Broadcaster pop up, auto downloader

[fieldofhats]

Hello

(reply continued on next post)

winpfind3 report:


WinPFind3 logfile created on: 4/20/2007 10:23:19 AM
WinPFind3U by OldTimer - Version 1.0.34 Folder = C:\Documents and Settings\lesley allen\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

510.98 Mb Total Physical Memory | 338.32 Mb Available Physical Memory | 66.21% Memory free
1.64 Gb Paging File | 1.31 Gb Available in Paging File | 80.20% Paging File free
Paging file location(s): C:\pagefile.sys 1200 2000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 52.20 Gb Free Space | 46.73% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 57.26 Gb Total Space | 17.83 Gb Free Space | 31.15% Space Free

Computer Name: LESLEY
Current User Name: lesley allen
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,365 | Size = 336896 bytes | Modified Date = 10/24/2006 2:56:52 PM | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 5:20:00 AM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,349 | Size = 84480 bytes | Modified Date = 10/24/2006 2:56:54 PM | Attr = ]
bcmsmmsg.exe -> %SystemRoot%\BCMSMMSG.exe -> Broadcom Corporation [Ver = 3.5.25 08/27/2003 20:04:35 | Size = 122880 bytes | Modified Date = 8/29/2003 4:59:24 AM | Attr = ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 45056 bytes | Modified Date = 2/15/2002 9:31:42 AM | Attr = ]
googledesktop.exe -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktop.exe -> Google [Ver = 4.2006.509.1244 | Size = 166400 bytes | Modified Date = 4/5/2007 8:27:50 AM | Attr = ]
googledesktopcrawl.exe -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopCrawl.exe -> Google [Ver = 4.2006.509.1244 | Size = 242176 bytes | Modified Date = 4/5/2007 8:27:50 AM | Attr = ]
googledesktopdisplay.exe -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopDisplay.exe -> Google [Ver = 4.2006.509.1244 | Size = 1072640 bytes | Modified Date = 4/5/2007 8:27:50 AM | Attr = ]
googledesktopindex.exe -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopIndex.exe -> Google [Ver = 4.2006.509.1244 | Size = 724992 bytes | Modified Date = 4/5/2007 8:27:50 AM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 7:13:20 AM | Attr = ]
incd.exe -> %ProgramFiles%\Ahead\InCD\InCD.exe -> Nero AG [Ver = 4, 3, 23, 0 | Size = 1398272 bytes | Modified Date = 1/16/2006 9:46:28 AM | Attr = ]
incdsrv.exe -> %ProgramFiles%\Ahead\InCD\InCDsrv.exe -> Nero AG [Ver = 4, 3, 23, 0 | Size = 878592 bytes | Modified Date = 1/16/2006 7:46:12 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 77824 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 81920 bytes | Modified Date = 10/6/2003 3:16:00 PM | Attr = ]
qnetod.exe -> %ProgramFiles%\QNET Overdrive\qnetod.exe -> [Ver = 3.2.12 | Size = 225280 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
sagent2.exe -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 1, 2, 0, 0 | Size = 114688 bytes | Modified Date = 11/17/2000 2:02:00 AM | Attr = ]
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
wanmpsvc.exe -> %SystemRoot%\wanmpsvc.exe -> America Online, Inc. [Ver = 7, 0, 0, 2 | Size = 65536 bytes | Modified Date = 11/26/2001 6:54:02 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 4/10/2007 10:00:18 PM | Attr = ]
wzqkpick.exe -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 118784 bytes | Modified Date = 12/17/2004 10:00:00 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 12/17/2005 2:51:30 PM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 7:13:20 AM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,365 | Size = 336896 bytes | Modified Date = 10/24/2006 2:56:52 PM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,349 | Size = 84480 bytes | Modified Date = 10/24/2006 2:56:54 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:48 AM | Attr = ]
(EPSONStatusAgent2) EPSON Printer Status Agent2 [Win32_Own | Auto | Running] -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 1, 2, 0, 0 | Size = 114688 bytes | Modified Date = 11/17/2000 2:02:00 AM | Attr = ]
(InCDsrv) InCD Helper [Win32_Own | Auto | Running] -> %ProgramFiles%\Ahead\InCD\InCDsrv.exe -> Nero AG [Ver = 4, 3, 23, 0 | Size = 878592 bytes | Modified Date = 1/16/2006 7:46:12 PM | Attr = ]
(InCDsrvR) InCD Helper (read only) [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Ahead\InCD\InCDsrv.exe -> Nero AG [Ver = 4, 3, 23, 0 | Size = 878592 bytes | Modified Date = 1/16/2006 7:46:12 PM | Attr = ]
(NMSSvc) Intel(R) NMS [Win32_Own | On_Demand | Stopped] -> %System32%\NMSSvc.Exe -> Intel Corporation [Ver = 2.1.8.1 | Size = 1118208 bytes | Modified Date = 5/3/2002 10:29:42 AM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 81920 bytes | Modified Date = 10/6/2003 3:16:00 PM | Attr = ]
(WANMiniportService) WAN Miniport (ATW) Service [Win32_Own | Auto | Running] -> %SystemRoot%\wanmpsvc.exe -> America Online, Inc. [Ver = 7, 0, 0, 2 | Size = 65536 bytes | Modified Date = 11/26/2001 6:54:02 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 5:20:00 AM | Attr = ]
BCMSMMSG -> %SystemRoot%\BCMSMMSG.exe -> Broadcom Corporation [Ver = 3.5.25 08/27/2003 20:04:35 | Size = 122880 bytes | Modified Date = 8/29/2003 4:59:24 AM | Attr = ]
DwlClient -> %CommonProgramFiles%\Dell\EUSW\Support.exe -> File not found
EVENTLISTENER -> %CommonProgramFiles%\FotoNation\EvLstnr.exe -> File not found
Google Desktop Search -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktop.exe -> Google [Ver = 4.2006.509.1244 | Size = 166400 bytes | Modified Date = 4/5/2007 8:27:50 AM | Attr = ]
InCD -> %ProgramFiles%\Ahead\InCD\InCD.exe -> Nero AG [Ver = 4, 3, 23, 0 | Size = 1398272 bytes | Modified Date = 1/16/2006 9:46:28 AM | Attr = ]
Ink Monitor -> %ProgramFiles%\EPSON\Ink Monitor\InkMonitor.exe -> File not found
Microsoft Works Update Detection -> %CommonProgramFiles%\Microsoft Shared\Works Shared\WkUFind.exe -> File not found
MMTray -> %ProgramFiles%\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe -> File not found
NeroFilterCheck -> %System32%\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 1/12/2006 5:40:44 PM | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 5058560 bytes | Modified Date = 10/6/2003 3:16:00 PM | Attr = ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 741376 bytes | Modified Date = 10/6/2003 3:16:00 PM | Attr = ]
Picasa Media Detector -> %ProgramFiles%\Picasa2\PicasaMediaDetector.exe -> File not found
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 77824 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter -> %System32%\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 49152 bytes | Modified Date = 10/6/2003 3:16:00 PM | Attr = ]
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 110592 bytes | Modified Date = 4/24/2002 9:04:32 PM | Attr = ]
%AllUsersStartup%\Digital Line Detect.lnk -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 45056 bytes | Modified Date = 2/15/2002 9:31:42 AM | Attr = ]
%AllUsersStartup%\Portfolio Express.lnk -> %ProgramFiles%\Extensis\Portfolio Solo\Portfolio Solo Express.exe -> Extensis, Inc. [Ver = 6.02 | Size = 1961984 bytes | Modified Date = 5/5/2003 12:24:00 PM | Attr = ]
%AllUsersStartup%\QNET Overdrive Technology.lnk -> %ProgramFiles%\QNET Overdrive\qnetod.exe -> [Ver = 3.2.12 | Size = 225280 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
%AllUsersStartup%\WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 118784 bytes | Modified Date = 12/17/2004 10:00:00 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
?IT -> -> File not found
C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopNetwork3.dll -> Google [Ver = 4.2006.509.1244 | Size = 134656 bytes | Modified Date = 4/5/2007 8:27:50 AM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 9/28/2006 7:13:28 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< HOSTS File > (635 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 4/16/2001 5:39:02 PM | Attr = ]
{4115122B-85FF-4DD3-9515-F075BEDE5EB5} [HKLM] -> %ProgramFiles%\QNET Overdrive\PBHelper.dll [PBlockHelper Class] -> [Ver = 3.2.12 | Size = 219136 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 501384 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0\bin\npjpi160.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 132744 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 501384 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -> Reg Data - Value does not exist [ButtonText: Create Mobile Favorite] -> File not found
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 8/1/2001 6:05:42 PM | Attr = ]

 

[fieldofhats]

(winpfind3 report cont)

< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{A8CD2235-FB1D-42E3-ADEF-995DEF79A475} -> (1394 Net Adapter) ->
{E030623A-1DA7-4994-83C6-7A1C36899E1B} -> (Intel(R) PRO/100 M Network Connection) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\QNET Overdrive\sliplsp.dll -> [Ver = 3.2.12 | Size = 86016 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\QNET Overdrive\sliplsp.dll -> [Ver = 3.2.12 | Size = 86016 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %ProgramFiles%\QNET Overdrive\sliplsp.dll -> [Ver = 3.2.12 | Size = 86016 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000035 -> %ProgramFiles%\QNET Overdrive\sliplsp.dll -> [Ver = 3.2.12 | Size = 86016 bytes | Modified Date = 11/17/2004 8:05:36 PM | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{08BEF711-06DA-48B2-9534-802ECAA2E4F9} -> PlxInstall Class - CodeBase = https://www.plaxo.com/down/release/PlaxoInstall.cab ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab ->
{1842B0EE-B597-11D4-8997-00104BD12D94} -> iCC Class - CodeBase = http://www.pcpitstop.com/internet/pcpConnCheck.cab ->
{33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab ->
{4C39376E-FA9D-4349-BACC-D305C1750EF3} -> EPUImageControl Class - CodeBase = http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> - CodeBase = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136581683859 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab ->
{90C9629E-CD32-11D3-BBFB-00105A1F0D68} -> InstallShield International Setup Player - CodeBase = http://www.napster.com/client/isetup.cab ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -> - CodeBase = http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab ->
{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} -> Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab ->
{DC765522-D5BE-49C9-AF5F-8C715A44BA28} -> MS Investor Ticker - CodeBase = http://fdl.msn.com/public/investor/v9.5/ticker.cab ->
{EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} -> MSN Money Ticker - CodeBase = http://fdl.msn.com/public/investor/v13/ticker.cab ->
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -> McFreeScan Class - CodeBase = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4328/mcfscan.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->

[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 535871488 bytes | Created Date = 1/1/1601 8:00:00 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 4/6/2007 11:53:22 AM | Attr = ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Created Date = 4/10/2007 8:11:47 AM | Attr = ]
dfiilm.ini -> %SystemRoot%\dfiilm.ini -> [Ver = | Size = 1456063 bytes | Created Date = 4/4/2007 10:24:37 AM | Attr = HS]
eegiii.ini -> %SystemRoot%\eegiii.ini -> [Ver = | Size = 1456222 bytes | Created Date = 4/10/2007 8:14:00 AM | Attr = HS]
InCD -> %SystemRoot%\InCD -> [Folder | Created Date = 3/31/2007 8:31:18 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Created Date = 4/6/2007 8:04:59 AM | Attr = ]
NuNinst.cfg -> %SystemRoot%\NuNinst.cfg -> [Ver = | Size = 58818 bytes | Created Date = 3/31/2007 8:34:00 AM | Attr = ]
NuNinst.exe -> %SystemRoot%\NuNinst.exe -> Nero AG [Ver = 1, 2, 3, 129 | Size = 3051520 bytes | Created Date = 3/31/2007 8:33:59 AM | Attr = ]
UNAheadManual.cfg -> %SystemRoot%\UNAheadManual.cfg -> [Ver = | Size = 33193 bytes | Created Date = 3/31/2007 8:31:32 AM | Attr = ]
UNAheadManual.exe -> %SystemRoot%\UNAheadManual.exe -> Ahead Software AG [Ver = 1, 2, 2, 199 | Size = 1916928 bytes | Created Date = 3/31/2007 8:31:31 AM | Attr = ]
UNMRW.cfg -> %SystemRoot%\UNMRW.cfg -> [Ver = | Size = 55770 bytes | Created Date = 3/31/2007 8:31:23 AM | Attr = ]
UNMRW.exe -> %SystemRoot%\UNMRW.exe -> Nero AG [Ver = 1, 2, 3, 129 | Size = 3051520 bytes | Created Date = 3/31/2007 8:31:22 AM | Attr = ]
UNNeroVision.cfg -> %SystemRoot%\UNNeroVision.cfg -> [Ver = | Size = 125362 bytes | Created Date = 3/31/2007 8:27:36 AM | Attr = ]
UNNeroVision.exe -> %SystemRoot%\UNNeroVision.exe -> Nero AG [Ver = 1, 2, 3, 123 | Size = 3051520 bytes | Created Date = 3/31/2007 8:27:35 AM | Attr = ]
UNNMP.cfg -> %SystemRoot%\UNNMP.cfg -> [Ver = | Size = 46251 bytes | Created Date = 3/31/2007 8:31:09 AM | Attr = ]
UNNMP.exe -> %SystemRoot%\UNNMP.exe -> Nero AG [Ver = 1, 2, 3, 123 | Size = 3051520 bytes | Created Date = 3/31/2007 8:31:08 AM | Attr = ]
UNNVEContent.cfg -> %SystemRoot%\UNNVEContent.cfg -> [Ver = | Size = 67990 bytes | Created Date = 3/31/2007 8:32:03 AM | Attr = ]
UNNVEContent.exe -> %SystemRoot%\UNNVEContent.exe -> Ahead Software AG [Ver = 1, 2, 2, 199 | Size = 1916928 bytes | Created Date = 3/31/2007 8:32:02 AM | Attr = ]
yacbdd.ini -> %SystemRoot%\yacbdd.ini -> [Ver = | Size = 1456243 bytes | Created Date = 4/6/2007 7:20:20 AM | Attr = HS]
bund1 -> %System32%\bund1 -> [Folder | Created Date = 4/7/2007 7:23:15 AM | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 4/6/2007 12:14:03 PM | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Created Date = 4/11/2007 10:09:05 AM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 69632 bytes | Created Date = 4/11/2007 10:09:05 AM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Created Date = 4/11/2007 10:09:05 AM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 139264 bytes | Created Date = 4/11/2007 10:09:05 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 4/13/2007 7:11:32 AM | Attr = ]
NeroCheck.exe -> %System32%\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Created Date = 3/31/2007 8:29:49 AM | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 4/6/2007 12:14:03 PM | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 4/6/2007 12:14:03 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 4/6/2007 12:14:03 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Created Date = 4/6/2007 12:14:03 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 4/6/2007 12:14:03 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 4166 bytes | Created Date = 4/6/2007 11:31:23 AM | Attr = ]
~.exe -> %System32%\~.exe -> [Ver = | Size = 14390 bytes | Created Date = 4/7/2007 7:22:32 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 4/9/2007 2:25:42 PM | Attr = ]
core.cache.dsk -> %System32%\drivers\core.cache.dsk -> [Ver = | Size = 161849 bytes | Created Date = 4/7/2007 7:25:58 AM | Attr = ]
core.sys -> %System32%\drivers\core.sys -> [Ver = | Size = 72320 bytes | Created Date = 4/7/2007 7:25:56 AM | Attr = ]
InCDfs.sys -> %System32%\drivers\InCDfs.sys -> Nero AG [Ver = 4, 3, 23, 0 | Size = 102016 bytes | Created Date = 3/31/2007 8:31:20 AM | Attr = ]
InCDpass.sys -> %System32%\drivers\InCDpass.sys -> Nero AG [Ver = 4, 3, 23, 0 | Size = 29440 bytes | Created Date = 3/31/2007 8:31:20 AM | Attr = ]
InCDrec.sys -> %System32%\drivers\InCDrec.sys -> Nero AG [Ver = 4, 3, 23, 0 | Size = 8704 bytes | Created Date = 3/31/2007 8:31:20 AM | Attr = ]
InCDrm.sys -> %System32%\drivers\InCDrm.sys -> Nero AG [Ver = 4, 3, 23, 0 | Size = 32640 bytes | Created Date = 3/31/2007 8:31:19 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 4/11/2007 10:23:18 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 535871488 bytes | Modified Date = 4/20/2007 7:01:12 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 4/7/2007 10:14:08 AM | Attr = R ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 4/17/2007 9:20:42 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 4/15/2007 4:21:20 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 4/14/2007 7:01:16 AM | Attr = ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 4/10/2007 12:19:58 PM | Attr = ]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT -> [Ver = | Size = 2048 bytes | Modified Date = 4/20/2007 7:01:14 AM | Attr = S]
dfiilm.ini -> %SystemRoot%\dfiilm.ini -> [Ver = | Size = 1456063 bytes | Modified Date = 4/4/2007 11:26:30 AM | Attr = HS]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 4/13/2007 8:11:38 AM | Attr = S]
eegiii.ini -> %SystemRoot%\eegiii.ini -> [Ver = | Size = 1456222 bytes | Modified Date = 4/10/2007 1:18:04 PM | Attr = HS]
InCD -> %SystemRoot%\InCD -> [Folder | Modified Date = 3/31/2007 9:31:20 AM | Attr = ]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 4/13/2007 8:11:34 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 4/11/2007 11:09:12 AM | Attr = HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 4/19/2007 7:56:18 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 4/20/2007 10:22:02 AM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 4/13/2007 8:11:34 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 4/20/2007 8:03:14 AM | Attr = ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [Ver = | Size = 316640 bytes | Modified Date = 3/31/2007 9:27:58 AM | Attr = ]
yacbdd.ini -> %SystemRoot%\yacbdd.ini -> [Ver = | Size = 1456243 bytes | Modified Date = 4/6/2007 8:46:32 AM | Attr = HS]
LAPhoto 1106681884.job -> %SystemRoot%\tasks\LAPhoto 1106681884.job -> [Ver = | Size = 420 bytes | Modified Date = 4/17/2007 1:00:02 PM | Attr = H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 4/20/2007 7:01:20 AM | Attr = H ]
bund1 -> %System32%\bund1 -> [Folder | Modified Date = 4/7/2007 8:28:38 AM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 3/31/2007 9:29:54 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 4/13/2007 8:11:30 AM | Attr = ]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 4/11/2007 11:23:20 AM | Attr = ]
FxsTmp -> %System32%\FxsTmp -> [Folder | Modified Date = 4/16/2007 10:02:08 AM | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 69632 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 139264 bytes | Modified Date = 4/11/2007 11:08:50 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 4/13/2007 8:11:34 AM | Attr = ]
PERFC009.DAT -> %System32%\PERFC009.DAT -> [Ver = | Size = 54280 bytes | Modified Date = 4/2/2007 7:39:34 AM | Attr = ]
PERFH009.DAT -> %System32%\PERFH009.DAT -> [Ver = | Size = 384596 bytes | Modified Date = 4/2/2007 7:39:34 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 445630 bytes | Modified Date = 4/2/2007 7:39:34 AM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 4/17/2007 9:20:42 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 4166 bytes | Modified Date = 4/6/2007 1:14:28 PM | Attr = ]
WPA.DBL -> %System32%\WPA.DBL -> [Ver = | Size = 1170 bytes | Modified Date = 3/29/2007 10:50:02 AM | Attr = ]
~.exe -> %System32%\~.exe -> [Ver = | Size = 14390 bytes | Modified Date = 4/7/2007 8:22:40 AM | Attr = ]
core.cache.dsk -> %System32%\drivers\core.cache.dsk -> [Ver = | Size = 161849 bytes | Modified Date = 4/7/2007 8:26:00 AM | Attr = ]
core.sys -> %System32%\drivers\core.sys -> [Ver = | Size = 72320 bytes | Modified Date = 4/7/2007 8:25:58 AM | Attr = ]
ETC -> %System32%\drivers\ETC -> [Folder | Modified Date = 4/11/2007 9:13:28 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Modified Date = 4/6/2007 10:45:16 AM | Attr = ]
hosts.bak -> %System32%\drivers\ETC\hosts.bak -> [Ver = | Size = 0 bytes | Modified Date = 4/6/2007 12:41:58 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\DFRG.MSC -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 4:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 5:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 8/29/2006 7:43:54 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Modified Date = 1/9/2006 10:36:06 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 12/1/2006 6:20:34 AM | Attr = ]
winsync , -> %System32%\WBDBASE.DEU -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 4:00:00 AM | Attr = ]
PEC2 , -> %System32%\~.exe -> [Ver = | Size = 14390 bytes | Modified Date = 4/7/2007 8:22:40 AM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7,1,0,394 | Size = 776096 bytes | Modified Date = 10/24/2006 2:56:56 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:38 PM | Attr = ]

< End of report >

 

[Shaba]

Hi

Rename HijackThis.exe to scanner.exe

Make your hidden & system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete these:

C:\windows\dfiilm.ini
C:\windows\eegiii.ini
C:\windows\yacbdd.ini

Empty Recycle Bin

Post a fresh HijackThis log

 

[fieldofhats]

Hello


followed instructions, hjt report:


Logfile of HijackThis v1.99.1
Scan saved at 12:07:34 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\QNET Overdrive\qnetod.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=SLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\QNET Overdrive\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [EVENTLISTENER] C:\Program Files\Common Files\FotoNation\EvLstnr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Portfolio Express.lnk = ?
O4 - Global Startup: QNET Overdrive Technology.lnk = C:\Program Files\QNET Overdrive\qnetod.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136581683859
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4328/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B74EADD-5B2E-4E83-A94A-DFF5D54F7EAD}: NameServer = 209.221.205.2 209.221.205.3
O20 - AppInit_DLLs: ?IT C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

[Shaba]

Hi

Log looks good.

Still popups?

 

[fieldofhats]

Hi Shaba

Seems like I have quite a persitant pest on my computer. Pop ups appeared again with IE explorer, simmilar to those described earlier.

also, when I close my dial up connection, something trys to open a new connection (again only if I use IE explorer first)
Spybot teatimer is detecting a registry change regarding the IE explorer browser, I have been denying this, not sure if it is connected to my problems.

 

[Shaba]

Hi

Go to control panel -> network connections. What do you see there?

 

[Shaba]

Hi

Sorry I missed two bad files first.

Delete these:

C:\Windows\System32\drivers\core.cache.dsk
C:\Windows\System32\drivers\core.sys

Empty Recycle Bin

Did it help?

 

[fieldofhats]

Hi Shaba

No pop ups for a few days, looks like I might be in good shape!

Thank you for putting so much time into helping me and others.

 

[Shaba]

Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Go here and download and install JRE 6.0u1. Click the link that says Java Runtime Environment (JRE) 6u1. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-6u1-windows-i586-p.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 6.0 Update.

• Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and reenable system restore here:
  
  Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  
  A tutorial on installing & using this product can be found here:
  
  Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

 

[fieldofhats]

Maybe not Clean?

Hi Shaba

Sorry for continuing to bother you, but I may have another issue

I installed zone alarm, and now have steady traffic on my dial up connection while i am Idle. Even if I close all browsers Etc. something is steadily using my connection. not sure if this is something with zone alarm, or if I still have a problem?

Pop ups are still clean.
thank you

 

[Shaba]

Hi

Well do that traffic come from/go to certain IP address ?

 

[fieldofhats]

I guess I need a little help here, I'm not sure how to identify the IP address where the traffic is going to / coming from.

I can just tell that there is steady traffic both ways while I am connected but not actively surfing, by watching the zone alarm traffic indicator in the task bar tray and by watching my dial up connection icon also in the tray.

not sure if it is helpful but the last couple of times that I have run avg antispyware (within the last week) It has found Downloader.Agent.bnn

 

[Shaba]

Hi

Is there any program open that can use connection (irc, p2p program etc.)?

You can post latest AVG a-s report if you like.

 

[fieldofhats]

Hi Shaba

No IRC, or P2P, etc loaded (than I know of). I have been trying to locate what is connected other than my browser with limited luck. While I am connected and my browser is idle zone alarm shows traffic is active on "generic host process for win32 services" and avg spyware shows (under analysis, connections tab) active connections for the firefox browser (firefox.exe) and svchost.exe (Application: svchost.exe, Protocol: tcp, local address: 209.221.222.183:1705, remote address 72.246.53.40:80, state: connected).

If I close all browsers and leave my internet connection open, traffic continues on this connection. this is a new occurrence since a couple of posts ago. My dial up connection also seems slower than usual while surfing.

latest avg spyware report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:05:17 PM 4/27/2007

+ Scan result:



C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP410\A0043884.exe -> Downloader.Agent.bnn : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\lesley allen\Application Data\Mozilla\Firefox\Profiles\3l8ta2ef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\lesley allen\Application Data\Mozilla\Firefox\Profiles\3l8ta2ef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\lesley allen\Application Data\Mozilla\Firefox\Profiles\3l8ta2ef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\lesley allen\Application Data\Mozilla\Firefox\Profiles\3l8ta2ef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\lesley allen\Application Data\Mozilla\Firefox\Profiles\3l8ta2ef.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.32:C:\Documents and Settings\lesley allen\Application Data\Mozilla\Firefox\Profiles\3l8ta2ef.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.


::Report end

 

[Shaba]

Hi

That's very strange but IP addresses look legit.

You didn't notice any traffic before ZoneAlarm (I mean modem lights blink now more)?

 

[fieldofhats]

Hello

Before this recent problem of spyware, popups etc, I didn't seem to have any traffic over my connection (blinking lights) while idle, then when it looked like I was clean, again I didn't see any traffic while I was Idle, after I installed zone alarm this traffic showed up and has been persistent. I thought that this was a coincidence but not sure.

Do you have any suggestions on how to more specifically identify what programs etc. are using my connection?

 

[Shaba]

Hi

Well, ZoneAlarm should show programs which currently use your connection.

It might be coincidence, yes.