View Full Version : Got zlob.dnschanger?
Wolfrider66
2007-09-02, 11:48
System is majorly slow and S&D shows that zlob.dnschanger keeps showing up. Ran Adware short scan and fixed what it could... Ran Adware full system scan and the scan freezes up when it reaches a certain point. Attempted to run Kaspersky and it also freezes up after about only 3% complete. Any help would be greatly appreciated. I did run HJT and here is the log file -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:48 AM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kbgpcpsv] rundll32.exe "C:\Program Files\vmxojytq\vcfcnyha.dll",Init
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm357YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139102916921
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1046_EN_XP.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1295AD06-F424-492D-84C1-AC72E14BF6A6}: NameServer = 85.255.116.18,85.255.112.217
O17 - HKLM\System\CCS\Services\Tcpip\..\{66FD3B2C-0123-42B8-A9BE-404D749861AA}: NameServer = 85.255.116.18,85.255.112.217
O17 - HKLM\System\CCS\Services\Tcpip\..\{735B5148-4463-4C53-8204-082594E1FE6E}: NameServer = 85.255.116.18,85.255.112.217
O17 - HKLM\System\CCS\Services\Tcpip\..\{9489EADA-E42D-4AF0-89D7-BE1F237DA51B}: NameServer = 85.255.116.18,85.255.112.217
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8BAC11C-9935-4486-9606-74CB3FFB7B79}: NameServer = 85.255.116.18,85.255.112.217
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
--
End of file - 15886 bytes
Hi Wolfrider66
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
1. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE ( http://metallica.geekstogo.com/EGDACCESS.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).
3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select EGDACCESS.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post back a fresh HijackThis log.
Post:
- a fresh HijackThis log
- fixwareout report
Wolfrider66
2007-09-02, 15:52
Shaba - Thanks for the help... Here are the first two requested logs---
FIXWAREOUT LOG
Username "Jeannie" - 09/02/2007 6:32:31 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdssn.exe"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1295AD06-F424-492D-84C1-AC72E14BF6A6}
"nameserver"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{66FD3B2C-0123-42B8-A9BE-404D749861AA}
"nameserver"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{735B5148-4463-4C53-8204-082594E1FE6E}
"nameserver"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9489EADA-E42D-4AF0-89D7-BE1F237DA51B}
"nameserver"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F8BAC11C-9935-4486-9606-74CB3FFB7B79}
"nameserver"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1295AD06-F424-492D-84C1-AC72E14BF6A6}
"DhcpNameServer"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{66FD3B2C-0123-42B8-A9BE-404D749861AA}
"DhcpNameServer"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{735B5148-4463-4C53-8204-082594E1FE6E}
"DhcpNameServer"="85.255.116.18,85.255.112.217" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F8BAC11C-9935-4486-9606-74CB3FFB7B79}
"DhcpNameServer"="85.255.116.18,85.255.112.217" <Value cleared.
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdssn.ren 71257 06/13/2007
C:\Program Files\DirectAccess < Found
Additional tools are recommended.
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CTSysVol"="C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"POINTER"="point32.exe"
"NapsterShell"="C:\\Program Files\\Napster\\napster.exe /systray"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"qhmmyvkj"="c:\\windows\\system32\\qhmmyvkj.exe qhmmyvkj"
"kbgpcpsv"="rundll32.exe \"C:\\Program Files\\vmxojytq\\vcfcnyha.dll\",Init"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:42 AM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kbgpcpsv] rundll32.exe "C:\Program Files\vmxojytq\vcfcnyha.dll",Init
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm357YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139102916921
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1046_EN_XP.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
--
End of file - 14889 bytes
Hi
Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml
Doubleclick fsbl.exe, accept the agreement, click Scan, then click Next
You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log to here (xxxx= random numbers,blacklight log from your desktop)
Wolfrider66
2007-09-02, 23:33
Shaba... Here is the completed FSBL -
F-Secure Blacklight Log
09/02/07 08:53:45 [Info]: BlackLight Engine 1.0.64 initialized
09/02/07 08:53:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/02/07 08:53:46 [Note]: 7019 4
09/02/07 08:53:46 [Note]: 7005 0
09/02/07 08:54:08 [Note]: 7006 0
09/02/07 08:54:08 [Note]: 7011 536
09/02/07 08:54:08 [Note]: 7026 0
09/02/07 08:54:08 [Note]: 7026 0
09/02/07 08:54:09 [Note]: 7024 3
09/02/07 08:54:09 [Info]: Hidden process: C:\windows\system32\qhmmyvkj.exe
09/02/07 08:54:21 [Note]: FSRAW library version 1.7.1022
09/02/07 09:16:27 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\msplock32.dll
09/02/07 09:16:27 [Note]: 10002 1
09/02/07 09:16:29 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\msclock32.dll
09/02/07 09:16:29 [Note]: 10002 1
09/02/07 09:16:35 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\qhmmyvkj.dat
09/02/07 09:16:35 [Note]: 10002 1
09/02/07 09:16:35 [Info]: Hidden file: C:\windows\system32\qhmmyvkj.exe
09/02/07 09:16:36 [Note]: 10002 1
09/02/07 09:16:36 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\qhmmyvkj_nav.dat
09/02/07 09:16:36 [Note]: 10002 1
09/02/07 09:16:37 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\qhmmyvkj_navps.dat
09/02/07 09:16:37 [Note]: 10002 1
09/02/07 09:16:37 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\qhmmyvkj_navup.dat
09/02/07 09:16:37 [Note]: 10002 1
09/02/07 14:31:13 [Note]: 7007 0
Hi
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.
@echo off
If exist temp.reg del /q temp.reg
echo REGEDIT4 > temp.reg
echo.>> temp.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qhmmyvkj] >> temp.reg
echo.>> temp.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] >> temp.reg
echo "qhmmyvkj"=- >> temp.reg
echo.>> temp.reg
regedit /s temp.reg
attrib -r -s -h %windir%\prefetch\qhmmyvkj.*
attrib -r -s -h %windir%\system32\qhmmyvkj_navps.*
attrib -r -s -h %windir%\system32\qhmmyvkj_nav.*
attrib -r -s -h %windir%\system32\qhmmyvkj.*
attrib -r -s -h %windir%\system32\qhmmyvkj_m2s.*
attrib -r -s -h %WINDIR%\qhmmyvkj.exe-*.pf
attrib -r -s -h %windir%\system32\msplock32.*
attrib -r -s -h %windir%\system32\msclock32.*
del /q %windir%\prefetch\qhmmyvkj.*
del /q %windir%\system32\qhmmyvkj_navps.*
del /q %windir%\system32\qhmmyvkj_nav.*
del /q %windir%\system32\qhmmyvkj.*
del /q %windir%\system32\qhmmyvkj_m2s.*
del /q %WINDIR%\qhmmyvkj.exe-*.pf
del /q %windir%\system32\msplock32.*
del /q %windir%\system32\msclock32.*
del /q temp.reg
Save it to your Desktop as naviclean.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name: naviclean.bat
Doubleclick fsbl.exe, accept the agreement, click Scan, then click Next
Now click on the first item listed and click Rename
Repeat for the rest of the items listed
Click Next>
Tick the box next to I understand the warning
Click OK
Click Restart now
Click OK
Your computer will then restart
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Locate naviclean.bat on your Desktop and double-click it. A DOS window will open briefly and then close, this is normal
Restart
Doubleclick fsbl.exe, accept the agreement, click Scan, then click Next
You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log to here (xxxx= random numbers,blacklight log from your desktop)
Post:
- a fresh HijackThis log
- blacklight log
Wolfrider66
2007-09-03, 22:02
Shaba... Good afternoon, and by the way, thanks for all your help!!
Here is the fresh logs from HJT and FSBL -
Hijack This Log
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Jeannie\Desktop\fsbl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kbgpcpsv] rundll32.exe "C:\Program Files\vmxojytq\vcfcnyha.dll",Init
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm357YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139102916921
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
--
End of file - 14630 bytes
F-Secure Blacklight Log
09/03/07 12:11:58 [Info]: BlackLight Engine 1.0.64 initialized
09/03/07 12:11:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/03/07 12:11:58 [Note]: 7019 4
09/03/07 12:11:58 [Note]: 7005 0
09/03/07 12:12:01 [Note]: 7006 0
09/03/07 12:12:01 [Note]: 7011 1156
09/03/07 12:12:02 [Note]: 7026 0
09/03/07 12:12:02 [Note]: 7026 0
09/03/07 12:12:19 [Note]: FSRAW library version 1.7.1022
Hi
Looks better :)
Open HijackThis, click do a system scan only and checkmark these:
O4 - HKLM\..\Run: [kbgpcpsv] rundll32.exe "C:\Program Files\vmxojytq\vcfcnyha.dll",Init
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm357YYUS
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
Close all windows including browser and press fix checked.
Reboot.
Re-scan with kaspersky
Post:
- a fresh HijackThis log
- kaspersky report
Wolfrider66
2007-09-04, 22:27
Hi Shaba... Here are the two frsh reports... We must have done something right because I finally got Kaspersky to run all the way through!!:D: The logs are going to have to be sent in two or more different posts due to size... -
Kaspersky Log Page 1
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 04, 2007 12:54:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/09/2007
Kaspersky Anti-Virus database records: 403517
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 69410
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:58:19
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-09012007-021351.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\Jeannie\Application Data\MySpace\IM\Logs\MySpaceIM-Network-20070904-004810.log Object is locked skipped
C:\Documents and Settings\Jeannie\Application Data\MySpace\IM\Logs\MySpaceIm_09-04-2007-00-46-16-0218.log Object is locked skipped
C:\Documents and Settings\Jeannie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeannie\Desktop\LPSchedule8-31to9-13.xls Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Messenger\kheely66@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Messenger\kheely66@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Messenger\kheely66@msn.com\SharingMetadata\Working\database_8CD8_BCD0_D8BC_BA32\dfsr.db Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Messenger\kheely66@msn.com\SharingMetadata\Working\database_8CD8_BCD0_D8BC_BA32\fsr.log Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Messenger\kheely66@msn.com\SharingMetadata\Working\database_8CD8_BCD0_D8BC_BA32\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Messenger\kheely66@msn.com\SharingMetadata\Working\database_8CD8_BCD0_D8BC_BA32\tmp.edb Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Windows Live Contacts\KHEELY66@MSN.COM\real\members.stg Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Windows Live Contacts\KHEELY66@MSN.COM\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\History\History.IE5\MSHist012007090420070905\index.dat Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\Perflib_Perfdata_83c.dat Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF11D7.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF1C5D.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF1C7D.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF249.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF4178.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF41AF.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF4AAF.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF4AC4.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DF83AE.tmp Object is locked skipped
C:\Documents and Settings\Jeannie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeannie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeannie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{77FCC1D4-E78E-46A4-80A6-7F456FA9AC90}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7C32C567-DC0F-4C80-B06C-7873850A2E06}\setup.ilg Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\L0000054.FCS Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\L0000002.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\storydb.idx Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Jeannie.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Jeannie.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Jeannie.log Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc31\kkkv.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc31\SWAT3.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc31\WordPad.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc36\colorful me.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc36\Dell Picture Studio.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc36\Desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc36\Sample Pictures.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc36\Sloppy piece of work.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc36\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\Desktop\Federal Bureau of Investigation Home Page.url Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\activitylog.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\agreementbail.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\AUTHORIZATION OF ARREST.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\bailrecoverytest.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\BAILRECOVERYTRAIN.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\BILLING NOTICE.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\cbfe.mhp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\cbfe11.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\cbfe12.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Clientreport.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\CLOTHING.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Copy of Clientreport.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\COPYSTAMP.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\co_seal.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\co_seal2.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\CSPcorporateresume.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\CSPflyer1.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\DESKTOP.INI Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\DEVELOPING A PARAGRAPH.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\DMK Data Files\Microsoft Word\Normal.dot Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Doc16.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\EECcasebrief.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\EXIT.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\f1040sc.pdf Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\f1040sei.pdf Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\fast.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\fast.jpg Object is locked skipped
Wolfrider66
2007-09-04, 22:35
Kaspersky Log Page 2
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Bail Recovery Training.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Bail Recovery Training_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Bail Recovery Training_files\image001.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Blank Page 1.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Blank Page 1_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Blank Page 1_files\image001.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Blank Page 2.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Blank Page 2_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Blank Page 2_files\image001.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\default.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Fugitive Recovery.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Fugitive Recovery_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Fugitive Recovery_files\image001.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Investigations.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Investigations_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Investigations_files\image001.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Links.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Links_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Links_files\image001.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Personal Web Page.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Personal Web Page_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Personal Web Page_files\image001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Personal Web Page_files\image002.wmz Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Personal Web Page_files\image003.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\Personal Web Page_files\image004.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\TOCFrame.htm Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\TOCFrame_files\filelist.xml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastrac Enterprises\TOCFrame_files\image001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fastracbrochure.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\fastracbuscard.pub Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\fastracbuscard2.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\FastracEnvelope1.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\fastracFAX.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\fastracletterhead.pub Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Fees.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Freqlist.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Freqlist2.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\ftentWEB.mhp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\FUGITIVEINFO.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\FW_ Officer Safety - Handcuffs.eml Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\HARVEST LOG.xlr Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\House 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\House 002.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\i1040sc.pdf Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\IF I KNEW.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Incidentreport.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\initialcontactletter.pub Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\initialcontactletter.pub.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\INTERVIEW1.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\INTERVIEW2.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\INTERVIEW3.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\INTERVIEWS.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\INVESTIGATIONSletterhead.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\IsaihsProphecy.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\J.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\joslynscar.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\KevinResume.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\kevinresume.pub Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\law_enforcement_memorial,jpg780.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\LOGO 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\LOGO 002.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\LOGO 003.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\LOGO 004.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\logo.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Money Backup.mbf Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Money.mny Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Music\Desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\!cid_001101c1cec4$1ebe89c0$7301a8c0@amigo.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\!cid_001301c1cec4$1ebe89c0$7301a8c0@amigo.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-03-25\Picture 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-03-25\Picture 002 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-03-25\Picture 002.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-03-25\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-04-26\Suspect Photos 001 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-04-26\Suspect Photos 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-04-26\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-05-22\Picture 001 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-05-22\Picture 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-05-22\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\2002-06-09\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Bobby Williams.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Bobby Williams.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\broncohead.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Heely 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\K Heely 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\K Heely 001.PNG Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\K Heely 001a.PNG Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\LOGO\LOGO 001 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\LOGO\LOGO 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\LOGO\LOGO 002.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\LOGO\LOGO 003 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\LOGO\LOGO 003.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\LOGO\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\meck_rof.jpe Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Shawn Heely.jpg Object is locked skipped
Wolfrider66
2007-09-04, 22:39
Kaspersky Log Page 3
:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 001 (3).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 002 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 003 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 004 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 006 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 007 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 008 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 009 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 010 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 011 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 012 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 013 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 014 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 015 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 016 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 017 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 018 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 019 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 020 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 021 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 022 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 023 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 024 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 025 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 026 (3).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 027 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 028 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 029 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 030 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 031 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 031 (3).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 032 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 033 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 034 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 035 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Suspect Photos 036 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Suspect Photos\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Pictures\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Videos\Desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Videos\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\My Videos\Windows Movie Maker Sample File.wmv Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Patch 001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\PATCH.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\RECOVERYletterhead.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\recoverytraininginterest.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Security Incident Report.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\SERVICES AGREEMENT.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\shafferresume.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\spider.sav Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\stongreponse.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\succeed.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Suspect Photos 031 (2).jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\thankyou.pub Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\timboyd.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\trainingoutline.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\wanted.php Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\WebSend\RunMe.EXE Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Work 001.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Work 002.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc43\My Documents\Work 003.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-4094575798-919082819-4212676017-1010\Dc68\jesterrun1.dll Object is locked skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1691\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\netsetup.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\upnp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
C:\WINDOWS\$NtUninstallQ328940$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Wolfrider66
2007-09-04, 22:40
Hijack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:59 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\MSAGENT\agentsvr.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139102916921
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/playerBase/kSoloIEHDSD.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
--
End of file - 13918 bytes
Hi
Delete this:
C:\Program Files\MSN Messenger\riched20.dll
Empty Recycle Bin
Otherwise looking good :)
Still problems?
Wolfrider66
2007-09-05, 16:13
Hi Shaba...
Deleted "C:\Program Files\MSN Messenger\riched20.dll" and emptied the recycle bin. I believe the system is running a little better and I haven't noticed anymore of the google redirects however I have limited my browing and usage until we had this bug fixed and knew it was safe. I have not attempted to run S&D or Ad-Aware so I don't know if zlob is still there... I also have not let Windows Live OneCare run a tune-up... I was just awaiting your further instructions. :coffee:
Hi
You can run eg. S&D scan if you like and post back its report if it finds something before my final instructions :)
Wolfrider66
2007-09-05, 21:13
Shaba,
Looks like everything is good on my end... I ran Spybot S&D and the full tune up with Windows Live OneCare and both came back clean. I have not ran Ad-Aware, but I don't rely on it anyway. I appreciate your help very much!!! Any final thoughts or instructions my friend?
Thank You!!
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You can remove all tools we used.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.