Hijack This log for PeDevice


  • This topic is locked

#1
c-w-a-n

    Member

  • Member
  • 10 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:15:34 PM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Common Files\{DCF0D7D0-02B8-1033-1221-990313000001}\Update.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeDevice\PeDev.exe
C:\WINDOWS\System32\rsvp.exe
C:\Documents and Settings\Home Laptop\My Documents\Homework & Assignments\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Realtime Monitor.lnk = C:\Program Files\CA\eTrust\Antivirus\Realmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm265YYCA
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.pembroke.ca/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://images.autode...es/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168301106426
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.co...006_regular.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://www.scotlands...ol/viewdw32.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/d...r/int_ver34.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - https://sadreap.irsr.pri/tx_trust.CAB
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matca.../speedtest2.dll
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimed...tupv2.0.0.9.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - https://sadreap.irsr.pri/comdlg32.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ???
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe

And thank you very much to the person that can help me. This thing has been driving me crazy ever since I received my computer back.
  • 0



#2
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey c-w-a-n
Welcome to GeeksToGo :whistling:
My name is Harry, and I'll help you get this straightened out.
Give me a little time to review your log and I'll get back to you.

Harry
  • 0

#3
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hello again c-w-a-n,

Let's start by downloading a couple of tools.
Please print out these instructions for reference, as we will be working in Safe Mode. Please follow the directions in the order given.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Webhancer

Please note any other programs that you don't recognize in that list in your next response.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm265YYCA
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.co...006_regular.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/d...r/int_ver34.CAB
O20 - AppInit_DLLs: ? ? ?




Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\WINDOWS\system32\nfomon
C:\Program Files\webHancer
C:\Program Files\Ipwindows
C:\Program Files\PeDevice

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Next run AVG:
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Next run Combofix
1. Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let's run a cleanup tool.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Let's see the results from AVG and ComboFix, along with a fresh HJT log please.



Harry
  • 0
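The cleanup above works entry by entry on the HijackThis log: the helper picks out the O2/O4/O10/O20 lines tied to webHancer, nfomon, Ipwindows and PeDevice, and then asks for a fresh log to confirm they are gone. As an added example (not code from HijackThis, the forum, or either poster), here is a small Python parser for that log format that applies the same defender-side checks and diffs a "before" log against an "after" log. The sample lines are a subset copied from the two logs in this thread; the folder list is the one the helper asked to delete. Note that the `(no file)` check also flags the orphaned Yahoo! Toolbar search hook, which survives into the second log and is harmless leftover, so a flag means "look at this", not "malware".

```python
"""Parse HijackThis 1.99 log lines and flag persistence entries.

Added example for this thread, not code from HijackThis or the posts.
The sample lines are copied from the two logs in the thread; SUSPECT_DIRS
is the set of folders the helper asked the poster to delete, so the
follow-up log can be checked for lingering references.
"""
import re

# Each HijackThis entry starts with a section code: R0-R3 (IE settings),
# O2 (BHOs), O4 (Run keys and Startup folder), O10 (Winsock LSPs),
# O16 (downloaded ActiveX controls), O20 (AppInit_DLLs), O23 (services).
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")

# Folders the helper told the poster to delete (from post #3 above).
SUSPECT_DIRS = (
    r"C:\WINDOWS\system32\nfomon",
    r"C:\Program Files\webHancer",
    r"C:\Program Files\Ipwindows",
    r"C:\Program Files\PeDevice",
)

# Constructed samples: a subset of lines from the first and second logs.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Hijacked Internet access by WebHancer
O20 - AppInit_DLLs: ???
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
"""


def parse_log(text):
    """Return (section, body) tuples for every entry line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_reasons(section, body, suspect_dirs=SUSPECT_DIRS):
    """Defender-side checks; returns the reasons an entry deserves a look."""
    reasons = []
    low = body.lower()
    # Anything still pointing into a folder that was supposed to be deleted.
    for d in suspect_dirs:
        if d.lower() in low:
            reasons.append(f"references {d}")
    # HijackThis reports Winsock LSP chain tampering as O10 "Hijacked".
    if section == "O10" and "hijacked" in low:
        reasons.append("Winsock LSP hijack reported by HijackThis")
    # An AppInit_DLLs value HijackThis cannot print (shown as ???) is opaque
    # and deserves manual inspection of the registry value.
    if section == "O20" and "appinit_dlls" in low and "?" in body:
        reasons.append("AppInit_DLLs value unreadable (non-printable characters)")
    # Orphans are usually harmless leftovers but still worth cleaning up.
    if "(no file)" in low:
        reasons.append("orphaned entry: referenced file is missing")
    return reasons


def flagged_entries(text):
    """Map each flagged entry line to its reasons, preserving log order."""
    out = {}
    for section, body in parse_log(text):
        reasons = flag_reasons(section, body)
        if reasons:
            out[f"{section} - {body}"] = reasons
    return out


def removed_entries(before, after):
    """Entries present in the first log but absent from the follow-up."""
    after_set = set(parse_log(after))
    return [f"{s} - {b}" for s, b in parse_log(before) if (s, b) not in after_set]


if __name__ == "__main__":
    for entry, why in flagged_entries(LOG_BEFORE).items():
        print(entry, "->", "; ".join(why))
    print("entries gone after cleanup:", len(removed_entries(LOG_BEFORE, LOG_AFTER)))
```

Run it as-is to see the seven flagged lines from the first log and the six that disappear in the second; to use it on a real log, read the saved hijackthis.log into `LOG_BEFORE` and `LOG_AFTER` and extend `SUSPECT_DIRS` with whatever folders the helper named.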

#4
c-w-a-n

    Member

  • Topic Starter
  • Member
  • 10 posts
Hey. Thank you very much, the PeDevice is off. Here are the logs you requested.


HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 6:32:05 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home Laptop\My Documents\Homework & Assignments\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Realtime Monitor.lnk = C:\Program Files\CA\eTrust\Antivirus\Realmon.exe
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.pembroke.ca/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://images.autode...es/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168301106426
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://www.scotlands...ol/viewdw32.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - https://sadreap.irsr.pri/tx_trust.CAB
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matca.../speedtest2.dll
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimed...tupv2.0.0.9.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - https://sadreap.irsr.pri/comdlg32.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe


ComboFix Log

Home Laptop - 07-01-09 18:25:05.63 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Home Laptop\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\preuninstallql.exe
C:\WINDOWS\system32\taskkill.com
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\quick links
C:\Program Files\Common Files\{3CF0D7D0-02B8-1033-1221-990313000001}
C:\Program Files\Common Files\{DCF0D7D0-02B8-1033-1221-990313000001}


((((((((((((((((((((((((((((((( Files Created from 2006-12-09 to 2007-01-09 ))))))))))))))))))))))))))))))))))


2007-01-09 15:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-08 22:22 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-06 01:20 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-01-06 01:20 41,984 --a------ C:\WINDOWS\system32\APTRRNTm.dll
2007-01-06 01:20 36,864 --a------ C:\WINDOWS\system32\APTRRNTl.dll
2007-01-06 01:20 <DIR> d-------- C:\Program Files\Replay Music 2
2007-01-06 01:19 <DIR> d-------- C:\Program Files\Replay Music
2007-01-03 18:28 <DIR> d-------- C:\Program Files\AdwareAlert
2007-01-03 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2006-12-26 10:29 <DIR> d-------- C:\Program Files\Audacity1.24
2006-12-24 15:54 <DIR> d--h----- C:\WINDOWS\system32\vidmon
2006-12-24 15:54 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2006-12-24 15:54 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\vidmon
2006-12-24 15:54 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\nfo
2006-12-23 21:27 <DIR> d-------- C:\Documents and Settings\Home Laptop\Application Data\Ulead Systems
2006-12-23 21:25 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-12-23 21:25 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-12-23 21:24 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-12-23 21:24 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-12-23 21:24 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-12-23 21:24 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-12-23 21:24 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-12-23 21:24 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-12-23 21:17 106,496 --------- C:\WINDOWS\UPSCR.Scr
2006-12-23 21:16 90,112 --------- C:\WINDOWS\system32\mpgvparse.dll
2006-12-23 21:16 90,112 --------- C:\WINDOWS\system32\mpgaparse.dll
2006-12-23 21:16 86,016 --------- C:\WINDOWS\system32\uvAC3Enc.dll
2006-12-23 21:16 73,728 --------- C:\WINDOWS\system32\ac3aout.dll
2006-12-23 21:16 65,536 --------- C:\WINDOWS\system32\mpgcheck.dll
2006-12-23 21:16 61,440 --------- C:\WINDOWS\system32\pcmaout.dll
2006-12-23 21:16 532,480 --------- C:\WINDOWS\system32\MCMpgDec.dll
2006-12-23 21:16 53,248 --------- C:\WINDOWS\system32\uvsc.dll
2006-12-23 21:16 315,392 --------- C:\WINDOWS\system32\mpg_dlg.dll
2006-12-23 21:16 180,224 --------- C:\WINDOWS\system32\MPEGIN.DLL
2006-12-23 21:16 147,456 --------- C:\WINDOWS\system32\mpgmux.dll
2006-12-23 21:16 124,928 --------- C:\WINDOWS\system32\MPGAOUT.DLL
2006-12-23 21:16 102,400 --------- C:\WINDOWS\system32\mpgcap32.dll
2006-12-23 21:16 10,752 --------- C:\WINDOWS\system32\MPGVOUT.dll
2006-12-23 21:15 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2006-12-23 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2006-12-23 21:11 <DIR> d-------- C:\Program Files\Ulead Systems
2006-12-23 21:10 8,192 --a------ C:\WINDOWS\system32\CoachWrp.dll
2006-12-23 21:10 46,944 --a------ C:\WINDOWS\system32\drivers\CoachUsb.sys
2006-12-23 21:10 44,256 --a------ C:\WINDOWS\system32\drivers\CoachVc.sys
2006-12-23 21:10 41,984 --a------ C:\WINDOWS\system32\CoachWia.dll
2006-12-23 21:10 16,896 --a------ C:\WINDOWS\system32\CoachDlg.dll
2006-12-23 21:10 <DIR> d-------- C:\WINDOWS\Options
2006-12-23 21:10 <DIR> d-------- C:\Program Files\Digital Video
2006-12-23 21:09 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-12-23 21:09 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-12-23 12:03 <DIR> d-------- C:\WINDOWS\pss
2006-12-23 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-09 18:26 -------- d-a------ C:\Program Files\Common Files
2007-01-09 16:19 -------- d-------- C:\Program Files\Google
2007-01-09 15:59 -------- d-------- C:\Program Files\Grisoft
2007-01-08 18:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-01-08 18:47 -------- d-------- C:\Program Files\EACOM
2007-01-05 21:27 -------- d-------- C:\Program Files\Aurora Digital Imaging
2007-01-05 21:21 -------- d-------- C:\Program Files\BitTorrent
2006-12-26 16:30 -------- d-------- C:\Program Files\MSN Messenger
2006-12-26 16:30 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-12-26 15:45 -------- d-------- C:\Program Files\MyWebSearch
2006-12-26 10:11 -------- d-------- C:\Program Files\Internet Explorer
2006-12-26 10:10 -------- d-------- C:\Program Files\MessengerPlus! 3
2006-12-26 10:08 -------- d-------- C:\Program Files\Rogers
2006-12-26 10:08 -------- d-------- C:\Program Files\iWin
2006-12-25 11:31 -------- d-------- C:\Program Files\Windows Media Player
2006-12-23 11:36 -------- d---s---- C:\Documents and Settings\Home Laptop\Application Data\Microsoft
2006-12-03 21:47 873 --a------ C:\Documents and Settings\Home Laptop\Application Data\AdobeDLM.log
2006-12-03 21:47 0 --a------ C:\Documents and Settings\Home Laptop\Application Data\dm.ini
2006-12-03 21:47 -------- d-------- C:\Program Files\Adobe
2006-12-03 21:39 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-03 21:39 -------- d-------- C:\Documents and Settings\Home Laptop\Application Data\Adobe
2006-11-26 18:37 -------- d-------- C:\Program Files\Citrix
2006-11-18 03:43 -------- d-------- C:\Program Files\LimeWire
2006-11-18 00:35 -------- d-------- C:\Program Files\Java
2006-11-13 09:17 -------- d-------- C:\Program Files\FunWebProducts


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Realtime Monitor"="\"C:\\Program Files\\CA\\eTrust\\Antivirus\\realmon.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WIAWizardMenu"="RUNDLL32.EXE C:\\WINDOWS\\system32\\sti_ci.dll,WiaCreateWizardMenu"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=hex:20,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Home Laptop^Start Menu^Programs^Startup^csrss.lnk]
"path"="C:\\Documents and Settings\\Home Laptop\\Start Menu\\Programs\\Startup\\csrss.lnk"
"backup"="C:\\WINDOWS\\pss\\csrss.lnkStartup"
"location"="Startup"
"command"=" "
"item"="csrss"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uwfx6"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\WinFixer_2006\\uwfx6.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PictureMate Deluxe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_FATI9TA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9TA.EXE /P24 \"EPSON PictureMate Deluxe\" /O6 \"USB001\" /M \"PictureMate Deluxe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_FATIADA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P26 \"EPSON Stylus CX4800 Series\" /O6 \"USB002\" /M \"Stylus CX4800\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="csrss"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\yghrvwy\\csrss.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\2.bin\\mwsoemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="csrss"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\yghrvwy\\csrss.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHS"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Rogers\\SelfHealing\\SHS.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tray"
"hkey"="HKCU"
"command"="\"C:\\Documents and Settings\\Home Laptop\\My Documents\\My Music\\Ripped Vids\\tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Rogers\\Update Manager\\UpdateManager.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WeatherEye"
"hkey"="HKCU"
"command"="C:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer2006]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uwfx6"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\WinFixer_2006\\uwfx6.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-09 18:27:35.94
C:\ComboFix.txt ... 07-01-09 18:27


AVG Scan

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:16:29 PM 1/9/2007

+ Scan result:



C:\Documents and Settings\Home Laptop\Local Settings\Temp\Del55.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\system32\navshext1.dll -> Adware.Chiem : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-854245398-152049171-1060284298-1003\Dc2\PeDev.dll -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1 -> Adware.Delfin : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-854245398-152049171-1060284298-1003\Dc4\nfo.ocx -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5432912-5BAB-4269-B25F-02DE09359163}\RP3\A0001032.exe -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5432912-5BAB-4269-B25F-02DE09359163}\RP3\A0001033.dll -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
HKU\S-1-5-21-854245398-152049171-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-854245398-152049171-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdwareAlert_is1 -> Adware.GoodByeSpyware : Cleaned with backup (quarantined).
HKU\S-1-5-21-854245398-152049171-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} -> Adware.LinkMaker : Cleaned with backup (quarantined).
C:\Program Files\ipwins\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-854245398-152049171-1060284298-1003\Dc3\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\B2C27.tmp/PMTInstaller.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\b122.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\b130.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\b131.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temporary Internet Files\Content.IE5\GVQF2T6P\131[1].net -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temporary Internet Files\Content.IE5\UDOZIDU5\122[1].net -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{DCF0D7D0-02B8-1033-1221-990313000001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{DCF0D7D0-02B8-1033-1221-990313000001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\qlink32.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\uninstall.exe -> Adware.SurfAcc : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\b129.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-854245398-152049171-1060284298-1003\Dc1\Programs\whinstaller.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5432912-5BAB-4269-B25F-02DE09359163}\RP3\A0001031.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup (quarantined).
D:\Power Management\MediaGateway.exe -> Adware.WinAD : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WinAntiSpyware 2006 Scanner -> Adware.WinAntiSpyware : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\mc-110-12-0001411.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mcnew.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\updater.exe -> Downloader.IstBar.oy : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\b116.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\My Documents\Homework & Assignments\backups\backup-20070109-163256-346.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\b104.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\ipwins\Uninst.exe -> Dropper.DollarR.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\installer.exe -> Dropper.PurityScan.q : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Local Settings\Temp\temp.fr2A56 -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\speedtest2.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.110:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.45:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.46:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Home Laptop\Local Settings\Temp\Cookies\home [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.18:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.68:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Home Laptop\Local Settings\Temp\Cookies\home [email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.12:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.13:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.14:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.15:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.16:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.65:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.10:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.11:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.9:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.116:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.121:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.122:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.137:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.102:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected]ure[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.124:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.126:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.127:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.128:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Home Laptop\Local Settings\Temp\Cookies\home [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.131:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.132:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.133:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.134:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.162:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.163:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.158:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.159:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.47:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.129:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.130:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.19:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.20:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.176:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.77:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.78:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.79:C:\Documents and Settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ia1q32fv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Home Laptop\Cookies\home [email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Home Laptop\Local Settings\Temp\ICD4.tmp\UWAS6_0001_N69M0903NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N69M0903NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vsetup.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


Thanks a lot again.

#5 c-w-a-n (Topic Starter, Member, 10 posts)
Also, there were some programs that I did not recognize:

WebDP 2.07
Quick Links
Media Tickets By OIN
XVID Codec Installation
Nortel-Config
IpWins

Thanks.

#6 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hi c-w-a-n,
Sorry for all the delays; it's been a little busy here.

Please copy the entire contents in the code box below and place it in notepad. Save this as hregfix.reg on your desktop.

Windows Registry Editor Version 5.00 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Home Laptop^Start Menu^Programs^Startup^csrss.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer2006]


Next navigate to that file, hregfix.reg, and double click on it to allow it to run.

Next:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

WebDP 2.07
Quick Links
Media Tickets By OIN
IpWins


Please note any other programs that you don't recognize in that list in your next response.




Copy everything inside the quote box below (starting with @) and paste it into notepad.
Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files".
Save it as Harry.bat on your desktop.
@Echo off
rem Clear the system/read-only/hidden attributes first so rd and del can remove the files
attrib -s -r -h "C:\WINDOWS\pss\*.*"
rd /q /s "C:\WINDOWS\pss"
attrib -s -r -h "C:\Program Files\WinFixer_2006\*.*"
rd /q /s "C:\Program Files\WinFixer_2006"
attrib -s -r -h "C:\WINDOWS\system32\yghrvwy\*.*"
rd /q /s "C:\WINDOWS\system32\yghrvwy"
attrib -s -r -h "C:\Program Files\MyWebSearch\*.*"
rd /q /s "C:\Program Files\MyWebSearch"
rem Two stray files from the logs
attrib -s -r -h "C:\Documents and Settings\Home Laptop\My Documents\My Music\Ripped Vids\tray.exe"
del /q "C:\Documents and Settings\Home Laptop\My Documents\My Music\Ripped Vids\tray.exe"
attrib -s -r -h "C:\WINDOWS\iun6002.exe"
del /q "C:\WINDOWS\iun6002.exe"
exit

Return to your desktop and double click on the icon for Harry.bat. A brief window will pop up and disappear; this is normal.

Next:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

So give me the Uninstall list and a fresh HJT log please.

Harry

Edited by harrythook, 11 January 2007 - 08:51 PM.


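Added example (not code from the thread, HijackThis or ComboFix): a Python script that applies the three checks harrythook made by hand to a ComboFix-style startupreg dump and emits the [-KEY] deletion lines in the shape of hregfix.reg. The sample dump, the system-process folder table and the list of unwanted product folders are constructed assumptions for illustration.

```python
"""Triage msconfig startupreg entries from a ComboFix-style registry dump.

Encodes the checks the helper made by hand: a Windows system process name
(csrss.exe) run from an odd folder, autostarts in user-writable folders, and
products already marked for removal; flagged keys become [-KEY] .reg lines.
"""
import ntpath
import re

# Core Windows process names malware borrows, with the one folder each should
# run from (assumption: an illustrative list, not an exhaustive one).
SYSTEM_PROCESS_DIRS = {
    "csrss": "c:\\windows\\system32",
    "smss": "c:\\windows\\system32",
    "lsass": "c:\\windows\\system32",
    "winlogon": "c:\\windows\\system32",
}
# Product folders the helper singled out for removal (8.3 short name included).
KNOWN_UNWANTED = ("winfixer", "mywebsearch", "mywebs~1")
# Folders an autostart entry should rarely point into.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\my documents\\")
STARTUPREG_PREFIX = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample modelled on the startupreg section of the ComboFix log above.
SAMPLE_DUMP = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PictureMate Deluxe]
"item"="E_FATI9TA"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9TA.EXE /P24 \"EPSON PictureMate Deluxe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"item"="csrss"
"command"="C:\\WINDOWS\\system32\\yghrvwy\\csrss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray.exe]
"item"="tray"
"command"="\"C:\\Documents and Settings\\Home Laptop\\My Documents\\My Music\\Ripped Vids\\tray.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer2006]
"item"="uwfx6"
"command"="\"C:\\Program Files\\WinFixer_2006\\uwfx6.exe\" /min"
"""


def parse_dump(text):
    """Split the dump into (key, {name: value}) pairs and undo regedit escaping."""
    entries, values = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            values = {}
            entries.append((line[1:-1], values))
        elif values is not None:
            match = VALUE_RE.match(line)
            if match:  # \\ -> \ and \" -> " exactly as regedit reads them
                values[match.group(1)] = re.sub(r"\\(.)", r"\1", match.group(2))
    return entries

def exe_path(command):
    """Return the executable from a command line, whether quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]

def triage(key, values):
    """List the reasons a startupreg entry looks suspicious (empty if none)."""
    reasons = []
    if not key.lower().startswith(STARTUPREG_PREFIX):
        return reasons
    path = exe_path(values.get("command", "")).lower()
    directory, filename = ntpath.split(path)
    name = filename[:-4] if filename.endswith(".exe") else filename
    expected = SYSTEM_PROCESS_DIRS.get(name)
    if expected and directory != expected:
        reasons.append(f"{filename} carries a Windows process name but runs from {directory}")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("autostart points into a user-writable folder")
    if any(tag in path for tag in KNOWN_UNWANTED):
        reasons.append("belongs to a product already marked for removal")
    return reasons

def flag_entries(text):
    """Map every suspicious key in the dump to its list of reasons."""
    return {k: r for k, v in parse_dump(text) if (r := triage(k, v))}

def build_fix(text):
    """Regedit .reg text that deletes each flagged key, the shape of hregfix.reg."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines.extend(f"[-{key}]" for key in flag_entries(text))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for key, reasons in flag_entries(SAMPLE_DUMP).items():
        print(key.rsplit("\\", 1)[1], "->", "; ".join(reasons))
    print(build_fix(SAMPLE_DUMP), end="")
```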
#7 c-w-a-n (Topic Starter, Member, 10 posts)
Hey, sorry it has been so long. I haven't had a chance to do much work on my computer; I've been on a mini tour with my friends and I've missed a bunch of school, so I really need to catch up. But here are the logs you asked for.

uninstall list


Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Audacity 1.2.4
AVG Anti-Spyware 7.5
AviSynth 2.5
Digital Video
Doom Shareware for Windows 95
EPSON CX 4200 4800 Guide
EPSON Printer Software
eTrust Antivirus
Guitar Pro 5.0
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
IBM ThinkPad Power Management Driver
InterActual Player
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 9
LimeWire 4.12.6
Macromedia Shockwave Player
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Money 2006
Microsoft Office 2000 Premium
MPEG Encoder 3
MSN Music Assistant
My Web Search (Zwinky)
Nortel Networks Contivity VPN Client
Nortel-Config
Paragon CD-ROM Emulator
PowerDVD
QuickTime
RealPlayer
Replay Music 2.51
Rogers Update Manager (remove only)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Ulead COOL 360 1.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Update Manager
Video to Audio Converter 1.00
Videora iPod Converter 0.91
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WAV MP3 Converter v2.3 build 663
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XVID Codec Installation




and the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:53:44 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Home Laptop\My Documents\Homework & Assignments\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - Startup: Realtime Monitor.lnk = C:\Program Files\CA\eTrust\Antivirus\Realmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035YYCA
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.pembroke.ca/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://images.autode...es/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168301106426
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://www.scotlands...ol/viewdw32.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - https://sadreap.irsr.pri/tx_trust.CAB
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matca.../speedtest2.dll
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimed...tupv2.0.0.9.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - https://sadreap.irsr.pri/comdlg32.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe


Thanks again.

#8
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hi c-w-a-n, welcome back. :whistling:

I see a few new items in your log, and I need to know if you executed the instructions from post #6.
Please confirm that these instructions were followed, or perform them now.

Next, re-think the LimeWire / P2P programs. These types of programs are a hotbed for infections; it's a good idea to stay away from them.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035YYCA
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

MyWebSearch

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\MyWebSearch

After that, Reboot.


Next run AVG:
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete, do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode, then post the results of the AVG Anti-Spyware report scan.
Give me the AVG results and another HJT please.

Harry
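The helper's fix list above is built by reading HijackThis entries and picking out the ones that point at a missing file or belong to the MyWebSearch toolbar. The following added Python example (not part of the thread or of HijackThis) parses HijackThis-style lines and applies those two triage rules; the sample lines are constructed copies of entries from this thread, and the indicator list is an assumption taken from the helper's post.

```python
import re
from dataclasses import dataclass, field

# Regex for one HijackThis entry: "<section> - <rest>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Indicators taken from the helper's fix list (post #8): the MyWebSearch
# folder in long and 8.3 short form, plus its BHO name. Assumed list.
MYWEBSEARCH_INDICATORS = ("mywebsearch", "mywebs~1", "mwsbar")

# Constructed sample modelled on entries quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)

def parse_hjt(text):
    """Parse HijackThis-style lines; lines that are not entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries

def triage(entries, indicators=MYWEBSEARCH_INDICATORS):
    """Return the entries that hit a triage rule, with the reasons attached.

    Rule 1: HijackThis appends "(file missing)" when the referenced file is
    gone; a hook/BHO/Run key pointing nowhere is leftover from an incomplete
    uninstall and is safe to remove.
    Rule 2: the entry names something on the removal indicator list.
    """
    for e in entries:
        lower = e.body.lower()
        if lower.endswith("(file missing)"):
            e.reasons.append("target file missing")
        if any(tok in lower for tok in indicators):
            e.reasons.append("matches removal indicator")
    return [e for e in entries if e.reasons]
```

Entries that hit neither rule (the O16 and O23 lines in the sample) are left for manual review; the script only reproduces the two mechanical checks, not the helper's judgement.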

#9
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.