PDA

View Full Version : Slowdowns and Pop-ups Possibly Due to Spyware



Hemlocke
2008-06-06, 10:54
Hi everybody. I'm trying to fix my dad's computer. It's very slow and there seems to be a lot of pop-ups whenever using Internet Explorer. I think it's due to spyware and possibly viruses. I did a kaspersky scan and about 6 or 7 viruses showed up and when I ran Spybot several adware/spyware programs showed up. Here's the HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:53 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL =

http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed

Online
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://webmail.adelphia.net/webedge"); (C:\Documents and Settings\JACKSON

CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");

(C:\Documents and Settings\JACKSON CONFER\Application

Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program

Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program

Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [YBu4RXi7O] wzcatcha.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money

Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money

Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money

Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money

Express.exe" (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program

files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~6\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program

files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: MindSpring - {A7A40980-E4A1-11D4-B68A-000086400686} - c:\Program

Files\MindSpring 4.0\MID4.EXE (file missing) (HKCU)
O9 - Extra button: Dell Home - {E1A55500-9C4D-11D3-B689-10B54FC10000} - http://www.dell.com/

(file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTim

eInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E301E220-177F-4047-A70B-9586B5EE1DEB}: Domain =

mindspring.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner -

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common

Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation -

C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file

missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8807 bytes


Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 05, 2008 8:39:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/06/2008
Kaspersky Anti-Virus database records: 832763
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73951
Number of viruses found: 30
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 02:51:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\Fantasy Access-uninstall.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\BO2202031216.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d skipped
C:\WINDOWS\SYSTEM32\SHAgentNew.dll Infected: not-a-virus:AdWare.Win32.Sahat.g skipped
C:\WINDOWS\SYSTEM32\Xcite.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\WINDOWS\SYSTEM32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\WINDOWS\SYSTEM32\ezStub3.dll Infected: not-a-virus:AdWare.Win32.EZula.cp skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\AStart.exe Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\Program Files\Netscape\Netscape\plugins\npzango.dll Infected: not-a-virus:AdWare.Win32.WinAD.aw skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jackson Confer\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab CAB: infected - 2 skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\Perflib_Perfdata_3fc.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\temp.fr801E Infected: not-a-virus:AdWare.Win32.BiSpy.o skipped
C:\Documents and Settings\Jackson Confer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\WHYNCNSR\script[1].htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\VWOND949\asmfiles[1].cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\VWOND949\asmfiles[1].cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\VWOND949\asmfiles[1].cab CAB: infected - 2 skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\OUJYMKFA\script[2].htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip/Beyond.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip/VerifierBug.class Infected: Trojan.Java.Needy.c skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-2e8f809-111adab3.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-2e8f809-111adab3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2d653d3a.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2d653d3a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-550a77cc.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-550a77cc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205 ZIP: infected - 3 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\25\2138d899-236eb5f6/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\25\2138d899-236eb5f6 ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-64dfe894/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-64dfe894 ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-216864be/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-216864be ZIP: infected - 1 skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212822.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212825.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212826.dll Infected: not-a-virus:AdWare.Win32.Altnet.x skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212827.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212828.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212829.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212830.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212831.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212833.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212835.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP789\change.log Object is locked skipped

Scan process completed.

Shaba
2008-06-07, 12:34
Hi Hemlocke

The formatting of your post is messed up. This is caused by having Word Wrap checked.
1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears unchecked.

After that, please post back a fresh HijackThis log :)

Hemlocke
2008-06-08, 13:05
Ok, let's try this again.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:33 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webmail.adelphia.net/webedge"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [YBu4RXi7O] wzcatcha.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: MindSpring - {A7A40980-E4A1-11D4-B68A-000086400686} - c:\Program Files\MindSpring 4.0\MID4.EXE (file missing) (HKCU)
O9 - Extra button: Dell Home - {E1A55500-9C4D-11D3-B689-10B54FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E301E220-177F-4047-A70B-9586B5EE1DEB}: Domain = mindspring.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8806 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 05, 2008 8:39:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/06/2008
Kaspersky Anti-Virus database records: 832763
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73951
Number of viruses found: 30
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 02:51:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\Fantasy Access-uninstall.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\BO2202031216.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d skipped
C:\WINDOWS\SYSTEM32\SHAgentNew.dll Infected: not-a-virus:AdWare.Win32.Sahat.g skipped
C:\WINDOWS\SYSTEM32\Xcite.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\WINDOWS\SYSTEM32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\WINDOWS\SYSTEM32\ezStub3.dll Infected: not-a-virus:AdWare.Win32.EZula.cp skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\AStart.exe Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\Program Files\Netscape\Netscape\plugins\npzango.dll Infected: not-a-virus:AdWare.Win32.WinAD.aw skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jackson Confer\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab CAB: infected - 2 skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\Perflib_Perfdata_3fc.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\temp.fr801E Infected: not-a-virus:AdWare.Win32.BiSpy.o skipped
C:\Documents and Settings\Jackson Confer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\WHYNCNSR\script[1].htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\VWOND949\asmfiles[1].cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\VWOND949\asmfiles[1].cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\VWOND949\asmfiles[1].cab CAB: infected - 2 skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Temporary Internet Files\Content.IE5\OUJYMKFA\script[2].htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jackson Confer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-238ada3c-46a61670.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip/Beyond.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip/VerifierBug.class Infected: Trojan.Java.Needy.c skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-69b00b99-3d0fd374.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Jackson Confer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-26835cc3-73dbf50e.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-2e8f809-111adab3.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-2e8f809-111adab3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2d653d3a.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2d653d3a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-550a77cc.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-550a77cc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205 ZIP: infected - 3 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\25\2138d899-236eb5f6/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\25\2138d899-236eb5f6 ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-64dfe894/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-64dfe894 ZIP: infected - 1 skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-216864be/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-216864be ZIP: infected - 1 skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212822.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212825.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212826.dll Infected: not-a-virus:AdWare.Win32.Altnet.x skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212827.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212828.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212829.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212830.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212831.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212833.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212835.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP789\change.log Object is locked skipped

Scan process completed.

Shaba
2008-06-08, 13:07
Hi

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Hemlocke
2008-06-10, 00:52
Main.txt:

Deckard's System Scanner v20071014.68
Run by Jackson Confer on 2008-06-09 14:41:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-06-09 21:42:26 UTC - RP792 - Deckard's System Scanner Restore Point
19: 2008-06-08 09:22:05 UTC - RP791 - System Checkpoint
18: 2008-06-07 06:42:47 UTC - RP790 - System Checkpoint
17: 2008-06-06 02:41:26 UTC - RP789 - System Checkpoint
16: 2008-06-05 02:29:21 UTC - RP788 - Removed Road Runner Medic


-- First Restore Point --
1: 2008-03-28 18:05:55 UTC - RP773 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 127 MiB (512 MiB recommended).


-- HijackThis (run as Jackson Confer.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:25 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jackson Confer\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jackson Confer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webmail.adelphia.net/webedge"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [YBu4RXi7O] wzcatcha.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: MindSpring - {A7A40980-E4A1-11D4-B68A-000086400686} - c:\Program Files\MindSpring 4.0\MID4.EXE (file missing) (HKCU)
O9 - Extra button: Dell Home - {E1A55500-9C4D-11D3-B689-10B54FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E301E220-177F-4047-A70B-9586B5EE1DEB}: Domain = mindspring.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8812 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,14
.reg - regfile - DefaultIcon - c:\windows\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,13


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R1 NPPTNT - c:\windows\system32\npptnt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>

S2 HPFECP13 - c:\windows\system32\drivers\hpfecp13.sys
S3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 npkcrypt - c:\program files\softnyx\gunbound\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
S3 npkcusb - c:\program files\softnyx\gunbound\npkcusb.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 AOL ACS (AOL Connectivity Service) - c:\progra~1\common~1\aol\acs\acsd.exe (file missing)
S2 iPodSrv - c:\program files\ipod\bin\ipodsrv.exe (file missing)
S2 npkcsvc - c:\windows\system32\npkcsvc.exe <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Service>
S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\MGMT201\1
Manufacturer:
Name:
PNP Device ID: ACPI\MGMT201\1
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\MGMT201\2
Manufacturer:
Name:
PNP Device ID: ACPI\MGMT201\2
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\MGMT181\3&61AAA01&0
Manufacturer:
Name:
PNP Device ID: ACPI\MGMT181\3&61AAA01&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\MGMT182\1
Manufacturer:
Name:
PNP Device ID: ACPI\MGMT182\1
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-09 09:54:02 258 --a------ C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job
2008-06-04 23:00:04 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-05 20:43:50 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-05 20:43:50 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-05 20:43:50 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-05 20:43:50 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-05 20:43:50 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-05 20:43:50 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-05 20:43:50 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-05 20:43:50 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-05 20:43:49 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-05 20:43:48 1572864 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-06-04 23:25:40 0 d-------- C:\Program Files\Trend Micro
2008-06-04 19:58:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 19:58:41 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBu4RXi7O"="wzcatcha.exe" []
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/01/2007 06:53 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cBZ1euXgc]
C:\documents and settings\jackson confer\local settings\temp\cBZ1euXgc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB006" /M "Stylus C88"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MEDIC]
"C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nupeii]
C:\WINDOWS\System32\vticab.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps5Q37O]
umapy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CHotKey"=Webster.exe
"SvcButton"=c:\windows\service.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"MotiveMonitor"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\motmon.exe
"madexe"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"AccessRampMonitor"=C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"RegShave"=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60a1ac0-c8bb-11dc-aef7-00038a000015}]
AutoRun\command- E:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- Hosts -----------------------------------------------------------------------

127.0.0.1 downloads.aaa1screensavers.com #[Bargin Buddy]
127.0.0.1 dl.aaascreensavers.com
127.0.0.1 abcsearch.com
127.0.0.1 admin.abcsearch.com
127.0.0.1 www3.abcsearch.com #[Browseraid]
127.0.0.1 www.abcsearch.com
127.0.0.1 abc517.net #[Trojan.Mitglieder.H]
127.0.0.1 absoluagency.com #[Trojan.StartPage.H]
127.0.0.1 acestats.com
127.0.0.1 www.acestats.com

13625 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-09 14:50:39 ------------

extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 126.3 MiB / 31.54 MiB
Pagefile Memory (total/avail): 307.54 MiB / 120.01 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.27 MiB

C: is Fixed (FAT32) - 12.11 GiB total, 2.56 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - QUANTUM FIREBALL CX13.0A - 12.12 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 12.12 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.4\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.4\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Q3Ademo\\quake3.exe"="C:\\Q3Ademo\\quake3.exe:*:Enabled:quake3"
"C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Trial\\Game\\battlegrounds_trial.exe"="C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Trial\\Game\\battlegrounds_trial.exe:*:Enabled:Star Wars Galactic Battlegrounds"
"C:\\Program Files\\Infogrames\\Civilization III\\Civilization3.exe"="C:\\Program Files\\Infogrames\\Civilization III\\Civilization3.exe:*:Enabled:Civilization3"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Enabled:Secure Delivery Plug-In"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Kazaa Lite Revolution\\kazaalite.kpp"="C:\\Program Files\\Kazaa Lite Revolution\\kazaalite.kpp:*:Enabled:kazaalite"
"C:\\Program Files\\Yahoo! Games\\BeTrapped!\\BeTrapped.exe"="C:\\Program Files\\Yahoo! Games\\BeTrapped!\\BeTrapped.exe:*:Enabled:BeTrapped Game Executable"
"C:\\Program Files\\softnyx\\GunBound\\GunBound.exe"="C:\\Program Files\\softnyx\\GunBound\\GunBound.exe:*:Enabled:GunBound Startup Application"
"C:\\Program Files\\softnyx\\GunBound\\GunBound.gme"="C:\\Program Files\\softnyx\\GunBound\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Steam\\SteamApps\\jiveturkey5658\\day of defeat\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\jiveturkey5658\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\jiveturkey5658\\half-life\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\jiveturkey5658\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\jiveturkey5658\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\jiveturkey5658\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Unreal Tournament\\Unreal Tournament\\System\\UnrealTournament.exe"="C:\\Unreal Tournament\\Unreal Tournament\\System\\UnrealTournament.exe:*:Enabled:UnrealTournament"
"C:\\Civilization III Gold Edition\\Civ3PTW\\Civilization3x.exe"="C:\\Civilization III Gold Edition\\Civ3PTW\\Civilization3x.exe:*:Enabled:Civilization3X"
"C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"="C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe:*:Enabled:lh"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\jiveturkey5658\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\jiveturkey5658\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\System32\\dlbccoms.exe"="C:\\WINDOWS\\System32\\dlbccoms.exe:*:Enabled:Photo Printer 720 Server"
"C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"="C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp:*:Enabled:kazaalite"
"C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jackson Confer\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WEBPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jackson Confer
LOGONSERVER=\\WEBPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JACKSO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JACKSO~1\LOCALS~1\Temp
USERDOMAIN=WEBPC
USERNAME=Jackson Confer
USERPROFILE=C:\Documents and Settings\Jackson Confer
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mitchell Confer (admin)
Jackson Confer (admin)
Jerry Casillas (admin)
Nancy Casillas (admin)
Administrator (new local, admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\SMUninst.ins
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B10CE30-4316-11D0-86A0-00C0F003261B}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.23 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
Batch Assistant --> "C:\Program Files\scbar\v2\scbar.exe" /R H
Bink and Smacker --> C:\PROGRA~1\RADVIDEO\UNWISE.EXE C:\PROGRA~1\RADVIDEO\INSTALL.LOG
CombiMovie Version 1.3 --> "C:\Program Files\bobyte\CombiMovie\unins000.exe"
CombiMovie version 2 --> C:\PROGRA~1\COMBIM~1\UNWISE.EXE C:\PROGRA~1\COMBIM~1\INSTALL.LOG
Data Compiler --> "C:\Program Files\scbar\v2\scbar.exe" /R F
DelFin Media Viewer --> C:\WINDOWS\unvise32.exe C:\Program Files\DelFin\PromulGate\uninstal.log
Dellnet Signup --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Dellnet\DeIsL1.isu" -c"C:\Program Files\Dellnet\_ISREG32.DLL"
DivX Player --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Player\uninstal.log
DivX Pro Codec Adware --> C:\WINDOWS\unvise32.exe C:\DivX\DivX Pro Codec Adware\UninstalDivXProCodecAdware.log
EAX(tm) Unified (SHELL) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative Labs\EAX(tm) Unified (SHELL)\Uninst.isu"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Exif Launcher Ver.1.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Exif Launcher\Uninst.isu"
Exif Viewer Ver.1.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Exif Viewer\Uninst.isu"
FTapp (remove only) --> "c:\Program Files\flcp\uninst.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP DeskJet 710C Series (Remove only) --> C:\Program Files\HP DeskJet 710C Series\hpfiui.exe -c -vdivid=HPF -vpnum=13 -vproduct=710C -huninstall
i-Learn My WebPC --> UnIns.exe
Imation Copy SuperDisk --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Imation\Copy SuperDisk\Uninst.isu"
Indexing Function --> "C:\Program Files\scbar\v2\scbar.exe" /R S
Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\SYSTEM\CDUninst.isu
Intel® 810 Chipset Graphic Driver End User Diagnostics Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\GfxDrvEUD\Uninst.isu"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Iomega DVD wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C53CCE8A-8DEE-4E2C-8A4D-425F0FF70471}\Setup.exe" -l0x9
iScrobbler --> C:\Program Files\iTunes\UninstalliScrobble.exe
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{872653C6-5DDC-488B-B7C2-CF9E4D9335E5} /l1033
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KodeWize --> C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\KodeWize\ST5UNST.LOG"
Last.fm Player 1.0.4 --> "C:\Program Files\Last.fm Player\unins000.exe"
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta 97 Encyclopedia --> C:\WINDOWS\unenc97.exe
Microsoft Home Publishing 2000 --> MsiExec.exe /I{9944aa9e-362d-11d3-81ab-00c04fb932ba}
Microsoft IntelliPoint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Hardware\Mouse\Uninst.isu" -c"C:\Program Files\Microsoft Hardware\Mouse\Uninstal.dll"
Microsoft Office XP Standard --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 2000 --> MsiExec.exe /I{A586D09E-1D2C-11D3-9A6B-00105A98B681}
Microsoft PowerPoint Viewer 97 --> C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Microsoft Works 2000 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2000\Setup\Launcher.exe D:\
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla (1.7.11) --> C:\WINDOWS\MozillaUninstall.exe /ua "1.7.11 (en)"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
MUSICMATCH iPod Plug-in --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{146ED22B-BC11-4017-BBE8-E393848AA92A}\setup.exe" -l0x9 FromAddRemove
Natural Selection --> C:\WINDOWS\ns_uninstall.exe
Need2Find Bar --> rundll32 C:\PROGRA~1\NEED2F~1\bar\1.bin\Nd2fnBar.dll,O
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Netzip Download Demon --> C:\Program Files\Netzip Download Demon\NETZIP DOWNLOAD DEMON.EXE -u
nProtect KeyCrypt --> C:\WINDOWS\System32\npkuninst.exe
PCFriendly --> C:\program files\PCFriendly\inuninst.exe
Peer Points Manager --> "C:\Program Files\Altnet\Download Manager\AltnetUninstall.exe" -m
PhoneTools --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\PhoneTools\Uninst.isu" -c"C:\Program Files\PhoneTools\uninst.dll
PingPlotter --> C:\PROGRA~1\PINGPL~1\UNWISE.EXE C:\PROGRA~1\PINGPL~1\INSTALL.LOG
Pool 'm Up --> C:\PROGRA~1\POOL'M~1\UNINSTALL\UNINSTALL.EXE C:\PROGRA~1\POOL'M~1\UNINSTALL\INSTALL.LOG
QuickLatin 1.2.9 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Quick Latin\ST6UNST.LOG"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RoadRunner --> MsiExec.exe /I{A73EFA95-4872-4AE3-8EE9-10D2E2D713CF}
SBM OS --> "C:\Program Files\scbar\v2\scbar.exe" /R B
Search OS --> "C:\Program Files\scbar\v2\scbar.exe" /R E
Shockwave --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\INSTALL.LOG
Shutterfly SmartUpload --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC0EDFA8-7700-11D5-9B6C-00601D22E8EA}\SETUP.EXE"
Sierra Account Wizard --> C:\PROGRA~1\COMMON~1\SIERRA~1\ACCOUN~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\SIERRA~1\ACCOUN~1\INSTALL.LOG
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
Software CineMaster 99 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ravisent\DVD Player\Uninst.isu"
Sonic CinePlayer --> MsiExec.exe /X{26792CA7-D87A-4DBE-896B-C2F66B344511}
SoundMAXWDM --> C:\WINDOWS\SYSTEM\ADIOUT.BAT
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TP HTTP --> "C:\Program Files\scbar\v2\scbar.exe" /R W
URL.IE APP --> "C:\Program Files\scbar\v2\scbar.exe" /R I
VideoLAN VLC media player 0.7.2 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Word in Works Suite add-in --> MsiExec.exe /I{0DB93918-2A77-11D3-805A-00C04FA329AA}
World Watch --> MsiExec.exe /I{5D80C95B-80B7-11D3-B9A5-00AA0060BCC8}
Yahoo! extras --> C:\PROGRA~1\YAHOO!\COMMON\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\YMMAPI~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\YAHOO!\COMMON\unyt.exe
YAMAHA SoftSynthesizer S-YG20 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\DeIsL2.isu -c"C:\WINDOWS\SYSTEM32\sxgunins.dll


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2477156 / Error
Event Submitted/Written: 06/09/2008 02:35:28 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The iPodSrv service failed to start due to the following error:
%%2

Event Record #/Type2477155 / Error
Event Submitted/Written: 06/09/2008 02:35:28 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AOL Connectivity Service service failed to start due to the following error:
%%3

Event Record #/Type2477138 / Error
Event Submitted/Written: 06/09/2008 09:47:30 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The iPodSrv service failed to start due to the following error:
%%2

Event Record #/Type2477137 / Error
Event Submitted/Written: 06/09/2008 09:47:30 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AOL Connectivity Service service failed to start due to the following error:
%%3

Event Record #/Type2477119 / Error
Event Submitted/Written: 06/08/2008 06:36:31 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The iPodSrv service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-09 14:50:39 ------------

Shaba
2008-06-10, 16:14
Hi

Uninstall via add/remove programs:

Need2Find Bar
Viewpoint Manager (optional)
Viewpoint Media Player (optional)

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKCU\..\Run: [YBu4RXi7O] wzcatcha.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

Close all windows including browser and press fix checked.

Go to Start > Run
Type regedit and click OK.

On the leftside, click to highlight My Computer at the top.
Go up to "File > Export"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
Choose to save it to C:\ or in somewhere else safe location so that you will remember where you put it (don't put it on the Desktop!)
Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cBZ1euXgc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nupeii]

Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Go to Desktop, double-click fix.reg and merge the infomation with the registry.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot.

Delete this:

C:\Program Files\Need2Find

Empty Recycle Bin.

Re-run dss.

Post dss log.

Hemlocke
2008-06-11, 05:07
New DSS log:

Deckard's System Scanner v20071014.68
Run by Jackson Confer on 2008-06-10 19:03:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 127 MiB (512 MiB recommended).


-- HijackThis (run as Jackson Confer.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:58 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dlbccoms.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jackson Confer\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JACKSO~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webmail.adelphia.net/webedge"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: MindSpring - {A7A40980-E4A1-11D4-B68A-000086400686} - c:\Program Files\MindSpring 4.0\MID4.EXE (file missing) (HKCU)
O9 - Extra button: Dell Home - {E1A55500-9C4D-11D3-B689-10B54FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E301E220-177F-4047-A70B-9586B5EE1DEB}: Domain = mindspring.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 7845 bytes

-- Files created between 2008-05-10 and 2008-06-10 -----------------------------

2008-06-10 18:50:04 84838476 --a------ C:\Documents and Settings\Jackson Confer\backup.reg
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-05 20:43:50 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-05 20:43:50 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-05 20:43:50 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-05 20:43:50 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-05 20:43:50 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-05 20:43:50 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-05 20:43:50 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-05 20:43:50 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-05 20:43:50 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-05 20:43:49 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-05 20:43:48 1572864 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-06-04 23:25:40 0 d-------- C:\Program Files\Trend Micro
2008-06-04 19:58:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 19:58:41 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/01/2007 06:53 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB006" /M "Stylus C88"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MEDIC]
"C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps5Q37O]
umapy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CHotKey"=Webster.exe
"SvcButton"=c:\windows\service.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"MotiveMonitor"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\motmon.exe
"madexe"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"AccessRampMonitor"=C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"RegShave"=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60a1ac0-c8bb-11dc-aef7-00038a000015}]
AutoRun\command- E:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-06-10 19:05:57 ------------

Shaba
2008-06-11, 16:34
Hi

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply along with a fresh HijackThis log.

Hemlocke
2008-06-12, 01:42
Malwarebytes' Anti-Malware 1.17
Database version: 848

3:28:05 PM 6/11/2008
mbam-log-6-11-2008 (15-28-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122156
Time elapsed: 47 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Program Files\mIRC\mirc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\HOSTS (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:59 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dlbccoms.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webmail.adelphia.net/webedge"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: MindSpring - {A7A40980-E4A1-11D4-B68A-000086400686} - c:\Program Files\MindSpring 4.0\MID4.EXE (file missing) (HKCU)
O9 - Extra button: Dell Home - {E1A55500-9C4D-11D3-B689-10B54FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E301E220-177F-4047-A70B-9586B5EE1DEB}: Domain = mindspring.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 7845 bytes

Shaba
2008-06-12, 16:26
Hi

Restore this from MBAM quarantine:

C:\Program Files\mIRC\mirc.exe

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):




C:\WINDOWS\SYSTEM32\Fantasy Access-uninstall.exe
C:\WINDOWS\SYSTEM32\BO2202031216.dll
C:\WINDOWS\SYSTEM32\SHAgentNew.dll
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\WINDOWS\SYSTEM32\Xcite2.exe
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\AStart.exe
C:\Program Files\Netscape\Netscape\plugins\npzango.dll
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\Program Files\Need2Find
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab
C:\Documents and Settings\Jackson Confer\Local Settings\Temp\temp.fr801E


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

Hemlocke
2008-06-14, 08:59
OTMoveit Log:

C:\WINDOWS\SYSTEM32\Fantasy Access-uninstall.exe moved successfully.
C:\WINDOWS\SYSTEM32\BO2202031216.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\BO2202031216.dll moved successfully.
C:\WINDOWS\SYSTEM32\SHAgentNew.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\SHAgentNew.dll moved successfully.
C:\WINDOWS\SYSTEM32\Xcite.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\Xcite.dll moved successfully.
C:\WINDOWS\SYSTEM32\Xcite2.exe moved successfully.
C:\WINDOWS\SYSTEM32\ezStub3.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\ezStub3.dll moved successfully.
C:\WINDOWS\AStart.exe moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Netscape\Netscape\plugins\npzango.dll
C:\Program Files\Netscape\Netscape\plugins\npzango.dll NOT unregistered.
C:\Program Files\Netscape\Netscape\plugins\npzango.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll NOT unregistered.
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll moved successfully.
File/Folder C:\Program Files\Need2Find not found.
File/Folder C:\Documents and Settings\Jackson Confer\Local Settings\Temp\asmfiles.cab not found.
File/Folder C:\Documents and Settings\Jackson Confer\Local Settings\Temp\temp.fr801E not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06132008_012228


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:31 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webmail.adelphia.net/webedge"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JACKSON CONFER\Application Data\Mozilla\Profiles\default\fwr4f5gz.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: MindSpring - {A7A40980-E4A1-11D4-B68A-000086400686} - c:\Program Files\MindSpring 4.0\MID4.EXE (file missing) (HKCU)
O9 - Extra button: Dell Home - {E1A55500-9C4D-11D3-B689-10B54FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1213407682_b068d2a31a3aba44a910a982c348ef88&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E301E220-177F-4047-A70B-9586B5EE1DEB}: Domain = mindspring.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 8556 bytes

Kaspersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 03:05:40
Records in database: 862537
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 55298
Threat name: 22
Infected objects: 35
Suspicious objects: 0
Duration of the scan: 03:00:43


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080610190315\backup\DOCUME~1\JACKSO~1\LOCALS~1\Temp\asmfiles.cab Infected: not-a-virus:AdWare.Win32.Altnet.l 1
C:\Deckard\System Scanner\20080610190315\backup\DOCUME~1\JACKSO~1\LOCALS~1\Temp\asmfiles.cab Infected: not-a-virus:AdWare.Win32.Altnet.t 1
C:\Deckard\System Scanner\20080610190315\backup\DOCUME~1\JACKSO~1\LOCALS~1\Temp\temp.fr801E Infected: not-a-virus:AdWare.Win32.BiSpy.o 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-2e8f809-111adab3.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2d653d3a.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-550a77cc.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205 Infected: Trojan-Downloader.Java.OpenConnection.ao 2
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-77dcb205 Infected: Trojan.Java.ClassLoader.au 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\25\2138d899-236eb5f6 Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-64dfe894 Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-216864be Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212822.dll Infected: not-a-virus:AdWare.Win32.Altnet.t 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212825.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212826.dll Infected: not-a-virus:AdWare.Win32.Altnet.x 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212827.dll Infected: not-a-virus:AdWare.Win32.Altnet.j 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212828.dll Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212829.exe Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212830.dll Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212831.dll Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212833.exe Infected: not-a-virus:AdWare.Win32.Altnet.g 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP788\A0212835.EXE Infected: not-a-virus:AdWare.Win32.Background 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP792\A0214997.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP792\A0214998.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP793\A0215179.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e 1
C:\System Volume Information\_restore{22018BAF-A4E5-4F3D-989F-40893ED4DE47}\RP793\A0215254.dll Infected: not-a-virus:AdWare.Win32.MySearch.e 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\SYSTEM32\Fantasy Access-uninstall.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\SYSTEM32\BO2202031216.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\SYSTEM32\SHAgentNew.dll Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\SYSTEM32\Xcite.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.m 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\SYSTEM32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\SYSTEM32\ezStub3.dll Infected: not-a-virus:AdWare.Win32.EZula.cp 1
C:\_OTMoveIt\MovedFiles\06132008_012228\WINDOWS\AStart.exe Infected: Trojan-Downloader.Win32.VB.ah 1
C:\_OTMoveIt\MovedFiles\06132008_012228\Program Files\Netscape\Netscape\plugins\npzango.dll Infected: not-a-virus:AdWare.Win32.WinAD.aw 1
C:\_OTMoveIt\MovedFiles\06132008_012228\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o 1

The selected area was scanned.

Shaba
2008-06-14, 12:21
Hi

Empty these folders:

C:\Deckard\System Scanner\20080610190315\backup\DOCUME~1\JACKSO~1\LOCALS~1\Temp\
C:\Documents and Settings\Jerry Casillas\Application Data\Sun\Java\Deployment\cache\
C:\_OTMoveIt\MovedFiles

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

Hemlocke
2008-06-16, 18:53
There are no problems left. The computer is running MUCH faster and there are no more pop-ups. Thank you very much for your help.

Shaba
2008-06-16, 19:54
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:

Shaba
2008-06-19, 15:08
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.