15 AM <DIR> Aim
05/21/2005 07:51 AM <DIR> Gtek
12/15/2002 05:45 PM <DIR> Help
11/11/2003 03:17 PM <DIR> ICQ
10/25/2002 09:11 AM <DIR> Identities
11/16/2004 12:57 PM <DIR> Lavasoft
08/24/2005 06:48 PM <DIR> Macromedia
08/24/2004 09:05 PM <DIR> Mozilla
08/04/2003 08:25 AM <DIR> Real
10/09/2005 10:23 AM <DIR> Sun
02/14/2005 04:47 PM <DIR> Symantec
08/24/2004 09:05 PM <DIR> Talkback
0 File(s) 0 bytes
13 Dir(s) 28,254,134,272 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Guest\Application Data

05/20/2005 08:09 PM <DIR> Gtek
10/25/2002 09:11 AM <DIR> Identities
10/26/2003 12:30 PM <DIR> Real
10/25/2002 09:55 AM <DIR> Symantec
0 File(s) 0 bytes
4 Dir(s) 28,254,134,272 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Pam Shepherd\Application Data

10/28/2005 07:57 PM <DIR> Adobe
11/26/2005 04:16 PM <DIR> AdobeUM
10/05/2004 07:49 PM <DIR> Aim
11/06/2002 06:51 PM 0 dm.ini
01/01/2003 01:50 PM <DIR> eGames
09/08/2005 09:06 PM 101,048 GDIPFONTCACHEV1.DAT
11/02/2002 01:21 PM <DIR> Help
11/11/2003 06:21 PM <DIR> ICQ
11/12/2002 04:39 PM <DIR> Identities
11/06/2002 06:52 PM <DIR> InterTrust
11/19/2004 08:17 PM <DIR> Lavasoft
02/17/2004 07:49 PM <DIR> Macromedia
08/25/2004 07:37 AM <DIR> Mozilla
08/04/2005 07:01 PM 27,217 Personal Address Book.ADR
08/01/2003 08:19 PM <DIR> Real
11/22/2005 03:06 PM <DIR> Sun
02/14/2005 07:33 PM <DIR> Symantec
08/25/2004 07:37 AM <DIR> Talkback
3 File(s) 128,265 bytes
15 Dir(s) 28,254,134,272 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Zach Shepherd\Application Data

09/18/2005 11:25 AM <DIR> .BitTornado
01/10/2006 03:03 PM <DIR> Adobe
09/04/2005 08:32 PM <DIR> AdobeUM
01/10/2006 03:04 PM <DIR> Aim
04/01/2003 04:48 PM <DIR> Alien Skin
10/23/2004 09:35 PM 0 dm.ini
09/19/2005 06:54 AM 101,048 GDIPFONTCACHEV1.DAT
11/06/2002 04:06 PM <DIR> Help
11/11/2003 09:51 AM <DIR> ICQ
01/08/2003 08:29 PM <DIR> Identities
03/14/2004 02:54 PM <DIR> Kontiki
01/02/2006 11:57 AM <DIR> Lavasoft
04/01/2003 04:04 PM <DIR> Macromedia
08/24/2004 08:58 PM <DIR> Mozilla
05/28/2004 10:42 AM <DIR> MSN6
10/24/2004 01:13 PM <DIR> pdf995
05/30/2004 03:53 PM <DIR> Real
09/19/2005 08:53 AM <DIR> Sun
09/20/2005 06:37 PM 83 sversion.ini
02/22/2005 10:36 AM <DIR> Symantec
08/24/2004 08:58 PM <DIR> Talkback
09/25/2005 01:33 PM <DIR> teamspeak2
10/12/2004 05:04 PM <DIR> Ventrilo
06/08/2004 07:23 PM <DIR> Xfire
3 File(s) 101,131 bytes
21 Dir(s) 28,254,130,176 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\Default User\Application Data

10/25/2002 09:57 AM <DIR> .
10/25/2002 09:57 AM <DIR> ..
08/31/2001 08:53 AM 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 28,254,130,176 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 1C41-BC23

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Ad-Aware SE Personal.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe'
Parameters: ''
WorkingDirectory: 'C:\PROGRA~1\Lavasoft\AD-AWA~1'
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/16/2006 18:00:00
NextRun: 01/23/2006 18:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 1
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 11/09/2004
EndDate: 00/00/0000
StartTime: 18:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'dfrg.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\defrag.exe'
Parameters: 'c:'
WorkingDirectory: 'C:\WINDOWS\System32'
Comment: ''
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/16/2006 20:00:00
NextRun: 01/23/2006 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 11/09/2004
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Norton AntiVirus - Scan my computer - Zach Shepherd.job
'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe'
Parameters: '/task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/09/2005 20:00:00
NextRun: 01/20/2006 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 02/22/2005
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec Drmc.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe'
Parameters: ' /CUSTOM /SCHEDULE'
WorkingDirectory: ''
Comment: ''
Creator: 'Pam Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 30
IdleDeadline: 0
MostRecentRun: 09/04/2005 0:00:02
NextRun: 01/18/2006 0:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/14/2005
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Zach Shepherd'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/17/2006 18:42:00
NextRun: 01/17/2006 22:42:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 01/17/2006
EndDate: 00/00/0000
StartTime: 22:42
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
---------------

----- Kaz -----
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 20:51:21
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 161185
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 154840
Number of viruses found: 8
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 6223 sec

Infected Object Name - Virus Name
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E0E30B0.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E115AAD.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E3C7C7E.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E3F267A.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E5D205A.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED916D4.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F89370F.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F8C610C.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10D864FA.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\14A7128C.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1BC86488.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1CCE1700.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1DFA7D64.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F85CF7.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4244448E.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\47126AAF.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A8F65C0.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F4715C Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F81B58.com Infected: Backdoor.Win32.SdBot.xd
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A2A14B2.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6DC13AF6.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75BA50B1.exe Infected: Trojan-Downloader.Win32.Swizzor.co
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019972.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019975.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019985.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP159\A0019986.exe Infected: Trojan-Downloader.Win32.Swizzor.co

Scan process completed.
---------------

----- HJT -----
Logfile of HijackThis v1.99.1
Scan saved at 9:04:15 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unlea...edLotTeleX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe
---------------

Ried · 01-18-2006, 04:44 AM

These logs are clean. Are you still getting alerts from Norton? Will LiveUpdate connect now?

Ei8htBall1989 · 01-23-2006, 02:54 PM

Sorry it took me so long to get back to you, I've been traveling

Norton still wont update... I'm getting the same error;
"LU1814: LiveUpdate could not retrieve the catalog file of available Symantec product and component updates. Please verify that you are able to connect to the Internet and run LiveUpdate again.
LiveUpdate session is complete"

I really don't use this computer much, but aparently an hourglass appears at random times for a few seconds and then goes away... and I've also been told that sometimes Norton disapears, and when it is turned back on, a bit later it disapears again...

I'm really quite confused... everything should be working, but it isn't...

Ried · 01-23-2006, 04:15 PM

Hi Zach,

I'm beginning to suspect Norton is corrupted somehow and we may need to uninstall and reinstall it again. Before we do that, let's do one more check:

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.

Ei8htBall1989 · 01-27-2006, 12:40 PM

Sorry once again for the wait, but for the next few weeks (and the last few) I'll be traveling on and off...

Zach

----- WinPFind -----
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 11/7/2004 12:57:18 PM 10167426 C:\WINDOWS\LPT$VPN.238
PECompact2 11/7/2004 12:57:18 PM 10167426 C:\WINDOWS\VPTNFILE.238
UPX! 11/7/2004 12:57:20 PM 1036800 C:\WINDOWS\vsapi32.dll
aspack 11/7/2004 12:57:20 PM 1036800 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
UPX! 11/17/2003 10:49:16 AM 154624 C:\WINDOWS\SYSTEM32\fmod.dll
UPX! 5/15/2004 4:10:42 PM 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 6/19/2004 6:28:44 PM 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
PECompact2 1/4/2006 10:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 10:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
qoologic 3/13/2005 8:02:28 PM 8881711 C:\WINDOWS\SYSTEM32\pav.sig
aspack 3/13/2005 8:02:28 PM 8881711 C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent 3/13/2005 8:02:28 PM 8881711 C:\WINDOWS\SYSTEM32\pav.sig
winsync 3/13/2005 8:02:28 PM 8881711 C:\WINDOWS\SYSTEM32\pav.sig
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 12/22/2004 7:19:26 PM 8812834 C:\WINDOWS\SYSTEM32\saie_kyf.dat
PTech 12/22/2004 7:19:26 PM 8812834 C:\WINDOWS\SYSTEM32\saie_kyf.dat
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/27/2006 2:47:14 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
1/27/2006 2:40:04 PM H 22728 C:\WINDOWS\SYSTEM32\FFASTLOG.TXT
12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/27/2006 2:47:04 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
1/27/2006 2:47:38 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
1/27/2006 2:47:18 PM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
1/27/2006 2:48:10 PM H 77824 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
1/27/2006 2:47:26 PM H 1134592 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
1/11/2006 9:39:50 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
1/27/2006 2:45:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
8/19/2003 9:20:04 AM 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 3/19/1998 1:00:00 AM 18432 C:\WINDOWS\SYSTEM32\Audiohq.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 11:45:48 AM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Creative Technology Ltd. 8/24/2000 1:56:00 AM 228352 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 8:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
AvantGo, Inc. 2/21/2003 4:58:26 AM 69632 C:\WINDOWS\SYSTEM32\MBLLNK.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/6/2003 2:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 8/8/2001 3:11:00 PM 24668 C:\WINDOWS\SYSTEM32\plugincpl131_01.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel Corporation 8/16/2002 3:52:12 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Apple Computer, Inc. 4/11/2001 11:22:06 AM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
4/4/2003 12:17:46 PM 32768 C:\WINDOWS\SYSTEM32\TIControlPanel.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\DLLCACHE\access.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/31/2001 9:02:02 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
10/25/2002 9:43:18 AM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
11/2/2002 9:46:10 AM 761 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
12/27/2003 2:17:50 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
2/19/2003 5:16:32 PM 780 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Refresh.lnk
2/19/2003 5:16:32 PM 689 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Splash.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/31/2001 8:53:44 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
8/25/2003 2:21:32 PM 13 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
8/31/2001 9:02:02 AM HS 84 C:\Documents and Settings\Zach Shepherd\Start Menu\Programs\Startup\DESKTOP.INI
2/7/2004 3:36:04 PM 857 C:\Documents and Settings\Zach Shepherd\Start Menu\Programs\Startup\Stardock ObjectBar.lnk

Checking files in %USERPROFILE%\Application Data folder...
8/31/2001 8:53:44 AM HS 62 C:\Documents and Settings\Zach Shepherd\Application Data\DESKTOP.INI
10/23/2004 9:35:36 PM 0 C:\Documents and Settings\Zach Shepherd\Application Data\dm.ini
9/19/2005 6:55:00 AM 101048 C:\Documents and Settings\Zach Shepherd\Application Data\GDIPFONTCACHEV1.DAT
9/20/2005 6:37:18 PM 83 C:\Documents and Settings\Zach Shepherd\Application Data\sversion.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
= C:\Program Files\Microsoft Money\System\mnyviewer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
MenuText = Create Mobile Favorite... : C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}
ButtonText = ICQ Pro : C:\PROGRA~1\ICQ\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
{1028F737-81E7-452B-A860-E50CAD90A08C} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AHQInit C:\Program Files\Creative\SBLive\Program\AHQInit.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
AcctMgr C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DesktopX C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
Steam "c:\program files\steam\steam.exe" -silent

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 95

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/27/2006 2:56:47 PM

--------------------

-------- HJT -------

Logfile of HijackThis v1.99.1
Scan saved at 3:36:15 PM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\program files\steam\steam.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unlea...edLotTeleX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

01-03-2006, 02:06 PM	#1 (permalink)
Ei8htBall1989 Registered User Join Date: Jan 2006 Posts: 15 OS: Windows XP Professional	Viruses and multiple pieces of Adware/Spyware... Well, I'm trying to fix the family computer. It has been acting funny for awhile, but I haven't had the time to work on it until recently. It's bad. Really bad. Up until now, my parents have insisted on using Norton, because "it's from a reputable company" (meaning they can go into a store and buy a box)... I don't use the computer much, but started to get suspicious that there was a problem when my Mother kept complaining that "Norton wouldn't update", I wasn't exactly sure what she meant, but when I tried it myself, it just didn't update... I got a variety of error messages (practically a different one each time), so I gave up and went to my two favorite programs, AVG and Avast! [although I'm always looking for suggestions] which proceded to find several instances of "lop" among other viruses, trojans, and worms (I can't remember anything more specific than lop, sorry), I proceded to let the programs decide the best course of action for cleaning, and all seemed well. I then ran my 2 favorite Anti-Ad/spyware programs; Spybot S+D and Ad-aware... they turned up hundreds (when added together it may have broken 1000) of files, again, I went ahead and deleted all of them (I did check to make sure there wasn't anything I recognized as being important)... Everything went well for a few days, until it happened again; Norton couldn't update... I scanned again, found "lop" again, along with a pleathora (sp?) of viruses/torjans/worms and ad/spyware... I followed the same steps again (I knew deep down that it wasn't going to work, but I did it anyway), and the same result... lop was back, along with it's buddies (I keep bringing up lop, because it's the only one that was consistantly detected on almost every scan...) Now it was time to ask for help... I had a few of my friends refer me to their favorite online scanning tools, and ran those (the list was very simmilar to the one in "First Steps at Removing the Malware and Posting your Log")... I ran them, got rid of anthing detected, but something wasn't right... One of my friends then recommended this site. I visited (found the previously mentioned "First Steps at Removing the Malware and Posting your Log" and followed the instrutions) then downloaded HJT, and ran it (the log is below). That's about everything (I tried to keep it reasonably short without leaving anything out, but I'm not sure if I succedded)... Thanks, Zach (I hope that made sense. If you need me to clarify anything, just ask) -------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 4:54:15 PM, on 1/3/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Norton Password Manager\AcctMgr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Symantec\LiveUpdate\AUpdate.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {08857C95-5210-DD69-CAA5-543F490B51D0} - C:\PROGRA~1\STOPME~1\logo trans.exe (file missing) O2 - BHO: (no name) - {53468933-CFCE-D931-9C9C-4FD98DDEC91C} - C:\DOCUME~1\ELIZAB~1\APPLIC~1\STOPME~1\logo trans.exe (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe" O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe O4 - HKCU\..\Run: [DesktopX] C:\Program Files\Object Desktop\WinStyles\DesktopX.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\splash.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL IM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://goinnow.com/tl7000.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unlea...edLotTeleX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe -------------------------------------------------- Last edited by Ei8htBall1989; 01-03-2006 at 02:20 PM. Reason: Typo

01-04-2006, 01:49 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hello Ei8htBall1989 and welcome to TSF, Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet. Download fl.zip. Extract the contents to a new folder on Desktop. Do not run it yet. --------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. --------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: STOPME~1 AdwareFilterToolBar Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {08857C95-5210-DD69-CAA5-543F490B51D0} - C:\PROGRA~1\STOPME~1\logo trans.exe (file missing) O2 - BHO: (no name) - {53468933-CFCE-D931-9C9C-4FD98DDEC91C} - C:\DOCUME~1\ELIZAB~1\APPLIC~1\STOPME~1\logo trans.exe (file missing) O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll O4 - HKLM\..\Run: [BPK] C:\WINDOWS\System32\bpk.exe this is a key logger program--only fix if you did not install yourself. See this site: http://www.auditmypc.com/process/bpk.asp O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://goinnow.com/tl7000.dll O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab Click 'Fix Checked' and close HijackThis. --------------------------- Delete the following Folders if they still exist. C:\PROGRA~1\ STOPME~1 C:\Program Files\ AdwareFilterToolBar C:\DOCUME~1\ZACHSH~1\APPLIC~1\ MEMOEA~1 --------------------------- Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! Reboot into Normal Mode. Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply along with a new HijackThis log. Go to the fl.zip you downloaded earlier. Within the folder, locate & double-click fl.bat. It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-05-2006, 07:28 AM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi, Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe . Do not run it yet. S& D Spybot's Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. --------------------------- Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED HKEY_CLASSES_ROOT\TypeLib\ {CED445E2-8C78-4F40-87D7-F7FB6F1B6791} If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. --------------------------- Click on the Start button & select Run Type in tasks & click Ok In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks' Delete the following Tasks: A0A9CD9D91A67E41.job A247B21990102599.job A327A5AF90005FEB.job A6B728339198A08B.job A8938F6D91E803AD.job A93CFA75916F7919.job AB5B0A71912C808D.job AC5C03A29357BD96.job AD2A1D12918592DA.job AF47999291980B32.job AFFCA9F091875B0C.job --------------------------- Instructions for using LSPFix Double click on LSPFix.exe to run it. Once running, you will be required to tick the disclaimer - "I know what I'm doing". You'll find a window with 2 panes,if there is any thing in the remove pane please put it back into the keep pane. Now highlight any instances of 'xfire_lsp_10650.dll' Then click on the arrow pointing to the right, >>. This will move the entry to the right pane labeled Remove Click the Finish button to complete the fix. --------------------------- Still from Normal Mode: Run a scan in HijackThis. 'Check' each of the following if they still exist: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html R3 - Default URLSearchHook is missing O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe Click 'Fix Checked' and close HijackThis. --------------------------- Delete the following Files and Folders if they still exist. C:\WINDOWS\SYSTEM32\ saie_gdf.dat C:\PROGRAM FILES\ dialers C:\PROGRAM FILES\COMMON FILES\ Totem Shared C:\Documents and Settings\Administrator\Application Data\ Memo Each Face C:\Documents and Settings\Elizabeth Shepherd\Application Data\ Stop meta C:\Documents and Settings\Elizabeth Shepherd\Application Data\ Memo Each Face C:\Documents and Settings\Pam Shepherd\Application Data\ Memo Each Face C:\Documents and Settings\Zach Shepherd\Application Data\ Memo Each Face C:\Documents and Settings\Zach Shepherd\Application Data\ Stop meta --------------------------- Clear your Mozilla cookies: Open Mozilla>Tools>Options>Privacy Click on Cookies Click the Clear button. Click OK Reboot your system and run an online scan at Kaspersky: Perform an online scan using Internet Explorer with Kaspersky WebScanner You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT* Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: *Standard *Scan Options: *Scan Archives *Scan Mail Bases *Click OK Now under select a target to scan: Select My Computer* This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post along with a new HijackThis log. Open HijackThis* Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Please copy and past the List from the notebook here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 01-05-2006 at 07:35 AM.

01-06-2006, 09:15 AM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hello, Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) Viewpoint Manager Viewpoint Media Player Delete the following if they still exist: C:\Program Files\Viewpoint Manager C:\Program Files\Viewpoint Media Player C:\Program Files\Diablo II\Incoming files\master.zip/MU.DLL C:\Program Files\Diablo II\master C:\Documents and Settings\Zach Shepherd\My Documents\SC stuff\editors\inst_Ally Alert 30.exe <--delete every instance if you find more than one. If this is the only entry in the editors folder, you can just delete that folder. C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Deleted Items.dbx <--Delete the contents C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Sent Items.dbx <--Delete the contents Reboot your system. How is the system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-06-2006, 02:20 PM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	That's good to hear. Please continue with these important final instructions: Reset hidden/system files and folders Windows XP =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Enable Windows Auto Update Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under *Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls More information and downloads are available at the following links: Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-06-2006, 12:53 PM	#7 (permalink)
Ei8htBall1989 Registered User Join Date: Jan 2006 Posts: 15 OS: Windows XP Professional	Found everything and deleted it without any problems... The computer seems to be working much better... It hasn't been getting much use over the past few days, but when I restarted it, I tried updating Norton, and it worked without any problems (I haven't tried in a week or so, but it seems like a good sign)... Zach

01-07-2006, 07:30 PM	#9 (permalink)
Ei8htBall1989 Registered User Join Date: Jan 2006 Posts: 15 OS: Windows XP Professional	well... maybe I celebrated too soon... or maybe Norton is just crap... When I turned my computer on, norton tried to update and gave me an entirely new error message; live update couldn't connect and download the updates... The strange thing about this is that no one has used the computer since I was able to do it successfully and since I got this error message... I'm no expert (or even close), but could it be reinstalling itself at startup? Should I just ignore Norton, or is it a warning sign? Thanks for all of your help, Zach

01-07-2006, 10:28 PM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi Zach, Let's take another look and see if anything's going on. Run another online scan at either Panda or Kaspersky and post the results here. Go to the fl.zip you downloaded earlier. Within the folder, locate & double-click fl.bat. It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-12-2006, 03:33 PM	#12 (permalink)
Ei8htBall1989 Registered User Join Date: Jan 2006 Posts: 15 OS: Windows XP Professional	Bump?

01-12-2006, 09:53 PM	#13 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Thank you for your patience. Go into Outlook Express again and delete this e-mail: C:\Documents and Settings\Zach Shepherd\Local Settings\Application Data\Identities\{3203D4E4-3933-4654-8ACC-63655A457D5D}\Microsoft\Outlook Express\Inbox.dbx/From PayPal <service@paypal.com>][Date Fri, 12 Aug 2005 07:31:18 -0600] Now navigate to your Deleted Items.dbxfolder in Outlook Express and empty the contents. ---------------------- Delete the following folders: C:\Documents and Settings\Guest\Application Data\Memo Each Face Only delete these 2 folders if you uninstalled these programs already through the Add/Remove: C:\Documents and Settings\Pam Shepherd\Application Data\WeatherBug C:\Documents and Settings\All Users\Application Data\Viewpoint --------------------- Open Cleanup*! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! -------------------- Download rootkitrevealer Unzip the files. Double click on RootkitRevealer.exe then click Scan. Save the results and post them here please. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-17-2006, 04:38 AM	#15 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Please run findlop again and another online scan at Kaspersky. Post those results here once again along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-18-2006, 04:44 AM	#17 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	These logs are clean. Are you still getting alerts from Norton? Will LiveUpdate connect now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-23-2006, 02:54 PM	#18 (permalink)
Ei8htBall1989 Registered User Join Date: Jan 2006 Posts: 15 OS: Windows XP Professional	Sorry it took me so long to get back to you, I've been traveling Norton still wont update... I'm getting the same error; "LU1814: LiveUpdate could not retrieve the catalog file of available Symantec product and component updates. Please verify that you are able to connect to the Internet and run LiveUpdate again. LiveUpdate session is complete" I really don't use this computer much, but aparently an hourglass appears at random times for a few seconds and then goes away... and I've also been told that sometimes Norton disapears, and when it is turned back on, a bit later it disapears again... I'm really quite confused... everything should be working, but it isn't...

01-23-2006, 04:15 PM	#19 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi Zach, I'm beginning to suspect Norton is corrupted somehow and we may need to uninstall and reinstall it again. Before we do that, let's do one more check: Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here. Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."