parladent-doc.org

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

parladent-doc.org, desktop icons desapear, windows freezes

Options

doble View Member Profile	May 4 2007, 06:09 PM Post #1
Member Posts: 15 OS: windows xp	Hi, First off i would like to appologize. First time that i posted my log everytime i hit "submit" i would get a "page cannot be dysplayed" so thats why i kept doing it. Again, Sorry. I Am Having problems with this PARLADENT-DOC.ORG Everytime i boot my computer and it gets to the desktop i get this message from spyweeper "access was blocked to PARLADENT-DOC.ORG" A few minutes after i start working on anything my taskbar desapears and then if i minimize the windows i am working on my desktop icons are gone and i i have to restart my computer. This is been happening for a week now and its really getting annoying, so if someone can please take a look at my log and advise i'd be greatly appreciated. Thanks A little update. Now i do a search on any search engine i get the results but the website is always "singlesnet.com" Here Is My NEw Log. Some of the things i've done to try and fix the problem are; -Norton -spy sweeper -adaware Logfile of HijackThis v1.99.1 Scan saved at 5:02:38 PM, on 5/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\MouseWare\system\em_exec.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\JACK MEZZACAPPA\Desktop\HiJakcThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.qnis.net"); (C:\Program Files\Netscape\Users\User00\prefs.js) O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\shdocvs.dll O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O15 - Trusted Zone: .fnismls.com O15 - Trusted Zone: .mappoint.msn.com O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.108:8038/Java/cs4ms090.cab O16 - DPF: ChatSpace Java Client 2.1.0.90L - http://64.85.20.108:8038/Java/cs4msl090.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\JACKME~1\LOCALS~1\Temp\IXP000.TMP\setup.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133396710703 O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.rapmls.com/RapattoniMlsPDFCreator_001.exe O16 - DPF: {A7DB6550-3269-11D4-8C30-0001023CA9DC} (Vault Files Downloader) - http://vault.alamode.com/cab/vfd.cab O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB O16 - DPF: {C118AE9E-3A30-4B96-9C1C-295AA4A1262A} - http://vault.alamode.com/cab/vaultinstall.cab O16 - DPF: {FBAF1100-303B-4C47-8FC1-A7CF1F15D346} - http://bluehill.alamode.com/updates/Vault3/vaultinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer = 194.54.90.226 O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: MSSQL$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SQLAgent$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

SNOWHITE View Member Profile	May 21 2007, 12:53 PM Post #2
Trusted Helper Posts: 1,327 From: Macedonia OS: XP Pro, W2K, W98SE	Hello doble, Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems please post a fresh HijackThis log and we can begin the cleaning process.

doble View Member Profile	May 22 2007, 12:21 PM Post #3
Member Posts: 15 OS: windows xp	Hi Snowhite, Thats Ok I Understand. And Yes, I Am Still Having Problems So I Appreciate You Taking Time To Check My Log. Here Is A Fresh New One Like You Requested. Logfile of HijackThis v1.99.1 Scan saved at 11:16:04 AM, on 5/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MouseWare\system\em_exec.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.qnis.net"); (C:\Program Files\Netscape\Users\User00\prefs.js) O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O15 - Trusted Zone: .fnismls.com O15 - Trusted Zone: .mappoint.msn.com O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.108:8038/Java/cs4ms090.cab O16 - DPF: ChatSpace Java Client 2.1.0.90L - http://64.85.20.108:8038/Java/cs4msl090.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\JACKME~1\LOCALS~1\Temp\IXP000.TMP\setup.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133396710703 O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.rapmls.com/RapattoniMlsPDFCreator_001.exe O16 - DPF: {A7DB6550-3269-11D4-8C30-0001023CA9DC} (Vault Files Downloader) - http://vault.alamode.com/cab/vfd.cab O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB O16 - DPF: {C118AE9E-3A30-4B96-9C1C-295AA4A1262A} - http://vault.alamode.com/cab/vaultinstall.cab O16 - DPF: {FBAF1100-303B-4C47-8FC1-A7CF1F15D346} - http://bluehill.alamode.com/updates/Vault3/vaultinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer = 194.54.90.226 O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: MSSQL$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SQLAgent$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

SNOWHITE View Member Profile	May 22 2007, 04:51 PM Post #4
Trusted Helper Posts: 1,327 From: Macedonia OS: XP Pro, W2K, W98SE	Hello doble Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later. There is a backdoor trojan detected on your system. This gives hackers full access to everything stored on the computer! i recommend these actions: 1) use a known secure computer to change all of your online passwords 2) contact your bank and credit card company for possible unauthorised transactions more info can be found here: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? some further reading: Security Management - May 2004 Help: I Got Hacked. Now What Do I Do? http://www.microsoft.com/technet/community...gmt/sm0504.mspx Security Management - July 2004 Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft.com/technet/community...gmt/sm0704.mspx and finally some more considerations: When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063 if you choose to format and reinstall see this link for instructions: http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html Please follow the steps below: Step 1 Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Step 2 Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. * Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, Click Options > Change settings Choose the "Scan"-tab, remove the mark at "Heuristic analysis". Back at the main window, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. Step 3 Download haxfix.exe and save it to your desktop. Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix) Checkmark "Create a desktop icon" Click "Next" When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed Click "Finish" A red "dos window" (dos box) will open with options: 1. Make logfile 2. Run auto fix 3. Run manual fix E. Exit Haxfix Select option 1. Make logfile by typing 1 and then pressing Enter Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt) Copy the contents of that logfile and paste it into this thread. One question, is this your IP address 194.54.90.226, do you live in Ukraine ? Also is your antivirus updated with latest definitions and working properly? Please post back with Dr.Web CureIt report, the contents of haxlog.txt fresh HijackThis log.

doble View Member Profile	May 22 2007, 09:56 PM Post #5
Member Posts: 15 OS: windows xp	Hi snowhite, Wow! Long Task Here Are The Fresh New Logs..Execpt For the Dr. Web Log Because i accidentlly selected "clear report list" instead of "save report list" Sorry. Weh You asked if in Ukraine, No i am In The U.S And At That time that was not my IP. Hijackthis Logfile of HijackThis v1.99.1 Scan saved at 8:55:23 PM, on 5/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\MouseWare\system\em_exec.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.qnis.net"); (C:\Program Files\Netscape\Users\User00\prefs.js) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O15 - Trusted Zone: .fnismls.com O15 - Trusted Zone: .mappoint.msn.com O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.108:8038/Java/cs4ms090.cab O16 - DPF: ChatSpace Java Client 2.1.0.90L - http://64.85.20.108:8038/Java/cs4msl090.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\JACKME~1\LOCALS~1\Temp\IXP000.TMP\setup.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133396710703 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.rapmls.com/RapattoniMlsPDFCreator_001.exe O16 - DPF: {A7DB6550-3269-11D4-8C30-0001023CA9DC} (Vault Files Downloader) - http://vault.alamode.com/cab/vfd.cab O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB O16 - DPF: {C118AE9E-3A30-4B96-9C1C-295AA4A1262A} - http://vault.alamode.com/cab/vaultinstall.cab O16 - DPF: {FBAF1100-303B-4C47-8FC1-A7CF1F15D346} - http://bluehill.alamode.com/updates/Vault3/vaultinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer = 194.54.90.226 O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: MSSQL$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SQLAgent$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe ---------------------------------------------------------------------- haxlog HAXFIX logfile - by Marckie version 4.43 Tue 05/22/2007 20:19:07.29 --- Checking for Haxdoor --- checking for a3d files a3d files not found checking for matching notify keys no matching notify keys found checking for matching services matching services found DM9102 checking for matching safeboot services no matching safeboot services found checking for other Haxdoor-files no other Haxdoor-files found --- Checking for Goldun --- checking for SSODL keys no ssodl keys found checking for notify keys no notify keys found checking for services no services found checking for other Goldun-files no other Goldun-files found checking iexplore.exe iexplore.exe is not infected --- Catchme logfile - thank you Gmer --- catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-22 20:19:06 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... C:\serv.txt scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 1 --- Analysing Catchme logfile --- no matching regkeys found Finished! And my norton Anti virus is up to day with the newst definitions.

SNOWHITE View Member Profile	May 23 2007, 06:45 PM Post #6
Trusted Helper Posts: 1,327 From: Macedonia OS: XP Pro, W2K, W98SE	Hello doble Step 1 Please download SmitfraudFix (by S!Ri) to your Desktop. Double-click SmitfraudFix.exe Select option #5 - Search and clean DNS hijack by typing 5 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Step 2 Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer = 194.54.90.226 O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Step 3 Please download the OTMoveIt by OldTimer. Save it to your desktop. Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\system32\perfc000.dat C:\serv.txt Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Click the red Moveit! button. Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply. Close OTMoveIt If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Step 4 Download AVG Anti-Spyware from HERE and save that file to your desktop. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess: Lauch AVG Anti-Spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan. NOTE: if you are unable to update the definition files, you can perform manual update by going to the following site http://www.ewido.net/en/download/updates/ Step 5 Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Please post back with SmitfraudFix report, OTMoveIt report, AVG Anti-Spyware report scan, dss scan reports main.txt and extra.txt**, also let me know how is the computer running.

doble View Member Profile	May 25 2007, 03:45 PM Post #7
Member Posts: 15 OS: windows xp	Hello Snowhite, Here Are The Logs SmitFraudFix v2.188 Scan done at 12:43:38.00, Fri 05/25/2007 Run from C:\Documents and Settings\JACK MEZZACAPPA\Desktop\2nd scan\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode �� DNS Before Fix Your computer may be victim of a DNS Hijack: 194.54.x.x detected ! Description: CNet PRO200WL PCI Fast Ethernet Adapter - Packet Scheduler Miniport DNS Server Search Order: 194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{ABF8BC54-A0DA-40D4-BCA1-EEF1342CFF0E}: NameServer=194.54.90.226 �� DNS After Fix ------------------------------------------------------------- OTMoveIt File/Folder C:\WINDOWS\system32\perfc000.dat not found. C:\serv.txt moved successfully. Created on 05/25/2007 12:53:56 -------------------------------------------------- AVG Anti-Spyware - Scan Report + Created at: 2:22:34 PM 5/25/2007 + Scan result: C:\WINDOWS\SYSTEM32\dnsersnd.dll -> Hijacker.Small.cf : Cleaned. C:\WINDOWS\SYSTEM32\dnsersnd.exe -> Hijacker.Small.cf : Cleaned. C:\Documents and Settings\USER\Cookies\user@revsci[2].txt -> TrackingCookie.Revsci : Cleaned. C:\Documents and Settings\USER\Cookies\user@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned. ::Report end ---------------------------------------------------- Deckard's System Scanner v20070426.43 Run by JACK MEZZACAPPA on 2007-05-25 at 14:27:02 Computer is in Normal Mode.-------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- System Restore is disabled; attempting to re-enable...success. -- Last 1 Restore Point(s) -- 1: 2007-05-25 21:27:25 UTC - RP1 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as JACK MEZZACAPPA.exe) ------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 2:29:46 PM, on 5/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MouseWare\system\em_exec.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Documents and Settings\JACK MEZZACAPPA\Desktop\2nd scan\dss.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\HIJACK~1\JACK MEZZACAPPA.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.qnis.net"); (C:\Program Files\Netscape\Users\User00\prefs.js) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O15 - Trusted Zone: .fnismls.com O15 - Trusted Zone: .mappoint.msn.com O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.108:8038/Java/cs4ms090.cab O16 - DPF: ChatSpace Java Client 2.1.0.90L - http://64.85.20.108:8038/Java/cs4msl090.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\JACKME~1\LOCALS~1\Temp\IXP000.TMP\setup.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133396710703 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.rapmls.com/RapattoniMlsPDFCreator_001.exe O16 - DPF: {A7DB6550-3269-11D4-8C30-0001023CA9DC} (Vault Files Downloader) - http://vault.alamode.com/cab/vfd.cab O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB O16 - DPF: {C118AE9E-3A30-4B96-9C1C-295AA4A1262A} - http://vault.alamode.com/cab/vaultinstall.cab O16 - DPF: {FBAF1100-303B-4C47-8FC1-A7CF1F15D346} - http://bluehill.alamode.com/updates/Vault3/vaultinstall.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: MSSQL$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SQLAgent$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) -------------------- backup-20070522-171112-384 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html backup-20070522-171112-604 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com backup-20070522-171112-625 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html backup-20070522-203311-242 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com backup-20070522-203311-316 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html backup-20070522-203311-536 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com backup-20070522-203311-556 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html backup-20070525-124949-490 O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB backup-20070525-124949-592 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html backup-20070525-124949-833 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html backup-20070525-124949-875 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com backup-20070525-124949-987 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 aar1210 - c:\windows\system32\drivers\aar1210.sys <Not Verified; Adaptec, Inc.; Adaptec HostRAID for Serial ATA> R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; > R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys <Not Verified; Roxio; DirectCD> R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; DirectCD> R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7> R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys <Not Verified; Roxio; DirectCD> R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver> R1 pwd_2K - c:\windows\system32\drivers\pwd_2k.sys <Not Verified; Roxio; DirectCD> R1 UdfReadr_xp - c:\windows\system32\drivers\udfreadr_xp.sys <Not Verified; Roxio; DirectCD> R3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys <Not Verified; Roxio; DirectCD> S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys S3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys <Not Verified; Roxio; DirectCD> S3 TLA13 - c:\docume~1\jackme~1\locals~1\temp\user.bak (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 MSSQL$ALAMODE - "c:\program files\microsoft sql server\mssql$alamode\binn\sqlservr.exe" -salamode <Not Verified; Microsoft Corporation; Microsoft SQL Server> S3 SQLAgent$ALAMODE - "c:\program files\microsoft sql server\mssql$alamode\binn\sqlagent.exe" -i alamode <Not Verified; Microsoft Corporation; Microsoft SQL Server> S4 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module> -- Scheduled Tasks ------------------------------------------------------------- 2007-05-14 09:34:21 550 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - JACK MEZZACAPPA.job -- Files created between 2007-04-25 and 2007-05-25 ----------------------------- 2007-05-25 13:03:39 0 d-------- C:\WINDOWS\CSC 2007-05-22 20:18:48 90112 --a------ C:\WINDOWS\system32\RegDACL.exe <Not Verified; Frank Heyne Software; RegTools> 2007-05-22 20:18:48 4096 --a------ C:\WINDOWS\system32\reboot.exe 2007-05-22 20:18:48 86528 --a------ C:\WINDOWS\system32\catchme.exe 2007-05-22 20:18:48 9006 --a------ C:\clean.bat 2007-05-22 17:14:16 0 d-------- C:\Documents and Settings\JACK MEZZACAPPA\DoctorWeb 2007-05-22 14:19:55 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-05-16 15:53:41 0 d-------- C:\Program Files\Lavasoft 2007-05-15 09:38:03 103522 --a------ C:\WINDOWS\system32\cafes.exe 2007-05-09 19:00:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot 2007-05-09 19:00:03 0 d-------- C:\Program Files\Webroot 2007-05-09 19:00:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot 2007-05-09 18:58:44 0 d-------- C:\Documents and Settings\JACK MEZZACAPPA\Application Data\Webroot 2007-05-07 16:14:59 0 d-------- C:\WINDOWS\system32\appmgmt 2007-05-06 14:21:37 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System> 2007-05-01 12:33:10 0 d--h----- C:\Documents and Settings\LocalService\SendTo 2007-05-01 12:33:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities 2007-05-01 12:32:49 0 d--h----- C:\Documents and Settings\LocalService\NetHood 2007-05-01 12:32:49 0 dr------- C:\Documents and Settings\LocalService\My Documents 2007-05-01 12:32:48 0 dr------- C:\Documents and Settings\LocalService\Favorites 2007-05-01 12:32:47 0 d-------- C:\Documents and Settings\LocalService\Start Menu 2007-05-01 12:32:47 0 dr-h----- C:\Documents and Settings\LocalService\Recent 2007-05-01 12:32:47 0 d-------- C:\Documents and Settings\LocalService\Desktop -- Find3M Report --------------------------------------------------------------- 2007-05-23 11:25:37 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-05-22 16:57:09 0 d-------- C:\Documents and Settings\JACK MEZZACAPPA\Application Data\Adobe 2007-05-22 15:10:22 0 d-------- C:\Program Files\Norton AntiVirus 2007-05-22 11:07:27 5 --a------ C:\WINDOWS\system32\fontqxet.dll 2007-05-21 11:06:15 0 d-------- C:\Documents and Settings\JACK MEZZACAPPA\Application Data\AdobeUM 2007-05-16 17:16:29 209 --a------ C:\WINDOWS\system32\qviexio3.dat 2007-05-16 17:16:27 1672 --a------ C:\WINDOWS\system32\comsatac.dll 2007-05-16 15:54:23 0 d-------- C:\Documents and Settings\JACK MEZZACAPPA\Application Data\Lavasoft 2007-05-16 10:27:08 6144 --a------ C:\WINDOWS\system32\shdocvs.dll <Not Verified; Microsoft Corporation; Microsoft� Windows� Operating System> 2007-05-16 10:27:07 44713 --a------ C:\WINDOWS\system32\dsuiexq.dll 2007-05-16 10:27:01 15891 --a------ C:\WINDOWS\system32\msratnit.dll 2007-05-11 09:13:12 164 --a------ C:\install.dat 2007-05-07 16:14:24 0 d-------- C:\Program Files\DivX 2007-05-07 08:56:47 16 --a------ C:\Documents and Settings\JACK MEZZACAPPA\Application Data\.rdr.ini 2007-04-20 09:10:35 97 --a------ C:\WINDOWS\system32\qviexio2.dat 2007-04-19 14:18:08 3477504 --a------ C:\WINDOWS\system32\adbilling.dll <Not Verified; a la mode, inc.; ADBilling> 2007-04-18 16:47:00 495616 --a------ C:\WINDOWS\system32\alabilling.dll <Not Verified; a la mode, inc.; alaBilling> 2007-04-12 14:16:16 4 --a------ C:\WINDOWS\system32\srvswc2.dll 2007-04-12 14:16:16 0 --a------ C:\WINDOWS\system32\comcbx2.dll 2007-04-12 14:16:13 4 --a------ C:\WINDOWS\system32\srvswc3.dll 2007-04-12 14:16:12 1504 --a------ C:\WINDOWS\system32\comcs32c.dll 2007-04-12 14:15:55 0 --a------ C:\WINDOWS\system32\winupdat.dll 2007-04-12 14:15:55 8 --a------ C:\WINDOWS\system32\commnet8.dll 2007-04-11 14:28:12 4 --a------ C:\WINDOWS\system32\defrasw.dll 2007-04-10 12:21:30 3448832 --a------ C:\WINDOWS\system32\filecabinet5.dll <Not Verified; a la mode, inc.; File Cabinet> 2007-04-09 18:14:56 122880 --a------ C:\WINDOWS\system32\alaUploader.exe 2007-04-05 17:16:56 1859584 --a------ C:\WINDOWS\system32\alacontacts.dll <Not Verified; a la mode, inc.; alaContacts> 2007-04-05 14:18:58 1028096 --a------ C:\WINDOWS\system32\adcontacts.dll <Not Verified; a la mode, inc.; ADContacts> 2007-04-04 16:22:12 1552384 --a------ C:\WINDOWS\system32\wtusers.dll <Not Verified; a la mode, inc.; WTUsers> 2007-04-03 16:45:26 647168 --a------ C:\WINDOWS\system32\aConvert.dll <Not Verified; a la mode, inc.; aConvert> 2007-04-03 09:59:52 98304 --a------ C:\WINDOWS\system32\apshext.dll <Not Verified; ; ApShExt Dynamic Link Library> 2007-04-02 11:24:00 0 --a------ C:\WINDOWS\system32\winivfop.dll 2007-03-27 19:30:54 737280 --a------ C:\WINDOWS\system32\wtapi.exe <Not Verified; a la mode, inc.; WinTOTAL API> 2007-03-26 18:05:48 479232 --a------ C:\WINDOWS\system32\aladbimport.dll <Not Verified; a la mode, inc.; alaDBImport> 2007-03-23 12:49:43 0 --a------ C:\WINDOWS\system32\kiscbxz.dat 2007-03-21 10:33:58 0 --a------ C:\WINDOWS\system32\kiscbxw.dat 2007-03-19 16:47:12 13 --a------ C:\WINDOWS\system32\rasqervy.dll 2007-03-19 16:47:11 8 --a------ C:\WINDOWS\system32\sdfinacs.dll 2007-03-19 16:47:06 22 --a------ C:\WINDOWS\system32\hnetviw.dll 2007-03-19 16:39:56 115 --a------ C:\WINDOWS\system32\wuasirvy.dll 2007-03-06 18:11:59 0 --a------ C:\WINDOWS\system32\ISHARE 2007-03-03 19:32:41 68952 --a------ C:\WINDOWS\hpoins05.dat 2007-03-03 16:37:49 23680 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-03-02 14:09:28 212992 --a------ C:\WINDOWS\system32\apex2ctl.dll <Not Verified; a la mode, inc.; Apex2Control> 2007-02-27 12:48:54 2338816 --a------ C:\WINDOWS\system32\alamapctrl.dll <Not Verified; a la mode, inc.; alaMapCtrl> -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\PROGRA~1\Yahoo!\common\yiesrvc.dll {65D886A2-7CA7-479B-BB95-14D1EFB7946A} C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} C:\Program Files\Microsoft Money\System\mnyviewer.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "nwiz"="\"nwiz.exe\" /install" "Logitech Utility"="Logi_MwX.Exe" "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\"" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\"" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ http://mediac.rapmls.com/fresnomls/listing.../063/267963.jpg [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1] Source REG_SZ http://media.rapmls.com/rapmlsimages/MLS10/podbg.gif [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2] Source REG_SZ http://media.rapmls.com/fresnomls/listingp...ts=060426143308 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3] Source REG_SZ http://mediac.rapmls.com/fresnomls/listing.../072/276772.jpg [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk" "backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe " "item"="Acrobat Assistant" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Billminder.lnk" "backup"="C:\\WINDOWS\\pss\\Billminder.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Quicken\\billmind.exe -startup" "item"="Billminder" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="awwxuu" "hkey"="HKLM" "command"="rundll32.exe \"C:\\WINDOWS\\awwxuu.dll\",setvm" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="C:\\Program Files\\iTunes\\iTunesHelper.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WkDetect" "hkey"="HKCU" "command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Money Express" "hkey"="HKCU" "command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msmsgs" "hkey"="HKCU" "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pmdcx] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="pmdcx" "hkey"="HKLM" "command"="C:\\WINDOWS\\pmdcx.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ybrwicon" "hkey"="HKLM" "command"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTouch" "hkey"="HKLM" "command"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "YPCService"=dword:00000003 "NVSvc"=dword:00000002 "ImapiService"=dword:00000003 "WMPNetworkSvc"=dword:00000003 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-05-25 at 14:31:13 --------- ---------------------------------------------------------------------- Deckard's System Scanner v20070426.43 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel® Pentium® 4 CPU 1.80GHz Percentage of Memory in Use: 48% Physical Memory (total/avail): 767.01 MiB / 396.71 MiB Pagefile Memory (total/avail): 1877.16 MiB / 1470.09 MiB Virtual Memory (total/avail): 2047.88 MiB / 1976.29 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 111.76 GiB total, 86.08 GiB free. D: is CDROM (No Media) E: is CDROM (No Media) F: is Network (NTFS) Y: is Removable (No Media) -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is disabled. FirstRunDisabled is set. FW: Norton AntiVirus v2007 (Symantec Corporation) AV: Norton AntiVirus v2007 (Symantec Corporation) -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\JACK MEZZACAPPA\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=JACKSCOMPUTER ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\JACK MEZZACAPPA LOGONSERVER=\\JACKSCOMPUTER NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Adobe\AGL PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0102 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\JACKME~1\LOCALS~1\Temp TMP=C:\DOCUME~1\JACKME~1\LOCALS~1\Temp USERDOMAIN=JACKSCOMPUTER USERNAME=JACK MEZZACAPPA USERPROFILE=C:\Documents and Settings\JACK MEZZACAPPA windir=C:\WINDOWS WT=c:\win2000 -- User Profiles --------------------------------------------------------------- Owner (admin) JACK MEZZACAPPA (admin) Administrator (new local, admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks\|RealPlayer\|6.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\System32\\MSIEXEC.EXE /x {BE130CAB-F7AA-4660-96A2-6BCCE9743946} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 29371.exe --> C:\PROGRA~1\SCREEN~1\29371.exe\UNWISE.EXE C:\PROGRA~1\SCREEN~1\29371.exe\INSTALL.LOG a la mode Vault --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{821B7E84-67B0-40EE-8929-C44B20BDB43C} anything Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll" Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001} Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39} Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001} Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D} Adobe Product/Adobe Studio Update 10/2001 --> "C:\Program Files\InstallShield Installation Information\{73006B34-9743-4A39-AC37-38EDFCEB6DCE}\setup.exe" Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001} Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001} American Flag Screensaver --> C:\PROGRA~1\AMERIC~1\UNINSTAL.EXE /U C:\PROGRA~1\AMERIC~1\INSTALL.LOG AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B} AT&T Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA} AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe Broderbund Media Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{26346FB6-4F69-453D-95CE-B6BA3A5382F8}\setup.exe" -l0x9 AddRem ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3} Conexant HSF V92 56K RTAD Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\HxFSETUP.EXE -U -IVEN_14F1&DEV_2016&SUBSYS_021913E0 DataQuick� Property Pro� CD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\DataQuick\Property Pro\Uninst.isu" Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe" Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288} DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0} GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5} Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly HaxFix 4.43 --> "C:\Program Files\HaxFix\unins000.exe" HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F} Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe" HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall HP Extended Capabilities 4.7 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D} ImageMixer VCD/DVD2 for OLYMPUS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}\Setup.exe" -l0x9 UNINSTALL Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4} iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6} Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8} Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\setup.exe" UNINSTALL Logitech MouseWare 9.79.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169} Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95} Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1} Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06} Microsoft SQL Server Desktop Engine (ALAMODE) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A} Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61} Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7} Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9} Microsoft Word Viewer 97 --> C:\Program Files\WordView\setup\setup.exe Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\ Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704} Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517} Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0} Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_0_89\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8} Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43} Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8} Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8} NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf OLYMPUS Master --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BA820A24-704B-428D-9904-71A10DAC1372} /l1033 /zUNINSTALL Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan PDF-XChange 3 --> "C:\Program Files\Tracker Software\PDF-XChange 3\unins000.exe" PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel PRO200WL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{280C7673-2DF8-4E74-B031-D8F108BE2A6D}\SETUP.EXE" -uninst QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log Rapattoni MLS PDF Creator --> MsiExec.exe /I{691652E3-D900-49C8-843B-2EB459A13653} RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks\|RealPlayer\|6.0 Salesperson Exam Prep --> MsiExec.exe /I{B22CFC7C-86DD-4D4E-8898-328DDB8B6400} SBC Yahoo! DSL Activation --> C:\PROGRA~1\Yahoo!\common\undsldlk.exe Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe" Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log Shockwave Player --> MsiExec.exe /X{95D885F5-B696-11D5-9D1D-0050DAB14E03} SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56} Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe" Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" STOMP Backup MyPC --> MsiExec.exe /I{BE130CAB-F7AA-4660-96A2-6BCCE9743946} Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09} Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68} SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2} The Print Shop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}\setup.exe" -l0x9 anything Twilight Reflections --> C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Twilight Reflections\ST5UNST.LOG" Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" XSite Order Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A5B5DED6-E58F-43FA-BBBC-D64170B32C29} anything -- End of Deckard's System Scanner: finished at 2007-05-25 at 14:31:13 --------- After this computer seems to be running fine, no more of those "spysweeper" messages, when a do a search i actually get results on what i "google" for and no phony websites. One thing...When i Ran "Hijackthis" this last time it gave me this error Other Than That Looking Good....Thanks To You!

SNOWHITE View Member Profile	May 28 2007, 05:49 AM Post #8
Trusted Helper Posts: 1,327 From: Macedonia OS: XP Pro, W2K, W98SE	Hello doble Step 1 Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop. CODE REGEDIT4 [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk] Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully". The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format! Step 2 Please download the OTMoveIt by OldTimer. Save it to your desktop. Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\awwxuu.dll C:\WINDOWS\system32\cafes.exe C:\WINDOWS\system32\fontqxet.dll C:\WINDOWS\system32\qviexio3.dat C:\WINDOWS\system32\comsatac.dll C:\WINDOWS\system32\dsuiexq.dll C:\WINDOWS\system32\msratnit.dll C:\WINDOWS\system32\qviexio2.dat C:\WINDOWS\system32\srvswc2.dll C:\WINDOWS\system32\comcbx2.dll C:\WINDOWS\system32\srvswc3.dll C:\WINDOWS\system32\comcs32c.dll C:\WINDOWS\system32\commnet8.dll C:\WINDOWS\system32\defrasw.dll C:\WINDOWS\system32\winivfop.dll C:\WINDOWS\system32\kiscbxz.dat C:\WINDOWS\system32\kiscbxw.dat C:\WINDOWS\system32\rasqervy.dll C:\WINDOWS\system32\sdfinacs.dll C:\WINDOWS\system32\hnetviw.dll C:\WINDOWS\system32\wuasirvy.dll C:\WINDOWS\awwxuu.dll Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Click the red Moveit! button. Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply. Close OTMoveIt If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Step 3 Download ComboFix from Here or Here to your Desktop. Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall Step 4 The next files are looking suspicious, so upload them at VirusTotal and post the results here: VirusTotal: 1. Go to this website: www.virustotal.com 2. Upload this file by copy/pasting it in to the file box: C:\WINDOWS\system32\winupdat.dll 3. Submit the file and copy/paste the results back into this thread. 4. Repeat the same instructions for the next files too: C:\WINDOWS\pmdcx.exe C:\WINDOWS\system32\wtusers.dll C:\WINDOWS\system32\apex2ctl.dll C:\WINDOWS\system32\filecabinet5.dll C:\WINDOWS\system32\alaUploader.exe Post back with OTMoveIt report, Combofix report, and VirusTotal file scan reports.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal blacklisted by cbl.abuseat.org	0 / 70	29th September 2009 - 01:13 PM Ivor C&G Scarf started - last by Ivor C&G Scarf
Windows XP�, 2000, 2003, NT Formatting Outlook Express news alerts to a word doc	0 / 81	8th October 2009 - 01:11 PM jeffed started - last by jeffed
Applications Network thinks DOC & XLS are HTML (and won't open them)	2 / 55	27th October 2009 - 01:35 PM Viridel started - last by rshaffer61
Office Network thinks DOC & XLS are HTML (and won't open them)	0 / 45	27th October 2009 - 01:13 PM Viridel started - last by Viridel