Hijack This log file...Please help!



#1
Brewman

I would really really appreciate if someone can help me!! When I try to run any program it comes up with the error "This file does not have a program associated with it for performing this action." Also when I go to certain web pages it comes up with an error that says service discontinued and it always shows the web page of http://www.netspry.com. I am getting very frustrated, please someone help me!!
Here is the logfile:

Logfile of HijackThis v1.98.2
Scan saved at 11:21:53 PM, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jason\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jason\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLinkTotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {393A7867-5929-4B08-9677-DA95642A4752} - C:\WINDOWS\System32\mkl.dll (file missing)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O4 - HKLM\..\Run: [DzwPLK] C:\documents and settings\jason\local settings\temp\DzwPLK.exe
O4 - HKLM\..\Run: [c2w4T] C:\documents and settings\jason\local settings\temp\c2w4T.exe
O4 - HKLM\..\Run: [5vUO2eH] C:\documents and settings\jason\local settings\temp\5vUO2eH.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlPanel] c:\windows\system32\internst32@Cleared_.exe internat.dll,loadkeyboardprofile
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLinkTotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [search page] http://www.microsoft...=ie&ar=iesearch
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com

Thanks in advance!!!!
Jason
  • 0


#2
admin

You have more than one infection, and it's likely to take a few steps. First:
  • Prepare CWShredder:
    • Download CWShredder v1.59.1.
    • Save it to your desktop.
    • Do not run it yet. We will run it later.
  • Run Symantec's BackDoor Removal Tool:
    • Download the Backdoor.Agent.B Removal Tool from Symantec.
    • Follow Symantec's instructions for how to run it.
    • Be sure to save the log file. I will need to see it later.
    • Restart your computer.
  • Run CWShredder. Be sure to click Fix as opposed to Scan Only. It should find some things and remove them.
  • Restart your computer once more.
  • Post a new HijackThis log and the log Symantec's tool gave you.

  • 0

#3
Brewman

Thanks for replying so fast!! After doing what you said this is the log file that came up:

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

Backdoor.Agent.B has not been found on your computer.
  • 0

#4
Brewman

This is the log file that came up when I ran HijackThis:

Logfile of HijackThis v1.98.2
Scan saved at 2:33:33 AM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\EarthLinkTotalAccess\MailClnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLinkTotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O4 - HKLM\..\Run: [DzwPLK] C:\documents and settings\jason\local settings\temp\DzwPLK.exe
O4 - HKLM\..\Run: [c2w4T] C:\documents and settings\jason\local settings\temp\c2w4T.exe
O4 - HKLM\..\Run: [5vUO2eH] C:\documents and settings\jason\local settings\temp\5vUO2eH.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlPanel] c:\windows\system32\internst32@Cleared_.exe internat.dll,loadkeyboardprofile
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLinkTotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [search page] http://www.microsoft...=ie&ar=iesearch
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094619181401
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...erxsigned35.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.co...ltInstaller.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?323
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
  • 0

#5
admin

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes next to only the following items, then click Fix checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O4 - HKLM\..\Run: [DzwPLK] C:\documents and settings\jason\local settings\temp\DzwPLK.exe
O4 - HKLM\..\Run: [c2w4T] C:\documents and settings\jason\local settings\temp\c2w4T.exe
O4 - HKLM\..\Run: [5vUO2eH] C:\documents and settings\jason\local settings\temp\5vUO2eH.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.co...ltInstaller.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\Program Files\WindUpdates <- this folder
C:\Program Files\Common Files <- this folder
C:\Program Files\Web_Rebates <- this folder
c:\windows\system32\410ir.exe
C:\Documents and Settings\jason\Application Data\smot.exe

Please delete your temporary files. Double-click My Computer (WinXP: navigate to Start ---> My Computer).
You will see an icon representing your hard drive (most likely the C: drive). Right-click the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"; click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0
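
An added example, not part of the original thread and not HijackThis's or the helper's own method: a small Python triage pass over HijackThis entries, run on lines copied from the log in post #4. The flagging rules (absent target file, Temp-directory path, autorun without a directory, Trusted Zone site) are assumptions chosen for illustration; a flag means "look at this entry", not "fix it".

```python
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # everything after "CODE - "


# Lines copied from the HijackThis log posted in this thread (post #4).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll
O4 - HKLM\..\Run: [DzwPLK] C:\documents and settings\jason\local settings\temp\DzwPLK.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O15 - Trusted Zone: *.searchmiracle.com
"""

# "R1 - ...", "O4 - ...", "O15 - ...": a section code, " - ", then the entry.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Any path component named Temp (covers "Local Settings\Temp" and "LOCALS~1\Temp").
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# O4 autorun entries: "HKLM\..\Run: [value name] command line".
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text: str) -> List[Entry]:
    """Return the section entries of a HijackThis log, skipping header lines."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def triage(entry: Entry) -> List[str]:
    """Return the review reasons for one entry (empty list: nothing flagged).

    These rules are illustrative assumptions, not a verdict on the entry.
    """
    reasons = []
    if "(no file)" in entry.body or "(file missing)" in entry.body:
        reasons.append("registration points at a file that is absent")
    if TEMP_RE.search(entry.body):
        reasons.append("loads from a Temp directory")
    if entry.code == "O4":
        run = RUN_RE.search(entry.body)
        # A bare file name is resolved through the search path at logon.
        if run and "\\" not in run.group("cmd") and "://" not in run.group("cmd"):
            reasons.append("autorun command has no directory path")
    if entry.code == "O15":
        reasons.append("site placed in the Trusted Zone")
    return reasons


def review(text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse a log and return only the entries that triggered a rule."""
    flagged = []
    for entry in parse_log(text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in review(SAMPLE_LOG):
        print(f"{entry.code:>3}  {'; '.join(reasons)}")
        print(f"     {entry.body}")
```
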

#6
Brewman

Hey thanks so much for trying to help me I really appreciate this!
A couple of things: when I deleted those things you told me to delete in HijackThis, when I ran it after I deleted them a lot of the files came back, which I will show you in my log file. Also the only folder I could delete was WindUpdates; the other files either didn't exist or, like when I went to try to delete the Common Files, it said that I couldn't delete the folder. Also when I went to clean my computer it came up with an error saying that was corrupted or missing and I would need to run Windows setup again. I am really getting frustrated but you are really helping me, I think we are heading in the right direction. Here is the log file:

Logfile of HijackThis v1.98.2
Scan saved at 1:09:01 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLinkTotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlPanel] c:\windows\system32\internst32@Cleared_.exe internat.dll,loadkeyboardprofile
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLinkTotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [search page] http://www.microsoft...=ie&ar=iesearch
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094619181401
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...erxsigned35.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.co...ltInstaller.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?323
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Thanks again!
Jason
  • 0

#7
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Stick with us Jason, we'll get it. <_<

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Reboot, reply with the results, and post a fresh log when finished.
  • 0

#8
Brewman

Brewman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
This is the new log file after doing what you said

Logfile of HijackThis v1.98.2
Scan saved at 1:44:11 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLinkTotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlPanel] c:\windows\system32\internst32@Cleared_.exe internat.dll,loadkeyboardprofile
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLinkTotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [search page] http://www.microsoft...=ie&ar=iesearch
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094619181401
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...erxsigned35.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.co...ltInstaller.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?323
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
  • 0

#9
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...erxsigned35.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\system32\410ir.exe
C:\Documents and Settings\jason\Application Data\smot.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#10
Brewman

Brewman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
It really is not looking like it is doing too much, whenever I erase the files that you tell me to erase, I run the scan again and it looks like they reappear! The files 410ir.exe and smot.exe do not exist. Also when I run the virus scanner it does not find anything. Here is my new log file:

Logfile of HijackThis v1.98.2
Scan saved at 9:34:39 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLinkTotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlPanel] c:\windows\system32\internst32@Cleared_.exe internat.dll,loadkeyboardprofile
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLinkTotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [search page] http://www.microsoft...=ie&ar=iesearch
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094619181401
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...erxsigned35.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.co...ltInstaller.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?323
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Signed very very very frustrated
Thanks for all your help though!!
  • 0

#11
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Run Hijack This again and make sure you are deleting your temp. files. I right click on start....go to explore and find all the temp. files that admin. posted a few posts back. Make sure you clean your disc after that.

Go to start...programs....accessories....systems tools....disc cleanup.

reboot and post another log.
  • 0

#12
Brewman

Brewman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
I did everything you said and this is the log file that came up:

Logfile of HijackThis v1.98.2
Scan saved at 11:04:53 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLinkTotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA880F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlPanel] c:\windows\system32\internst32@Cleared_.exe internat.dll,loadkeyboardprofile
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLinkTotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [search page] http://www.microsoft...=ie&ar=iesearch
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...94f3fdc891b75c6
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094619181401
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...erxsigned35.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.co...ltInstaller.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?323
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
  • 0

#13
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Are you sure you're deleting your temp. files? I see this entry and it's under temp. files.

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)

What I do is I right click on explore and find all the temp. files and go in and delete them following these instructions:

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

While you do that, I will be looking at your log again. This is proving difficult. When you finish going in the temp. files, post another log.
  • 0
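The symptom reported in posts #10 and #13 (entries ticked under "fix checked" showing up again in the next scan, one of them pointing into a Temp folder) can be checked mechanically by comparing the fix list with the later log. This is an added example, not part of the original thread and not HijackThis code; the function names are hypothetical and the sample text is a constructed subset of log lines copied from this thread.

```python
import re

# Constructed sample: a subset of the fix list from post #9.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O15 - Trusted Zone: *.windupdates.com
"""

# Constructed sample: a subset of the rescan posted in #10.
RESCAN = r"""
Logfile of HijackThis v1.98.2
Scan saved at 9:34:39 PM, on 11/13/2004

Running processes:
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - ~87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLinkTotalAccess\PnEL.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jason\Local Settings\Temp\U.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [h0tsRTM8R] 410ir.exe
O4 - HKCU\..\Run: [Rpcr] C:\Documents and Settings\jason\Application Data\smot.exe
O15 - Trusted Zone: *.windupdates.com
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - <body>"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

ORPHANED = "registry entry remains but its target file is absent"
TEMP = "target is under a Temp folder"
BAD_CLSID = "identifier is not a well-formed CLSID"
NO_DIR = "Run command has no directory component"


def parse_log(text):
    """Return (section code, body) pairs, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def persisted(fix_list, rescan):
    """Entries selected for fixing that are still present in the later scan."""
    later = set(parse_log(rescan))
    return [e for e in parse_log(fix_list) if e in later]


def triage(entry):
    """Describe what the log line itself says about an entry."""
    code, body = entry
    low = body.lower()
    notes = []
    if "(no file)" in low or "(file missing)" in low:
        notes.append(ORPHANED)
    if "\\temp\\" in low:
        notes.append(TEMP)
    if code in ("R3", "O2", "O3"):
        parts = body.split(" - ")          # "type: name - {CLSID} - file"
        if len(parts) >= 3 and not CLSID_RE.match(parts[-2]):
            notes.append(BAD_CLSID)
    if code == "O4":
        cmd = body.split("] ", 1)[-1]      # text after the "[value name] "
        if "\\" not in cmd and "://" not in cmd:
            notes.append(NO_DIR)
    return notes


def report(fix_list, rescan):
    """Map each persisted entry to its triage notes."""
    return {e: triage(e) for e in persisted(fix_list, rescan)}


if __name__ == "__main__":
    for (code, body), notes in report(FIX_LIST, RESCAN).items():
        print(f"{code} - {body}")
        for n in notes:
            print(f"    {n}")
```
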

#14
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I just noticed something. <_<

Did you post your entire log? The only running processes you have up top is Hijack This. Can you post the entire log?
  • 0

#15
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I found this on deleting Netspry:

Advice from NetSpry: 'To delete our software and change your homepage back to the website you would like, please do the following: 1. Make sure all your Internet Explorer windows are closed (you can hit ctrl + alt and delete to get to the task manager to make sure) 2. Go to "C:/Program Files/Homepage" and Delete the entire folder. 3. Open up Internet Explorer and go to Tools then Internet Options and set your homepage there. 4. If the problem persists, please email help@netspry.com'
  • 0





