View Full Version : I think I have a search engine redirect virus among others
I have several problems and need help, one is a search engine redirect, another shows as a script error when I try to print from a web page and one that says I have: Error on page. at the bottom of my IE page and another says Done, but with errors on page. I hope I have followed all instructions correctly, I also have the Line:Char:Error:Code:URL: info. for the script and error msgs. I can post if need be! I have also removed the 'Pirates Pinball program', but it stayed on the Kaspersky report.-- Thanks so much in advance for your help!
I just tried to post and it was too long. I have taken the Kaspersky report off-should I go ahead and make another post?
Thanks again!
Paula
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:24 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\system32\3DLman.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AskBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar1.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O3 - Toolbar: Ask Toolbar - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3DLman.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8827] command /c del "C:\Documents and Settings\rolson\Application Data\Starware\Weather\AlertArchive.xml"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1906] cmd /c del "C:\Documents and Settings\rolson\Application Data\Starware\Weather\AlertArchive.xml"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinAccestor.exe
O8 - Extra context menu item: &Save Image to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimagetofolder.html
O8 - Extra context menu item: &Save Image to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimages.html
O8 - Extra context menu item: &Save Link to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveltof.html
O8 - Extra context menu item: &Save Link to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savelink.html
O8 - Extra context menu item: &Save Page to Folder... - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savepagetofolder.html
O8 - Extra context menu item: &Save this Page to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savewebpage.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122217943546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192384347000
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - C:\WINDOWS\mf787.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 12418 bytes
I decided to go ahead and post the Kaspersky report. Wouldn't you know, its too long, too! I'll post the rest as a reply! Thanks! Paula
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 05, 2008 12:42:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/03/2008
Kaspersky Anti-Virus database records: 598874
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 155956
Number of viruses found: 24
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 04:37:26
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0114caf1f05c55f43354c1fe83ba6296_4c66d28d-ba89-49b9-8904-a27d5f664876 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip/MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip/MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3CJPEG.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3DTACTL.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.z skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3HTTPCT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.t skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/MWSBAR.DLL_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/mwsoemon.exe_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/bar/1.bin/NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip/SrchAstt/1.bin/MWSSRCAS.DLL_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch42.zip ZIP: infected - 23 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch5.zip/MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/1.bin/F3HTMLMU.DLL_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/1.bin/M3HTML.DLL_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/1.bin/MWSBAR.DLL_tobedeleted_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/1.bin/mwsoemon.exe_tobedeleted_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/1.bin/MWSOESTB.DLL_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3BROVLY.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3HTTPCT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3SHLLVW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/M3MSG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/bar/2.bin/NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/SrchAstt/1.bin/MWSSRCAS.DLL_tobedeleted_tobedeleted Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip/SrchAstt/2.bin/MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch96.zip ZIP: infected - 30 skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinAccestor.exe Infected: Trojan-Downloader.Win32.Adload.lc skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Paula\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\Paula\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\Paula\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Paula\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Paula\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Paula\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paula\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paula\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Paula\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\rolson\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\rolson\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\sydney\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\sydney\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\Walker Hill Creation\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\Walker Hill Creation\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
pskelley
2008-03-07, 18:04
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Hi Paula, if you stil need help, I am wondering why you did not post the rest of Kaspersky?
Wouldn't you know, its too long, too! I'll post the rest as a reply! Thanks! Paula
This trojan: WinAccestor.exe ------> Trojan-Downloader.Win32.Adload.lc
Is a new one on me and running from Startup. I have no way of knowing if more information is in the part of the Kaspersky scan you did not post?
When you post any error messages, they must be exact, word for word, I can not research them if they are not.
So...I have to proceed with a lack of knowledge.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
Let's proceed like this.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
3) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
I reread the before you post instructions and it stressed that I should post no more than two posts in my topic and I also read that if there were more posts, then the volunteers (helper gods!!!!) would assume I was being helped by someone else. So, I'm sorry, I wasnt sure. Here is the rest of the Kaspersky scanner report....
Should I follow your instructions now or wait until you look through the rest of this report? I don't want to do anything wrong...
Oh, and I recopied the last line from before, so it is clear that this is the rest of the report...
Thanks, so much for your help.
Paula
C:\Documents and Settings\Walker Hill Creation\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\10_panda.prc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\20_player.prc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\codecs.py Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\codecs.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\copy.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\copy_reg.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\dospath.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\encodings\ascii.py Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\encodings\__init__.py Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\encodings\__init__.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\errorlog.txt Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\expat.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\fmod.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\freetype6.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\ihooks.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\imputil.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\INSTALL.LOG Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libdirect.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libdtool.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libdtoolconfig.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libeay32.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libfmod_audio.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libframework.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libheapq.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libjpeg.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libnspr4.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpanda.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandadx7.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandadx8.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandadx9.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandaegg.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandaexpress.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandafx.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandagl.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpandaphysics.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpng12.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libptloader.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libpystub.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libtiff.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\libwindisplay.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\linecache.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\lp.bmp Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\msvcp71.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\msvcr71.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\ntpath.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\ode.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\os.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PandaAssets.mf Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pinball.dat Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PinballPalace\PinballPalace.mf Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PinballPalace\PinballPalace.prc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PinballPalace\PinballPalaceModules.pyz Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PinballPalaceModules.py Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PinballPalaceModules.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PiratePinball.exe Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pirates.ico Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pirates16.ico Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pirates32.ico Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\popen2.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\posixpath.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pre.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pyexpat.pyd Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\python22.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PythonPandaGameModules.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PythonPandaModules.pyz Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\PythonPandaSupportModules.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\pythonw.exe Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\re.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\repr.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\shutil.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\sre.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\sre_compile.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\sre_constants.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\sre_parse.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\ssleay32.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\stat.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\string.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\support.py Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\traceback.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\types.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\UNWISE.EXE Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\UserDict.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\zlib.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\zlib.pyd Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\zlib1.dll Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\_pyode.pyd Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\_socket.pyd Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\_sre.pyd Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\_winreg.pyd Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\__future__.pyc Object is locked skipped
C:\Program Files\Disney\Disney Online\Pirates of the Caribbean Pinball\__main__.py Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp\bin\Starware.dll Infected: not-a-virus:AdWare.Win32.Comet.av skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8B313BB6-1AB3-4CB0-A3AA-5972D28DE2BA}\RP917\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\mf557E.dll Infected: Trojan-PSW.Win32.Agent.qt skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET328A.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WinAccestor.exe Infected: Trojan-Downloader.Win32.Adload.lc skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Again, I wasn't sure what I should post exactly, even though the "BEFORE YOU POST.." is very clear and explicit, you'll please forgive me, I'm a (late) middle aged stay at mom, and I have "mom brain" and don't function like the rest of the world sometimes!!
The error message: Done, but with errors on page.
Line:82
Char:1011
error: 'fetchcooki' is undefined
Code: 0
URL: http://support.microsoft.com/kp/306831/en-us
and the one that says: An error has occurred in the script on this page. Do you want to continue running scripts on this page? Y or N (this is the one that won't allow me to print from a web site.)
Line: 1700
Char: 42
Error: Syntax Error
Code: 0
URL: res://ie frames.dll/preview.dlg
I think this is all I have--If you need anything else, please let me know???
Paula
pskelley
2008-03-08, 02:59
Thanks for returning your information and the feedback. You can start looking through this information:
http://support.microsoft.com/kb/306831
http://support.microsoft.com/kb/183808
This is not what I do, I remove malware and will do my best to provide you with information. My guess is that you are running one or more programs that have poorly written script and this is causing the error messages. Hopefully the links from Microsoft will provide an answer for you.
What I need at this point is:
Post the combofix log and a new HJT log.
Thanks
ComboFix 08-03-10.1 - Paula 2008-03-10 12:56:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.630 [GMT -5:00]
Running from: C:\Documents and Settings\Paula\Local Settings\Temporary Internet Files\Content.IE5\BDND6J3F\ComboFix[1].exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.
2008-03-05 16:31 . 2008-03-05 16:31 396,288 --a------ C:\HijackThis.exe
2008-03-04 18:43 . 2008-03-04 18:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-04 18:43 . 2008-03-04 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 11:40 . 2008-03-04 11:38 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-04 11:40 . 2008-03-04 11:40 2,542 --a------ C:\WINDOWS\unins000.dat
2008-02-28 13:45 . 2008-02-28 13:46 <DIR> d-------- C:\Program Files\iTunes
2008-02-28 13:45 . 2008-02-28 13:45 <DIR> d-------- C:\Program Files\iPod
2008-02-24 14:35 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-24 14:35 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-24 14:35 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-24 14:35 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-24 14:35 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-24 14:35 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-24 14:35 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-24 14:35 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-24 14:35 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-24 14:34 . 2008-02-24 14:34 759 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-18 16:10 . 2008-02-29 20:31 <DIR> d-------- C:\Program Files\AskBar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 20:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 18:29 --------- d-----w C:\Program Files\QuickTime
2008-02-26 23:02 --------- d-----w C:\Program Files\Quicken
2008-01-22 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 20:06 --------- d-----w C:\Documents and Settings\Paula\Application Data\BloodTies
2008-01-12 18:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-12 18:36 --------- d-----w C:\Program Files\ItsDeductible2006
2008-01-12 18:36 --------- d-----w C:\Program Files\bfgclient
2008-01-11 23:31 --------- d--h--r C:\Documents and Settings\Walker Hill Creation\Application Data\yahoo!
2006-01-10 02:20 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-12-15 13:44 229,866,800 -c----w C:\Program Files\RoxioEMCContentCDv8.05_efisdj.exe
2005-12-14 23:27 475,177,083 -c----w C:\Program Files\RoxioEMCSuitev8.05_efisd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49 4662776]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:29 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser MOUSE\mouse32a.exe" [2005-08-03 17:33 360448]
"3Dlabs Taskbar Display Manager"="C:\WINDOWS\system32\3DLman.exe" [2001-10-23 05:07 187904]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-11-22 10:34 163840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-07-24 13:37 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-07-24 13:37 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 19:49 397312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-17 13:05 64000]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 18:58 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
WinAccestor.exe [2007-09-24 17:45:35 84480]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1128025141\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-11-21 22:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe"=
"C:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
R3 glint;glint;C:\WINDOWS\system32\DRIVERS\glintMP.sys [2001-10-23 05:03]
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 10:00]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []
S3 lredbooo;lredbooo;C:\DOCUME~1\sydney\LOCALS~1\Temp\lredbooo.sys [2001-09-20 00:23]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 23:02:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-03 23:47:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\WinAccestor.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 13:03:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-10 13:06:09
.
2008-03-04 15:56:19 --- E O F ---
I suppose I'll get this right yet. the first time I didn't save it to my desktop-I just used the 'Run' option from the window. Hope that didn't mess anything up.p
ComboFix 08-03-10.1 - Paula 2008-03-10 13:16:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.585 [GMT -5:00]
Running from: C:\Documents and Settings\Paula\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.
2008-03-05 16:31 . 2008-03-05 16:31 396,288 --a------ C:\HijackThis.exe
2008-03-04 18:43 . 2008-03-04 18:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-04 18:43 . 2008-03-04 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 11:40 . 2008-03-04 11:38 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-04 11:40 . 2008-03-04 11:40 2,542 --a------ C:\WINDOWS\unins000.dat
2008-02-28 13:45 . 2008-02-28 13:46 <DIR> d-------- C:\Program Files\iTunes
2008-02-28 13:45 . 2008-02-28 13:45 <DIR> d-------- C:\Program Files\iPod
2008-02-24 14:35 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-24 14:35 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-24 14:35 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-24 14:35 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-24 14:35 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-24 14:35 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-24 14:35 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-24 14:35 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-24 14:35 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-24 14:34 . 2008-02-24 14:34 759 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-18 16:10 . 2008-02-29 20:31 <DIR> d-------- C:\Program Files\AskBar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 20:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 18:29 --------- d-----w C:\Program Files\QuickTime
2008-02-26 23:02 --------- d-----w C:\Program Files\Quicken
2008-01-22 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 20:06 --------- d-----w C:\Documents and Settings\Paula\Application Data\BloodTies
2008-01-12 18:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-12 18:36 --------- d-----w C:\Program Files\ItsDeductible2006
2008-01-12 18:36 --------- d-----w C:\Program Files\bfgclient
2008-01-11 23:31 --------- d--h--r C:\Documents and Settings\Walker Hill Creation\Application Data\yahoo!
2006-01-10 02:20 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-12-15 13:44 229,866,800 -c----w C:\Program Files\RoxioEMCContentCDv8.05_efisdj.exe
2005-12-14 23:27 475,177,083 -c----w C:\Program Files\RoxioEMCSuitev8.05_efisd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49 4662776]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:29 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser MOUSE\mouse32a.exe" [2005-08-03 17:33 360448]
"3Dlabs Taskbar Display Manager"="C:\WINDOWS\system32\3DLman.exe" [2001-10-23 05:07 187904]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-11-22 10:34 163840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-07-24 13:37 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-07-24 13:37 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 19:49 397312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-17 13:05 64000]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 18:58 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
WinAccestor.exe [2007-09-24 17:45:35 84480]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1128025141\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-11-21 22:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe"=
"C:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
R3 glint;glint;C:\WINDOWS\system32\DRIVERS\glintMP.sys [2001-10-23 05:03]
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 10:00]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []
S3 lredbooo;lredbooo;C:\DOCUME~1\sydney\LOCALS~1\Temp\lredbooo.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 23:02:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-03 23:47:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\WinAccestor.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 13:20:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-10 13:23:03
ComboFix2.txt 2008-03-10 18:06:11
.
2008-03-04 15:56:19 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:15 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\system32\3DLman.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\explorer.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AskBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar1.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O3 - Toolbar: Ask Toolbar - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3DLman.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinAccestor.exe
O8 - Extra context menu item: &Save Image to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimagetofolder.html
O8 - Extra context menu item: &Save Image to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimages.html
O8 - Extra context menu item: &Save Link to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveltof.html
O8 - Extra context menu item: &Save Link to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savelink.html
O8 - Extra context menu item: &Save Page to Folder... - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savepagetofolder.html
O8 - Extra context menu item: &Save this Page to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savewebpage.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122217943546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192384347000
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 11884 bytes
pskelley
2008-03-10, 21:15
Thanks for returning your information, not a lot showing. First let's fix HJT, you have it here:
C:\HijackThis.exe <<< return there and right click on a blank spot and make a NEW FOLDER. Name it HJT. Move the log that is there and the HJT.exe into that folder. Backups for safety will also store in there and it will look like this:
C:\HJT\HijackThis.exe
Please read this: http://www.castlecops.com/clsid-25096.html
and this: http://www.benedelman.org/spyware/installations/askjeeves-banner/
I suggest you remove that junk from your computer, it is your call.
1) C:\Program Files\Java\jre1.5.0_06\ <<< Java is out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: AskBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar1.dll
O3 - Toolbar: Ask Toolbar - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar1.dll
O4 - Global Startup: WinAccestor.exe
O8 - Extra context menu item: &Save Image to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimagetofolder.html
O8 - Extra context menu item: &Save Image to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimages.html
O8 - Extra context menu item: &Save Link to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveltof.html
O8 - Extra context menu item: &Save Link to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savelink.html
O8 - Extra context menu item: &Save Page to Folder... - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savepagetofolder.html
O8 - Extra context menu item: &Save this Page to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savewebpage.html
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/z...ploader_v5.cab
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Right click Start > Explore and navigate to these files/folders and delete them if there.
(delete the file in red)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinAccestor.exe
C:\Program Files\Yahoo!\YPSR\Quarantine\ <<< delete the contents
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\mf557E.dll
C:\WINDOWS\WinAccestor.exe
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post a new HJT log and some feedback.
Thanks
Okay, I've done each step and everything went exactly as described, only on step 4 some of the line items weren't there. All of the ones that weren't there seemed to be related to the Ask toolbar, and I had already removed it using the Remove/update option when I removed the old version of Java. Also, a couple of the items in step 5 weren't there either. If you would like to know the names of these files, let me know!
I also went to the website you referred me to for the error messages and hopefully have fixed that problem!
Thanks for your help and I'm ready for the next step!
Paula
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:46 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\system32\3DLman.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3DLman.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122217943546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192384347000
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 10846 bytes
pskelley
2008-03-11, 00:21
The HJT log looks good, how is the computer running?
Have a look at this information. I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
Thanks
Now what do I do? it scanned my system and found over 500 problems. I didn't fix them yet, it kind of startled me, so here I am back to ask for your opinion on what I should do. I trust what you say--my computer seems to running smoother than it has for a while! and the fixes from MS links you recommended have apparently cleared up the error messages, particularly in regard to printing directly from a web page. Yea!!!!! You're my new hero!
Paula
pskelley
2008-03-11, 00:53
Now what do I do? it scanned my system and found over 500problemsYou have me puzzled, even your original Kaspersky scan showed only 66 items and the vast majority of those were junk being stored in Spybot S&D's Removery folder.
combofix located nothing when we scanned with it? You are going to have to tell me what program you are finding this with and what you are finding? Please post that information.
If you are talking about Recovery Console, it is a tool to help you recover from a major failure of your system. I have no idea how you could have scanned anything with it or what the results even mean. I sure do not see any instructions for scanning with it in the information I posted for you?
Thanks
I am sooooo sorry! I clicked on the link you provided me and at the top was (I guess) an advertisement for Uniblue Registry Booster. Being the total dork I am, I supposed it was the recovery console. So, I downloaded it and it found 528 registry errors. I then went to the tutorials section of bleeping computer where I started reading about recovery console--I was really confused until I saw your reply and realized what a totally bleeping doofus I really am. I'm sorry to waste your valuable time and hope you will forgive my stupid mistake!?!
bleeping paula
But I don't have my windows XP CDs. Have i not read enough yet to get around that?
pskelley
2008-03-11, 01:26
Open this link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
and start reading here: How to install and use the Windows XP Recovery Console
read this: If on the other hand, you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
Then carefully continue with the simple instruction to use combofix to install the Recovery Console.
Thanks
Thanks again for your patience! Here is the info from the notepad:
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
What next?
pskelley
2008-03-11, 12:59
You may remove combofix from your computer knowing in the event of a major issue you have Recovery Console on board to help you recover from it.
Not a great fan of registry cleaners, if you have need of one, this is a good free one that is user friendly.
http://www.hoverdesk.net/freeware.htm
I caution you to NEVER do anything in the registry without making a BACKUP first.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
I still fell like I'm exposed.....I will read all the material you linked for me. I really appreciate all your help, patience and knowledge! Will this complete our interaction? or is there something else I should do?
Paula
pskelley
2008-03-11, 22:57
I still fell like I'm exposed
I am not quite sure what that means? Unless you have some reason for me to think you have a malware problem, I would say safe surfing.
or is there something else I should do?
I suggest you read and follow the advice I posted for you from some of the most respected folks in malware removal/security.
Thanks