Problems - igfxtray.exe, ipwins



Moose13
2007-01-30, 04:05
I'm having trouble removing some malware/viruses?

I'm new to this and have been reading posts about HJT and I'm kinda lost.
Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:04:52 PM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfa.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Cuau] "C:\PROGRA~1\FNTS~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Fgngxkhh] C:\Program Files\Common Files\??sks\w?aclt.exe
O4 - HKCU\..\Run: [iwwf] C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exe
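A small triage script, added here as an example (it is not part of the thread and not HijackThis's own code), that applies the kind of checks a helper makes when reading the O4/O9/O23 lines in the log above: a Windows tool name running from outside the Windows directory, a path containing characters HijackThis could not display (shown as '?'), an orphaned "(file missing)" button, and a service with no recorded vendor. The sample lines are copied from the logs posted in this thread; SYSTEM_ROOT and the tool-name list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: entries copied from the HijackThis logs posted in this
# thread. It stands in for a full log file read from disk.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Cuau] "C:\PROGRA~1\FNTS~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Fgngxkhh] C:\Program Files\Common Files\??sks\w?aclt.exe
O4 - HKCU\..\Run: [iwwf] C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"""

# Assumption: names of Windows binaries that are often borrowed by malware.
# A file with one of these names running from outside the Windows directory
# deserves a close look (the real msconfig.exe lives under C:\WINDOWS).
SYSTEM_TOOL_NAMES = {
    "msconfig.exe", "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "csrss.exe", "smss.exe",
}
SYSTEM_ROOT = "C:\\WINDOWS\\"  # assumption: default Windows XP install root

# O4 Run-key entries look like: O4 - HKCU\..\Run: [Name] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    line: str
    severity: str  # "high" = likely malicious, "verify" = needs a manual check
    reason: str


def extract_exe(cmd: str) -> str:
    """Return the executable path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted paths may contain spaces: collect tokens up to the first *.exe.
    parts = []
    for tok in cmd.split(" "):
        parts.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(parts)


def check_o4(line: str) -> list:
    """Checks on autostart (O4) entries."""
    m = O4_RE.match(line)
    if not m:
        return []
    exe = extract_exe(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()
    findings = []
    if "?" in exe:
        # HijackThis prints '?' for characters it cannot display; folder
        # names built that way are a common way to hide from manual review.
        findings.append(Finding(line, "high",
                                "path contains characters HijackThis could not display ('?')"))
    if base in SYSTEM_TOOL_NAMES and not exe.upper().startswith(SYSTEM_ROOT.upper()):
        findings.append(Finding(line, "high",
                                f"{base} is a Windows binary name but runs from outside {SYSTEM_ROOT}"))
    return findings


def check_other(line: str) -> list:
    """Lower-confidence checks on O9 buttons and O23 services."""
    if line.startswith("O9 ") and line.endswith("(file missing)"):
        return [Finding(line, "verify", "orphaned entry: target file no longer exists")]
    if line.startswith("O23 ") and " - Unknown owner - " in line:
        return [Finding(line, "verify", "service binary has no recorded vendor; confirm its origin")]
    return []


def triage(log_text: str) -> list:
    """Run every check over each non-empty log line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings.extend(check_o4(line))
        findings.extend(check_other(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample above it reports the Cuau and Fgngxkhh entries as high and the PartyPoker button and RichVideo service as verify; the remaining entries pass.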

Angelfire777
2007-01-30, 14:47
Hi, welcome to Safer Networking Forums!

*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamite). Then, drag and drop that file to the new folder you created.
___________________________________

*First install MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm); please read more there about what we are doing.

*Download and unzip hosts.zip from HERE (http://www.mvps.org/winhelp2002/hosts.zip) to a folder (hosts).

*Open up the hosts folder and double-click on the mvps.bat file, it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine.

*Look in your control panels add/remove programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

The following is optional:

Party Poker
Sites like this tend to bring along malware with them. If you do not play, I recommend that you uninstall this program.

*Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)

*Reboot and delete the following folder if you uninstalled Party Poker.

C:\Program Files\PartyPoker.net

Empty your Recycle bin.

_____________________________

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Moose13
2007-02-07, 20:45
OK, so here are my logs:
"Owner" - 07-02-07 13:34:08 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Owner
C:\qoobox\purity\DOCUME~1\Owner\Application Data
C:\qoobox\purity\DOCUME~1\Owner\Application Data\FNTS~1
C:\qoobox\purity\DOCUME~1\Owner\Application Data\from.txt
C:\qoobox\purity\Program Files\FNTS~1
C:\qoobox\purity\Program Files\WNSXS~1
C:\qoobox\purity\Program Files\Common Files\MCROSO~1
C:\qoobox\purity\Program Files\Common Files\SKS~1
C:\qoobox\purity\Program Files\Common Files\SKS~1\w?aclt.exe
C:\qoobox\purity\Program Files\FNTS~1\FNTS~1
C:\qoobox\purity\Program Files\FNTS~1\msconfig.exe
C:\qoobox\purity\WINDOWS\RACLE~1
C:\qoobox\purity\WINDOWS\SYSTEM32\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


2007-02-02 00:05 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-29 23:43 <DIR> d-------- C:\l2mfix
2007-01-29 22:20 38,912 --a------ C:\WINDOWS\SYSTEM32\picn20.dll
2007-01-29 22:20 290,816 --a------ C:\WINDOWS\Nero PhotoShow.scr
2007-01-29 22:20 106,496 --a------ C:\WINDOWS\SYSTEM32\TwnLib20.dll
2007-01-29 22:20 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Simple Star
2007-01-29 22:16 <DIR> d-------- C:\Program Files\Common Files\Simple Star Shared
2007-01-29 22:15 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Nero
2007-01-29 21:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\CyberLink
2007-01-29 21:57 24,064 --------- C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-01-29 21:20 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-01-29 21:17 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Ahead
2007-01-29 21:12 <DIR> d-------- C:\Program Files\Nero
2007-01-29 21:12 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-01-29 21:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Nero
2007-01-23 01:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-23 01:06 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-01-23 01:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-01-23 01:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-01-23 01:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Windows Genuine Advantage
2007-01-23 00:48 <DIR> d-------- C:\Program Files\Microsoft Digital Image 2006
2007-01-22 23:57 <DIR> d-------- C:\SDFix
2007-01-22 23:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Spybot - Search & Destroy
2007-01-22 22:44 <DIR> d-------- C:\Program Files\DVD Shrink
2007-01-22 22:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\DVD Shrink
2007-01-22 22:12 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-01-22 21:54 <DIR> d-------- C:\Program Files\QuickPar
2007-01-19 17:11 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Canon
2007-01-19 17:11 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\ArcSoft
2007-01-19 17:09 15,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2007-01-19 16:59 <DIR> d-------- C:\Program Files\ScanSoft
2007-01-19 16:57 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-01-19 16:57 <DIR> d-------- C:\Program Files\ArcSoft
2007-01-19 16:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe
2007-01-19 16:56 <DIR> d-------- C:\WINDOWS\Profiles
2007-01-19 16:56 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\InterTrust
2007-01-19 16:51 57,344 --a------ C:\WINDOWS\SYSTEM32\CNQU111.DLL
2007-01-19 16:51 274,432 --a------ C:\WINDOWS\SYSTEM32\CNQL1212.dll
2007-01-19 16:51 <DIR> d--h----- C:\CanoScan
2007-01-14 11:59 2,114 --a------ C:\71096069.exe
2007-01-14 02:34 2,114 --a------ C:\87514799.exe
2007-01-14 02:34 2,114 --a------ C:\66177103.exe
2007-01-11 00:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\SiteAdvisor
2007-01-11 00:35 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\Application Data\SiteAdvisor
2007-01-10 23:54 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-01-10 23:54 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\SiteAdvisor
2007-01-10 23:53 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-01-10 23:53 35,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-01-10 23:53 34,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-01-10 23:53 31,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-01-10 23:53 168,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-01-10 23:53 100,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-01-10 23:52 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-01-10 07:57 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\CyberLink
2007-01-09 13:08 <DIR> d--hs---- C:\WINDOWS\U3R1cGlk
2007-01-08 00:18 <DIR> d-------- C:\WINDOWS\iwwf
2007-01-08 00:18 <DIR> d-------- C:\Program Files\Common Files\iwwf
2007-01-07 22:43 2,116 --a------ C:\66352276.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-07 02:54 -------- d---s---- C:\DOCUME~1\Owner\Application Data\microsoft
2007-01-30 16:39 186 --a------ C:\DOCUME~1\Owner\Application Data\movie_maker.txt
2007-01-29 22:20 67 --a------ C:\DOCUME~1\Owner\Application Data\setup.txt
2007-01-29 21:56 -------- d--h----- C:\Program Files\installshield installation information
2007-01-29 21:56 -------- d-------- C:\Program Files\cyberlink
2007-01-29 20:12 -------- d-------- C:\Program Files\viewpoint
2007-01-25 01:55 -------- d-------- C:\DOCUME~1\Owner\Application Data\adobe
2007-01-22 11:29 -------- d-------- C:\DOCUME~1\Owner\Application Data\viewpoint
2007-01-19 17:02 -------- d-------- C:\Program Files\canon
2007-01-19 16:56 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-11 00:28 -------- d-------- C:\Program Files\mcafee
2007-01-06 00:19 682 --a------ C:\DOCUME~1\Owner\Application Data\adobedlm.log
2007-01-06 00:19 6 --a------ C:\DOCUME~1\Owner\Application Data\dm.ini
2007-01-02 18:57 -------- d-------- C:\Program Files\xvid
2007-01-02 03:07 -------- d-------- C:\Program Files\mcafee.com
2006-12-30 07:43 -------- d-------- C:\Program Files\bfg
2006-12-29 16:51 -------- d-------- C:\DOCUME~1\Owner\Application Data\scamblocker
2006-12-29 16:49 -------- d-------- C:\Program Files\Common Files\earthlink
2006-12-27 06:48 -------- d-------- C:\DOCUME~1\Owner\Application Data\mcafee
2006-12-16 15:25 -------- d-------- C:\DOCUME~1\Owner\Application Data\mcafee.com personal firewall
2006-12-14 22:02 -------- d-------- C:\Program Files\quicktime
2006-12-14 22:02 -------- d-------- C:\Program Files\itunes
2006-12-14 22:02 -------- d-------- C:\Program Files\earthlink totalaccess
2006-12-14 22:00 69632 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2006-12-14 22:00 69632 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2006-12-14 19:47 -------- d-------- C:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpySweeper"=""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
"Cuau"="\"C:\\PROGRA~1\\FNTS~1\\msconfig.exe\" -vt yazr"
"iwwf"="C:\\PROGRA~1\\COMMON~1\\iwwf\\iwwfm.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"Nero PhotoShow Media Manager"="C:\\PROGRA~1\\Nero\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"IPInSightMonitor 01"="\"C:\\Program Files\\EarthLink TotalAccess\\FastLane2\\IPMon32.exe\""
"IPInSightLAN 01"="\"C:\\Program Files\\EarthLink TotalAccess\\FastLane2\\IPClient.exe\" -l"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6021\\SiteAdv.exe"
"OPSE reminder"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\Ereg.exe\" -r \"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\ereg.ini\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"NWEReboot"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 07-02-07 13:37:31
C:\ComboFix2.txt ... 07-01-29 20:30
C:\ComboFix3.txt ... 07-01-29 20:20

Moose13
2007-02-07, 20:46
HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:39:33 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfa.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - Default URLSearchHook is missing
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Cuau] "C:\PROGRA~1\FNTS~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [iwwf] C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe

Angelfire777
2007-02-08, 13:15
Hi, welcome back :)

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

iwwf

The following is optional:

Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". In 2006 this may change; read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).

If you decided to remove Viewpoint,

Please download Viewpoint Killer (http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip)

Save it to your Desktop
Create a new folder on your desktop by right clicking on the background > New > Folder > name the folder Viewpoint Killer
Unzip the contents of the zip file to the newly created folder.
Open the Viewpoint Killer folder then run ViewpointKiller, and select File > Do All Killings.
Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.
A logfile will be created in the folder you unzipped ViewpointKiller to, please copy and paste the contents of the logfile here.
______________________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Cuau] "C:\PROGRA~1\FNTS~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [iwwf] C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe


Did you use Spybot to add the following policy? If not, please fix it:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______________________________

*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


*Using Windows Explorer, find and delete these files:

C:\71096069.exe
C:\87514799.exe
C:\66177103.exe
C:\66352276.exe

*Delete the following folders:

C:\WINDOWS\U3R1cGlk
C:\WINDOWS\iwwf
C:\Program Files\Common Files\iwwf
C:\Program Files\FNTS~1 <<Delete the folder whose name starts with FNT

Empty your Recycle bin.

Reboot.
_______________________________

Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) by noahdfear and save it to your desktop:
Please double-click FindAWF.exe to run it.
If a security alert shows, allow the program to run.
When the tool has completed, a report will open in Notepad.
Please post the results of the awf.txt in your next reply.

On your next reply, please include a fresh HijackThis log along with the viewpoint killer log and the FindAWF log.

Moose13
2007-02-09, 04:07
Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\EARTHL~2\BAK

09/01/2005 05:24 PM 942,080 TaskPanl.exe
1 File(s) 942,080 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 12:51 PM 118,784 hkcmd.exe
02/10/2004 12:55 PM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 01:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\EARTHL~2\FASTLA~1\BAK

08/10/2005 09:10 PM 380,928 IPClient.exe
08/10/2005 09:10 PM 122,880 IPMon32.exe
2 File(s) 503,808 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 09:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 06:29 PM 303,104 mcagent.exe
01/11/2006 12:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 12:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/06/2006 11:02 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 12:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

69632 Dec 14 2006 "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"
942080 Sep 1 2005 "C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe"
69632 Dec 14 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
69632 Dec 14 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
69632 Dec 14 2006 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
155648 Feb 10 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
69632 Dec 14 2006 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
69632 Dec 14 2006 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
1404928 Oct 14 2004 "C:\DELL\drivers\R94481\SMAXWDM\W2K_XP\SMax4PNP.exe"
69632 Dec 14 2006 "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe"
380928 Aug 10 2005 "C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPClient.exe"
69632 Dec 14 2006 "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
122880 Aug 10 2005 "C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPMon32.exe"
69632 Dec 14 2006 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
566872 Oct 27 2006 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
390744 Oct 25 2006 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
69632 Dec 14 2006 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\install\tfswctrl.exe"
69632 Dec 14 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jan 6 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
69632 Dec 14 2006 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report

----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT MEDIA PLAYER...
The removal process was started at Thu Feb 08 20:17:17 2007

ViewpointKiller determined that "aim.exe" was not running.
ViewpointKiller determined that "aolsoftware.exe" was not running.
ViewpointKiller determined that "aim6.exe" was not running.
ViewpointKiller determined that "aol.exe" was not running.
ViewpointKiller determined that "MtsAxInstaller.exe" was not running.
ViewpointKiller determined that "ViewpointService.exe" was not running.
Trying againViewpointKiller determined that "ViewpointService.exe" was not running.


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".

ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Media Player" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Media Player".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Experience Technology" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Viewpoint\Viewpoint Experience Technology" folder successfully.
ViewpointKiller determined that the path "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\MetaStream" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\MetaStream".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users.WINDOWS.WINDOWS\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users.WINDOWS.WINDOWS\Application Data\Viewpoint".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Common" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Common".

Finished reporting.
----------------------------------

----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT MEDIA PLAYER...
The removal process was started at Thu Feb 08 20:51:27 2007

ViewpointKiller determined that "aim.exe" was not running.
ViewpointKiller determined that "aolsoftware.exe" was not running.
ViewpointKiller determined that "aim6.exe" was not running.
ViewpointKiller determined that "aol.exe" was not running.
ViewpointKiller determined that "MtsAxInstaller.exe" was not running.
ViewpointKiller determined that "ViewpointService.exe" was not running.
Trying againViewpointKiller determined that "ViewpointService.exe" was not running.


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".

ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Media Player" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Media Player".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Experience Technology" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Experience Technology".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint".
ViewpointKiller determined that the path "C:\Program Files\MetaStream" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\MetaStream".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users.WINDOWS.WINDOWS\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users.WINDOWS.WINDOWS\Application Data\Viewpoint".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Common" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Common".

Finished reporting.
----------------------------------
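
The "Duplicate files of bak directory contents" section of the FindAWF report above lists each live executable next to the copy FindAWF found in a bak\ subfolder of the same directory. In this report every such live file is 69632 bytes and dated Dec 14 2006 while its bak copy is larger and older, with one exception: mcagent.exe, whose live copy is larger and newer than the bak copy. The Python script below is an added example, not part of this thread and not noahdfear's tool: it parses that section (a constructed excerpt in the report's format is embedded) and separates live files that share the uniform replacement size from odd ones out such as mcagent.exe, which are left for manual review rather than flagged automatically.

```python
"""Triage the 'Duplicate files of bak directory contents' section of a FindAWF
report: pair each live executable with its bak\\ copy and flag replacements.

Added example (not the thread's or FindAWF's own code). The report excerpt
below is constructed in the format FindAWF prints: <size> <Mon D YYYY> "<path>".
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the report format (not the full report).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

69632 Dec 14 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
69632 Dec 14 2006 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
566872 Oct 27 2006 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"


end of report
"""

SECTION_HEADER = "Duplicate files of bak directory contents"
ENTRY_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')


def parse_duplicates(report):
    """Return (size, date, PureWindowsPath) for each entry in the duplicates section."""
    entries = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line == SECTION_HEADER:
            in_section = True
            continue
        if in_section and line == "end of report":
            break
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append((int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def pair_live_with_bak(entries):
    """Match each live file with the bak\\ copy sitting in a subfolder of its directory.

    Copies elsewhere on disk (e.g. C:\\DRIVERS\\VIDEO\\HKCMD.EXE) have no bak\\
    sibling and are left out: they are reference copies, not the file that loads.
    """
    bak_copies = {}
    for size, date, path in entries:
        if path.parent.name.lower() == "bak":
            key = (str(path.parent.parent).lower(), path.name.lower())
            bak_copies[key] = (size, date, path)
    pairs = []
    for size, date, path in entries:
        if path.parent.name.lower() == "bak":
            continue
        key = (str(path.parent).lower(), path.name.lower())
        if key in bak_copies:
            bsize, bdate, bpath = bak_copies[key]
            pairs.append({"live": path, "live_size": size, "live_date": date,
                          "bak": bpath, "bak_size": bsize, "bak_date": bdate})
    return pairs


def analyze(report):
    """Return a summary: the dominant stub size and which live files to treat how.

    A live file whose size differs from its bak copy *and* matches the size shared
    by the other differing live files is flagged 'replaced'; a differing file with
    an unusual size (a legitimately updated binary, for instance) goes to 'review'.
    """
    pairs = pair_live_with_bak(parse_duplicates(report))
    differing = [p for p in pairs if p["live_size"] != p["bak_size"]]
    counts = Counter(p["live_size"] for p in differing)
    stub_size = None
    if counts:
        size, n = counts.most_common(1)[0]
        if n >= 2:               # one odd-sized file is not a pattern
            stub_size = size
    summary = {"stub_size": stub_size, "replaced": [], "review": [], "identical": []}
    for p in pairs:
        if p["live_size"] == p["bak_size"]:
            summary["identical"].append(str(p["live"]))
        elif p["live_size"] == stub_size:
            summary["replaced"].append(str(p["live"]))
        else:
            summary["review"].append(str(p["live"]))
    return summary


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT)
    print("uniform stub size:", result["stub_size"])
    for verdict in ("replaced", "review", "identical"):
        for path in result[verdict]:
            print(f"{verdict:9s} {path}")
```

Run it against a saved awf.txt by passing the file's contents to `analyze()` instead of the constructed excerpt. The size-only comparison is deliberately conservative: the dominant size among differing live files is taken as the replacement signature only when at least two files share it, so a single legitimately updated binary (mcagent.exe in this report) is reported for review instead of being treated as replaced.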

Moose13
2007-02-09, 04:08
Logfile of HijackThis v1.99.1
Scan saved at 1:57:04 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfa.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\iwwf\iwwfl.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - Default URLSearchHook is missing
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Cuau] "C:\PROGRA~1\FNTS~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [iwwf] C:\PROGRA~1\COMMON~1\iwwf\iwwfm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe

Angelfire777
2007-02-09, 10:48
Hi,

It seems that the HijackThis log that you posted is not the most recent log. Please scan with HijackThis again and post the most recent log :)

Moose13
2007-02-10, 07:19
Logfile of HijackThis v1.99.1
Scan saved at 12:16:50 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GrabIt\GrabIt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe

Angelfire777
2007-02-10, 11:27
Hi, it seems that you have a new strain of a file infector called Agent.AWF

We need to submit some files to experts for analysis..

Please download Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines:

C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

and paste them into the box in SFP, then click "Continue".
Please email the created .cab file to submit (at) spywarefix.org (I know that SFP says to mail to a spybot.info address, but that won't get to the experts at SpywareInfo).

Remember to replace "(at)" with @

Please post back when you're done and we'll continue :bigthumb:

Angelfire777
2007-02-14, 14:37
Please change the place where you'll send the .cab file..

After the .cab file has been created, please follow these instructions instead of the one above..

Please go here: The Spykiller (http://www.thespykiller.co.uk/forum/index.php?board=1.0) then create a new topic..Name the topic Requested by Angelfire777

Include on the topic this note: New variant of Agent.AWF spotted here: http://forums.spybot.info/showthread.php?t=10902

Please post back when you're done and we'll continue :bigthumb:

tashi
2007-02-20, 02:40
Moose13, how is it going?

Angelfire777
2007-02-24, 11:16
Due to inactivity this thread is now closed:spider:

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

Angelfire777
2007-03-06, 09:54
Reopened

Angelfire777
2007-03-06, 09:56
Hi,

Did you follow the latest instructions? If not, please do it now then post a fresh HijackThis log and a description on how the machine is running.

Moose13
2007-03-06, 21:56
I have followed the latest instructions.
Here is a recent HJT log.
My machine is still not running correctly.

Logfile of HijackThis v1.99.1
Scan saved at 2:09:16 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

Angelfire777
2007-03-07, 14:54
Hi,

1.) Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer, and post a new HijackThis log.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.


2.) Please download ResetProtocolDefaults (http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg) by WinHelp2002 and save it to your desktop:
Locate ResetProtocolDefaults.reg which should be on your desktop.
Right-click and select: Merge.
OK the prompt.

__________________

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
__________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type restore.bat in the File name and save it to your desktop.


if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"

if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"

if exist "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" del /q "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"
copy /y "C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe" "C:\Program Files\EarthLink TotalAccess"

if exist "C:\WINDOWS\SYSTEM32\hkcmd.exe" del /q "C:\WINDOWS\SYSTEM32\hkcmd.exe"
copy /y "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe" "C:\WINDOWS\SYSTEM32"

if exist "C:\WINDOWS\SYSTEM32\igfxtray.exe" del /q "C:\WINDOWS\SYSTEM32\igfxtray.exe"
copy /y "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe" "C:\WINDOWS\SYSTEM32"

if exist "C:\Program Files\Analog Devices\Core\smax4pnp.exe" del /q "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
copy /y "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe" "C:\Program Files\Analog Devices\Core"

if exist "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" del /q "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe"
copy /y "C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPClient.exe" "C:\Program Files\EarthLink TotalAccess\FastLane2"

if exist "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe" del /q "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
copy /y "C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPMon32.exe" "C:\Program Files\EarthLink TotalAccess\FastLane2"

if exist "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" del /q "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
copy /y "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe" "C:\Program Files\Intel\Modem Event Monitor"

if exist "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe" del /q "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
copy /y "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe" "C:\WINDOWS\SYSTEM32\dla"

if exist "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" del /q "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
copy /y "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager"

if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"

Double click restore.bat then please run FindAWF again to make sure nothing is left.
_________________________

Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning; it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.

On your next reply, please post a fresh HijackThis log, AVG Antispyware log, FindAWF log and a description on how your machine is running.
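
Added example (not part of this thread, FindAWF or restore.bat): the restore.bat above works because this infector leaves the original executable in a bak subfolder next to the replaced one, so a defender can pull the O4 Run targets out of a HijackThis log and compare each live file with its bak copy before restoring. The bak-sibling layout is taken from restore.bat; the sample log lines come from this thread, and the files on disk are constructed in a temp directory so the script runs offline.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# HijackThis O4 HKLM/HKCU Run entry; captures the .exe path whether or not it
# is quoted and drops trailing switches such as /r or -winstart.
O4_RUN = re.compile(
    r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] "?([A-Za-z]:\\.+?\.exe)"?', re.I)

# Constructed sample: four O4 lines copied from the log in this thread.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


def parse_o4_paths(hjt_log: str) -> list:
    """Return the executable paths of every O4 HKLM/HKCU Run entry in a log."""
    paths = []
    for line in hjt_log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            paths.append(m.group(1))
    return paths


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_entry(exe: Path) -> str:
    """Classify one autorun target against <dir>/bak/<name>.

    missing        - the autorun target is not on disk
    no_backup      - no bak copy exists, nothing to compare
    backup_matches - live file and bak copy are byte-identical
    backup_differs - live file differs from its bak copy; treat as suspect.
                     The hash only shows the two differ, so submit both for
                     analysis rather than assuming which one is clean.
    """
    backup = exe.parent / "bak" / exe.name
    if not exe.is_file():
        return "missing"
    if not backup.is_file():
        return "no_backup"
    same_size = exe.stat().st_size == backup.stat().st_size
    if same_size and sha256_of(exe) == sha256_of(backup):
        return "backup_matches"
    return "backup_differs"


def restore_from_bak(exe: Path) -> bool:
    """Same step as one if-exist/copy pair in restore.bat: put the bak copy back."""
    backup = exe.parent / "bak" / exe.name
    if not backup.is_file():
        return False
    shutil.copy2(backup, exe)
    return True


def demo() -> dict:
    """Build a constructed sample tree (hypothetical names) and classify it."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    results = {}
    clean = root / "clean" / "app.exe"          # live file == bak copy
    bad = root / "infected" / "tool.exe"        # live file replaced, original in bak
    plain = root / "plain" / "util.exe"         # never touched, no bak folder
    for exe in (clean, bad):
        (exe.parent / "bak").mkdir(parents=True)
    plain.parent.mkdir()
    clean.write_bytes(b"MZ original program")
    (clean.parent / "bak" / clean.name).write_bytes(b"MZ original program")
    bad.write_bytes(b"MZ replaced stub")         # constructed stand-in, not malware
    (bad.parent / "bak" / bad.name).write_bytes(b"MZ original tool")
    plain.write_bytes(b"MZ util")
    results["clean"] = check_entry(clean)
    results["infected"] = check_entry(bad)
    results["plain"] = check_entry(plain)
    results["missing"] = check_entry(root / "gone" / "x.exe")
    restore_from_bak(bad)
    results["after_restore"] = check_entry(bad)
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for path in parse_o4_paths(SAMPLE_HJT):
        print("O4 target:", path)
    for name, status in demo().items():
        print(f"{name}: {status}")
```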

Moose13
2007-03-08, 01:17
Logfile of HijackThis v1.99.1
Scan saved at 6:17:10 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

Moose13
2007-03-08, 04:01
I have finished all you have requested. I attached my HJT log above. Here is the AVG Antispyware log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:18:18 PM 3/7/2007

+ Scan result:

C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\Documents and Settings\Owner\Desktop\OiUninstaller\OiUninstaller.exe -> Adware.PurityScan : Cleaned.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned.
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned.
C:\RECYCLER\S-1-5-18\Dc2\system.dll -> Adware.Softomate : Cleaned.
C:\Downloads\MCFHuntsville-dm[1].exe -> Adware.Trymedia : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\Analog Devices\Core\smax4pnp.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\EarthLink TotalAccess\TaskPanl.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\QuickTime\qttask.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\Program Files\iTunes\iTunesHelper.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\WINDOWS\SYSTEM32\hkcmd.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54].cab/C:\WINDOWS\SYSTEM32\igfxtray.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\Analog Devices\Core\smax4pnp.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\Common Files\Real\Update_OB\realsched.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\Common Files\Sonic\Update Manager\sgtray.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\EarthLink TotalAccess\TaskPanl.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\Intel\Modem Event Monitor\IntelMEM.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\QuickTime\qttask.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\Program Files\iTunes\iTunesHelper.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\WINDOWS\SYSTEM32\dla\tfswctrl.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\WINDOWS\SYSTEM32\hkcmd.exe -> Backdoor.Aebot.r : Cleaned.
C:\Documents and Settings\Owner\Desktop\requested-files[2007-03-06_13_54]\WINDOWS\SYSTEM32\igfxtray.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\Analog Devices\Core\smax4pnp.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe -> Backdoor.Aebot.r : Cleaned.
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015260.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015261.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015262.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015263.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015264.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015265.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015266.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015267.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015268.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015269.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015270.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP127\A0015271.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015572.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015573.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015574.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015575.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015576.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015577.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015578.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015579.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015580.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015581.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015582.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP135\A0015583.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP145\A0016946.rbf -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP145\A0017058.rbf -> Backdoor.Aebot.r : Cleaned.
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe -> Backdoor.Aebot.r : Cleaned.
C:\WINDOWS\SYSTEM32\hkcmd.exe -> Backdoor.Aebot.r : Cleaned.
C:\WINDOWS\SYSTEM32\igfxtray.exe -> Backdoor.Aebot.r : Cleaned.

::Report end

Here is the FindAWF log.

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\EARTHL~2\BAK

09/01/2005 05:24 PM 942,080 TaskPanl.exe
1 File(s) 942,080 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 12:51 PM 118,784 hkcmd.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 01:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\EARTHL~2\FASTLA~1\BAK

08/10/2005 09:10 PM 380,928 IPClient.exe
08/10/2005 09:10 PM 122,880 IPMon32.exe
2 File(s) 503,808 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 09:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 06:29 PM 303,104 mcagent.exe
01/11/2006 12:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 12:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/06/2006 11:02 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 12:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

942080 Sep 1 2005 "C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe"
257088 Mar 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 6 2007 "C:\WINDOWS\Installer\{01B51908-02EF-453B-87A9-815182E8C2F2}\iTunesIco.exe"
116288 Mar 6 2007 "C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 7.1.0.59\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
118784 Feb 10 2004 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
1404928 Oct 14 2004 "C:\DELL\drivers\R94481\SMAXWDM\W2K_XP\SMax4PNP.exe"
380928 Aug 10 2005 "C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPClient.exe"
122880 Aug 10 2005 "C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPMon32.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
566872 Oct 27 2006 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
390744 Jan 5 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\install\tfswctrl.exe"
180269 Jan 6 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"

end of report

The pop-up from my McAfee has not returned, but the system is still running slower than it should. I have also noticed that if I am listening to music and/or opening a program, the music gets distorted.
I noticed a reply on the forum I sent the .cab file to. Is this information for you or me? If it is for me, can you simplify it, because I don't understand what I am supposed to do? Thank you.

Angelfire777
2007-03-09, 14:33
Hi,

I noticed a reply on the forum I sent the .cab file to. Is this information for you or me? If it is for me, can you simplify it, because I don't understand what I am supposed to do? Thank you.

The information there is for you and me, but you do not have to do anything at all :)

*Using Windows Explorer, find and delete these folders:

C:\Program Files\Common Files\Real\WeatherBug
C:\Documents and Settings\Owner\Desktop\OiUninstaller
C:\Program Files\EarthLink TotalAccess\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\EarthLink TotalAccess\FastLane2\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\McAfee.com\Agent\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
_________________________

*Download Gmer (http://www.majorgeeks.com/downloadget.php?id=5198&file=15&evp=3f18075291813a665b2a25536a70b307)
Disconnect from the internet and close running programs.
There is a small chance this application may crash your computer, so save any work you have open.
Double-click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK.
If there is no warning:
Click the "Rootkit" tab and click "Scan".
Once done, click "Copy".
Open Notepad and hit Ctrl+V to paste the log.
Reconnect to the internet and post the log back to this thread, please.


*Run Kaspersky Online Scanner (http://www.kaspersky.com/kos/english/kavwebscan.html)

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

The program will launch and then start to download the latest Definition Files.
Once the Scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the Scan Settings, make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (if available, otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK.
Now under "Select a target to scan", select My Computer.
The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your Desktop.

On your next reply, please post a fresh HijackThis log, GMER log and the Kaspersky scan log.

Moose13
2007-03-10, 09:46
Logfile of HijackThis v1.99.1
Scan saved at 2:43:42 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

Moose13
2007-03-10, 09:52
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-09 15:37:57
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FD0078
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FD0F83
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FD005B
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FD0F9E
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FD0025
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FD0F41
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FD0089
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FD0F15
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FD0F26
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00FD00C9
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00FD0036
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00FD0FDE
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00FD0F5E
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00FD000A
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00FD0FC3
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00FD00A4
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A10040
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A1001B
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A1000A
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A10F83
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\SYSTEM32\services.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\SYSTEM32\services.exe[708] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009E000A
.text C:\WINDOWS\SYSTEM32\services.exe[708] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009B007D
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009B0F88
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009B0FA5
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009B0FB6
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009B0051
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009B00BC
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009B009F
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009B0F23
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009B0F3E
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 009B00D7
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 009B0062
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 009B000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 009B008E
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 009B002C
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 009B001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 009B0F59
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009A0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009A0F7C
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009A0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009A0014
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009A0F8D
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009A0FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009A0FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00980FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[924] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00980014
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CD0F97
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CD0FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CD0082
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CD0FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CD00CE
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CD00B1
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CD0F64
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CD0F75
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00CD0F49
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00CD0065
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00CD0014
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00CD0F86
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00CD0040
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00CD0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00CD00F3
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CC0FB2
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CC0F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CC0FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CC0FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CC002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CC0014
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CC0F8D
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00CA000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 022C0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 022C0F68
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 022C0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 022C0051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 022C0F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 022C0FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 022C0084
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 022C0F3C
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 022C0F10
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 022C0F21
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 022C0EFF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 022C0036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 022C000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 022C0F57
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 022C0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 022C001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 022C009F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01B60036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01B60087
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01B6001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01B6000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01B60076
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01B60065
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01B60FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01B60FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01B30000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 01B30FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 01B40000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 01B40FC8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 01B40FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 01B4001B

Moose13
2007-03-10, 09:52
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BE0078
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BE005D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BE0040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BE0F3A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BE0F4B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BE00CC
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BE0F29
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00BE0F18
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00BE0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00BE0F68
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00BE0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00BE009D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BD0036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BD0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BD000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BB000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1220] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00BB0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007C0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007C0F68
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007C005D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007C004C
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007C0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007C0FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007C0F30
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007C0078
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007C0F15
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007C00B8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 007C00C9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 007C0FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 007C0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 007C0F57
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 007C0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 007C001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 007C009D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00710025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00710F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0071000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00710FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00710065
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00710040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00710FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00710FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 006F0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 006F0FDB
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 006F0011
.text C:\WINDOWS\SYSTEM32\svchost.exe[1256] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 006F002E
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F57
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0F68
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0025
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0067
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A009D
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A008C
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 001A0EE9
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 001A0014
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 001A004C
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 001A0F0E
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290FC3
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290F57
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00290014
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00290F7C
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00290F8D
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[1816] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00290FA8
.text C:\WINDOWS\explorer.exe[1816] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\explorer.exe[1816] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\explorer.exe[1816] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 002B000A
.text C:\WINDOWS\explorer.exe[1816] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 002B0031
.text C:\WINDOWS\explorer.exe[1816] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01380000
.text C:\WINDOWS\explorer.exe[1816] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 01380011
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0076000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007600A7
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00760FB2
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00760096
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00760079
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00760054
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007600DD
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00760F97
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00760F66
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00760109
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 0076011A
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00760FCD
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 0076001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 007600C2
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00760FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00760FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 007600EE
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00750036
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00750FA5
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00750025
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00750FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00750FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00750062
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00750000
.text C:\WINDOWS\SYSTEM32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00750051
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0062
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F77
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0F94
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0FA5
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A002C
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F37
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F48
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00D0
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00AB
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 001A0F1C
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 001A003D
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 001A0000
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 001A0073
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 001A001B
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 001A0FCA
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 001A009A
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290FC0
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290087
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0029001B
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00290FE5
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0029006C
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00290047
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00290000
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0029002C
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002A0FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 002A000A
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 002B0000
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 002B0027
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 002B0FE5
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 002B0FD4

Moose13
2007-03-10, 09:54
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-09 15:37:57
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution 80501E51 7 Bytes JMP BA7895BF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwOpenKey 80573F1D 5 Bytes JMP BA7894EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateKey 80579528 5 Bytes JMP BA7894FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057F5A5 5 Bytes JMP BA789581 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8058049E 5 Bytes JMP BA7895EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 80580916 7 Bytes JMP BA7895D5 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581F7D 7 Bytes JMP BA789595 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 80584921 7 Bytes JMP BA789555 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 8059B19A 7 Bytes JMP BA78953F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 8059C6B6 7 Bytes JMP BA789513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805B4A28 5 Bytes JMP BA7895AB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 80655F85 7 Bytes JMP BA789529 \SystemRoot\system32\drivers\mfehidk.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [BAFF69B4] tfsnifs.sys
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [BAFF69B4] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAFF66B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAFF66B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAFF66B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAFF66B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAFF66B0] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [BAFF684C] tfsnifs.sys

---- EOF - GMER 1.0.12 ----

Moose13
2007-03-10, 09:55
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 10, 2007 2:41:05 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/03/2007
Kaspersky Anti-Virus database records: 279941
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 69290
Number of viruses found: 2
Number of infected objects: 4 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:55:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Nero-7.7.5.1_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Owner\Desktop\Nero-7.7.5.1_eng_update.exe RAR: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9D69E2DD-1C46-409C-AF21-95341DD37605}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9D69E2DD-1C46-409C-AF21-95341DD37605}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007030920070310\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NeroDemo12065\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DB6EB82E-5C1F-4557-8D4C-7E6A3880E955}\RP152\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{72507403-2AE1-4875-B057-79A7833EC918}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_11bKMThh6lzCdm9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Vzj1vxTqVCvPags Object is locked skipped
C:\WINDOWS\Temp\mcmsc_zxWAabnWCiQlKVc Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Angelfire777
2007-03-10, 13:40
Your logs look OK. Does your Earthlink program have an antivirus feature in it?

*Using Windows Explorer, find and delete these files:

C:\Documents and Settings\Owner\Desktop\Nero-7.7.5.1_eng_update.exe
C:\Documents and Settings\Owner\Local Settings\Temp\NeroDemo12065\Toolbar.exe


*Delete this folder:

C:\Program Files\MyWaySA

Reboot and post a fresh HijackThis log.
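
Added example, not part of the thread or of any tool the posters used: a small Python triage helper that reads the two log formats posted above (GMER "user code sections" inline-hook lines and Kaspersky Online Scanner report lines) the way a helper deciding "your logs look ok" reads them. The sample input is constructed: it excerpts a few lines from the logs above and adds one invented MSMSGS.EXE hook line (user32.dll!SetWindowsHookExW, with made-up addresses) so the outlier check has something to flag. The heuristic that a hook set present identically in every listed process points to a system-wide hooking product rather than a targeted injection is an assumption of the example; the parser does not identify which product owns a hook. The Kaspersky part drops "Object is locked skipped" noise, separates Kaspersky's "not-a-virus:" adware/riskware verdicts from real malware verdicts, and collapses an in-archive hit ("archive.exe/member") to the archive that actually exists on disk, which is how the three file paths in the reply above fall out of the report.

```python
import re
from collections import defaultdict

# Constructed sample, excerpted from the GMER user-mode hook lines posted
# above. The last MSMSGS.EXE line is INVENTED for this example (function and
# addresses made up) so one process carries a hook the others do not.
GMER_SAMPLE = r"""
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\explorer.exe[1816] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[1816] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01380000
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002A0FEF
.text C:\Program Files\Messenger\MSMSGS.EXE[3824] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C0000
"""

# Constructed sample, excerpted from the Kaspersky report posted above.
KAV_SAMPLE = r"""
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Nero-7.7.5.1_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Owner\Desktop\Nero-7.7.5.1_eng_update.exe RAR: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NeroDemo12065\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
"""

# GMER line: <section> <process path>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(
    r"^\S+\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>\w+): infected - (?P<count>\d+) skipped$")


def parse_gmer_hooks(text):
    """Map (process path, pid) -> set of 'module!function' inline hooks."""
    hooks = defaultdict(set)
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks[(m["proc"], int(m["pid"]))].add(f"{m['mod']}!{m['func']}")
    return dict(hooks)


def hook_outliers(hooks):
    """Return (hooks common to every process, {process: hooks only it has}).

    Heuristic (an assumption of this example): the same hook set in every
    process is the footprint of a system-wide hooking product; a hook that
    only one process carries is what deserves a closer look. Nothing here
    identifies which module installed a hook."""
    if not hooks:
        return set(), {}
    common = set.intersection(*hooks.values())
    extras = {proc: hs - common for proc, hs in hooks.items() if hs - common}
    return common, extras


def parse_kaspersky(text):
    """Return detections from a Kaspersky Online Scanner report.

    'Object is locked skipped' lines are in-use files the scanner could not
    open, not detections, and are dropped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("Object is locked skipped"):
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append({"path": m["path"], "verdict": m["verdict"],
                             # Kaspersky's 'not-a-virus:' prefix marks adware/riskware.
                             "pup": m["verdict"].startswith("not-a-virus:"),
                             "container": None})
            continue
        m = ARCHIVE_RE.match(line)
        if m:  # archive-level summary line for members already reported
            findings.append({"path": m["path"], "verdict": None, "pup": None,
                             "container": m["fmt"], "count": int(m["count"])})
    return findings


def on_disk_targets(findings):
    """Collapse detections to files that exist on disk: Kaspersky writes an
    in-archive hit as 'archive/member' ('/' is never a Windows path separator),
    so the archive itself is the thing to remove."""
    return {f["path"].split("/", 1)[0] for f in findings}


if __name__ == "__main__":
    common, extras = hook_outliers(parse_gmer_hooks(GMER_SAMPLE))
    print("hooks in every process:", sorted(common))
    for proc, hs in extras.items():
        print("only in", proc, "->", sorted(hs))
    for path in sorted(on_disk_targets(parse_kaspersky(KAV_SAMPLE))):
        print("review/remove:", path)
```

Run against the full logs above, the same two regexes apply unchanged; the useful output is the "only in" list (empty for a uniform hook set) and the on-disk target list, which is what the cleanup instructions in the reply consist of.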

Moose13
2007-03-10, 22:25
Logfile of HijackThis v1.99.1
Scan saved at 3:22:56 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Documents and Settings\Owner\Desktop\HJT\hjths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

Angelfire777
2007-03-11, 02:03
You didn't answer my question.


Your logs look OK. Does your Earthlink program have an antivirus feature in it?

Moose13
2007-03-11, 09:06
Sorry about that. Yes it has a spam and virus blocker. I have the spam blocker set as medium and the virus blocker enabled.

Thanks again for all your help.

Angelfire777
2007-03-11, 09:51
Hi,

You already have the McAfee Internet Suite, so you do not need Earthlink anymore. McAfee itself is kind of a "bloated" internet security suite; nevertheless, it's not as "bloated" and as bad as Earthlink. I recommend that you uninstall Earthlink, because the slowdowns are probably because of a conflict between those two programs. If you do not want to uninstall Earthlink, the least you can do is disable Earthlink's antivirus feature so you'll only have one real-time monitor on.

tashi
2007-03-28, 17:34
Glad we could help. As the problem appears to be resolved, this topic has been archived.

If you need it re-opened, please send me a private message (PM) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems, please start a new topic.