Zlob.dnschanger Won't Go Away!


15 replies to this topic

#1 fasterpssycat

  • Members
  • 8 posts

Posted 26 July 2007 - 08:25 PM

Hello all. I've been working on this problem for three days now. I am not the best with computers, but I'm learning quickly through this ordeal. I originally had the WinMsg.exe file, AntiVirusDisable, and FirewallDisable, along with the Zlob. That's the only part that's still around; I've gotten rid of everything else. I have SpySweeper, NAV, Windows Defender, and SpyBot. I've already done the fix.reg thing. Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:13 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\AntiVirus 2007\svc_au32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D4A94C-AFD9-4F10-B6EB-1960C9536C70}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C26EF83-D0E0-4AE5-8AA1-B5F89DAB7B5B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{98961F3A-EADA-45FF-891C-6C601B204C64}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4993CF1-385B-4CC5-AC5C-51524955AB6F}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D4A94C-AFD9-4F10-B6EB-1960C9536C70}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11813 bytes

And here are the several SpySweeper runs I've done today:

8:19 PM: None
8:19 PM: Traces Found: 0
8:19 PM: Full Sweep has completed. Elapsed time 02:51:39
8:19 PM: File Sweep Complete, Elapsed Time: 02:36:02
8:16 PM: Warning: Unable to sweep compressed file: External exception C0000006
8:15 PM: Warning: Unable to sweep compressed file: External exception C0000006
8:14 PM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
8:13 PM: Warning: The file sweep got stuck and had to be terminated and restarted in "safe" (slow) mode.
8:07 PM: Warning: Failed to read file "c:\i386\kb888310.exe". Data error (cyclic redundancy check)
8:05 PM: Warning: Failed to read file "c:\i386\fxsxp32.dll". Data error (cyclic redundancy check)
8:04 PM: Warning: Failed to read file "c:\i386\dnary.mdb". Data error (cyclic redundancy check)
8:03 PM: Warning: Failed to read file "c:\i386\cmd.exe". Data error (cyclic redundancy check)
8:00 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\my pictures\2006_1105zoo\2006_1105zoo0098.jpg". Data error (cyclic redundancy check)
7:59 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\my pictures\2006_1105zoo\2006_1105zoo0040.jpg". Data error (cyclic redundancy check)
7:58 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\my pictures\2006_0821dc\2006_0821dc0016 (2).jpg". Data error (cyclic redundancy check)
7:55 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\my music\lynyrd skynyrd\all time greatest hits\13 that smell.wma". Data error (cyclic redundancy check)
7:52 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\downloaded program updates\update manager\recordnow data (basic) 2.0.0.1\data2001basic.exe". External exception C0000006
7:47 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\local settings\temporary internet files\content.ie5\opeb4x6n\ol-fdbkv3_r1[1].js". Data error (cyclic redundancy check)
7:42 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\local settings\temporary internet files\content.ie5\85gpyv81\music[4].mp3". Data error (cyclic redundancy check)
7:36 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\local settings\application data\microsoft\windows defender\filetracker\{a091ba42-d730-482f-84e0-6656a6e2da71}". The process cannot access the file because it is being used by another process
7:36 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
7:36 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
7:35 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\application data\sun\java\deployment\cache\javapi\v1.0\jar\pa014r01.jar-742e7abc-6146a4c7.zip". Data error (cyclic redundancy check)
7:34 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\ntuser.dat.log". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\ntuser.dat". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
7:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
7:33 PM: Warning: Failed to open file "c:\pagefile.sys". The process cannot access the file because it is being used by another process
7:33 PM: Warning: Failed to open file "c:\hiberfil.sys". The process cannot access the file because it is being used by another process
7:33 PM: Warning: ProcessFiles DDA: Maximum error count exceeded. Restarting scan without Direct Disk Access. Volume may have been removed, or became unstable
7:33 PM: Warning: DDA Failure, error reading data. Index:48424. TVolumeNtNTFS.Read failed 2: Read starts at: 0x12A02A000 Len :0xC000
7:26 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\downloaded program updates\update manager\recordnow data (basic) 2.0.0.1\data2001basic.exe". External exception C0000006
7:13 PM: Warning: DDA Failure, error reading data. Index:45966. TVolumeNtNTFS.Read failed 2: Read starts at: 0xB0BCC000 Len :0xE000
7:05 PM: Warning: DDA Failure, error reading data. Index:45753. TVolumeNtNTFS.Read failed 1: Read starts at: 0xA80A3000 Len :0x5000
6:38 PM: Warning: DDA Failure, error reading data. Index:45663. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA4587000 Len :0xC000
6:38 PM: Warning: DDA Failure, error reading data. Index:45644. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA3EA5000 Len :0x10000
6:30 PM: Warning: Could not scan c:\windows\microsoft.net\framework\v1.1.4322\system.enterpriseservices.dll with file offset match. Error: External exception C0000006
6:30 PM: Warning: DDA Failure, error reading data. Index:45620. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA3406000 Len :0x10000
6:29 PM: Warning: DDA Failure, error reading data. Index:45613. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA32EE000 Len :0xC000
6:29 PM: Warning: DDA Failure, error reading data. Index:45612. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA31CE000 Len :0xF000
6:29 PM: Warning: DDA Failure, error reading data. Index:45606. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA2F86000 Len :0x10000
6:27 PM: Warning: DDA Failure, error reading data. Index:45529. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9F22C000 Len :0xF000
6:27 PM: Warning: DDA Failure, error reading data. Index:45528. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9F1C8000 Len :0x10000
6:20 PM: Warning: Could not scan c:\windows\microsoft.net\framework\v1.1.4322\c_g18030.dll with file offset match. Error: External exception C0000006
6:18 PM: Warning: DDA Failure, error reading data. Index:45479. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9BD9F000 Len :0x10000
6:17 PM: Warning: DDA Failure, error reading data. Index:45469. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9B53C000 Len :0xD000
6:14 PM: Warning: DDA Failure, error reading data. Index:45467. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9B41C000 Len :0xD000
6:13 PM: Warning: DDA Failure, error reading data. Index:45454. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9ABCA000 Len :0xD000
6:12 PM: Warning: DDA Failure, error reading data. Index:45350. TVolumeNtNTFS.Read failed 2: Read starts at: 0x97EBE000 Len :0x10000
6:06 PM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
5:53 PM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
5:43 PM: Starting File Sweep
5:43 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
5:43 PM: Starting Cookie Sweep
5:43 PM: Registry Sweep Complete, Elapsed Time:00:00:41
5:42 PM: Starting Registry Sweep
5:42 PM: Memory Sweep Complete, Elapsed Time: 00:14:41
5:27 PM: Starting Memory Sweep
5:27 PM: Start Full Sweep
5:27 PM: Sweep initiated using definitions version 954
5:27 PM: None
5:27 PM: Traces Found: 0
5:27 PM: Sweep Canceled
5:27 PM: Start Full Sweep
5:27 PM: Sweep initiated using definitions version 954
5:19 PM: None
5:19 PM: Traces Found: 0
5:19 PM: Memory Sweep Complete, Elapsed Time: 00:19:00
5:19 PM: Sweep Canceled
5:00 PM: Starting Memory Sweep
5:00 PM: Start Full Sweep
5:00 PM: Sweep initiated using definitions version 954
3:23 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
3:23 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
Keylogger: Off
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
3:22 PM: Shield States
3:22 PM: License Check Status (0): Success
3:22 PM: Spyware Definitions: 954
3:19 PM: Spy Sweeper 5.5.1.3356 started
3:19 PM: Spy Sweeper 5.5.1.3356 started
3:19 PM: | Start of Session, Thursday, July 26, 2007 |
***************
2:07 PM: Program Version 5.5.1.3356 Using Spyware Definitions 954
2:07 PM: Spy Sweeper 5.5.1.3356 started
2:07 PM: | Start of Session, Thursday, July 26, 2007 |
***************
2:59 PM: Deletion from quarantine completed. Elapsed time 00:00:00
2:59 PM: Processing: hermoment.com cookie
2:59 PM: Processing: myaffiliateprogram.com cookie
2:59 PM: Processing: onestat.com cookie
2:59 PM: Processing: yieldmanager cookie
2:59 PM: Processing: yadro cookie
2:59 PM: Processing: xxxcounter cookie
2:59 PM: Processing: xiti cookie
2:59 PM: Processing: wirefly cookie
2:59 PM: Processing: starware.com cookie
2:59 PM: Processing: redzip cookie
2:59 PM: Processing: burstbeacon cookie
2:59 PM: Processing: web-stat cookie
2:59 PM: Processing: webpower cookie
2:59 PM: Processing: valuead cookie
2:59 PM: Processing: tripod cookie
2:59 PM: Processing: tribalfusion cookie
2:59 PM: Processing: trb.com cookie
2:59 PM: Processing: trafficmp cookie
2:59 PM: Processing: tickle cookie
2:59 PM: Processing: tacoda cookie
2:59 PM: Processing: serving-sys cookie
2:59 PM: Processing: server.iad.liveperson cookie
2:59 PM: Processing: adjuggler cookie
2:59 PM: Processing: revenue.net cookie
2:59 PM: Processing: reunion cookie
2:59 PM: Processing: realmedia cookie
2:59 PM: Processing: overture cookie
2:59 PM: Processing: maxserving cookie
2:59 PM: Processing: ic-live cookie
2:59 PM: Processing: go.com cookie
2:59 PM: Processing: gamespy cookie
2:59 PM: Processing: atwola cookie
2:59 PM: Processing: falkag cookie
2:59 PM: Processing: pointroll cookie
2:59 PM: Processing: adknowledge cookie
2:59 PM: Processing: about cookie
2:59 PM: Processing: 2o7.net cookie
2:59 PM: Processing: questionmarket cookie
2:59 PM: Processing: pro-market cookie
2:59 PM: Processing: monstermarketplace cookie
2:59 PM: Processing: findwhat cookie
2:59 PM: Processing: atlas dmt cookie
2:59 PM: Processing: seekmo search assistant
2:59 PM: Deletion from quarantine initiated
2:59 PM: Removal process completed. Elapsed time 00:00:52
2:59 PM: Quarantining All Traces: hermoment.com cookie
2:59 PM: Quarantining All Traces: myaffiliateprogram.com cookie
2:59 PM: Quarantining All Traces: onestat.com cookie
2:59 PM: Quarantining All Traces: yieldmanager cookie
2:59 PM: Quarantining All Traces: yadro cookie
2:59 PM: Quarantining All Traces: xxxcounter cookie
2:59 PM: Quarantining All Traces: xiti cookie
2:59 PM: Quarantining All Traces: wirefly cookie
2:59 PM: Quarantining All Traces: starware.com cookie
2:59 PM: Quarantining All Traces: redzip cookie
2:59 PM: Quarantining All Traces: burstbeacon cookie
2:59 PM: Quarantining All Traces: web-stat cookie
2:59 PM: Quarantining All Traces: webpower cookie
2:59 PM: Quarantining All Traces: valuead cookie
2:59 PM: Quarantining All Traces: tripod cookie
2:59 PM: Quarantining All Traces: tribalfusion cookie
2:59 PM: Quarantining All Traces: trb.com cookie
2:59 PM: Quarantining All Traces: trafficmp cookie
2:59 PM: Quarantining All Traces: tickle cookie
2:59 PM: Quarantining All Traces: tacoda cookie
2:59 PM: Quarantining All Traces: serving-sys cookie
2:59 PM: Quarantining All Traces: server.iad.liveperson cookie
2:59 PM: Quarantining All Traces: adjuggler cookie
2:59 PM: Quarantining All Traces: revenue.net cookie
2:59 PM: Quarantining All Traces: reunion cookie
2:59 PM: Quarantining All Traces: realmedia cookie
2:59 PM: Quarantining All Traces: overture cookie
2:59 PM: Quarantining All Traces: maxserving cookie
2:59 PM: Quarantining All Traces: ic-live cookie
2:58 PM: Quarantining All Traces: go.com cookie
2:58 PM: Quarantining All Traces: gamespy cookie
2:58 PM: Quarantining All Traces: atwola cookie
2:58 PM: Quarantining All Traces: falkag cookie
2:58 PM: Quarantining All Traces: pointroll cookie
2:58 PM: Quarantining All Traces: adknowledge cookie
2:58 PM: Quarantining All Traces: about cookie
2:58 PM: Quarantining All Traces: 2o7.net cookie
2:58 PM: Quarantining All Traces: questionmarket cookie
2:58 PM: Quarantining All Traces: pro-market cookie
2:58 PM: Quarantining All Traces: monstermarketplace cookie
2:58 PM: Quarantining All Traces: findwhat cookie
2:58 PM: Quarantining All Traces: atlas dmt cookie
2:58 PM: Quarantining All Traces: seekmo search assistant
2:58 PM: Removal process initiated
2:57 PM: Traces Found: 113
2:57 PM: Full Sweep has completed. Elapsed time 00:49:53
2:57 PM: File Sweep Complete, Elapsed Time: 00:47:37
2:56 PM: Warning: Unable to sweep compressed file: External exception C0000006
2:56 PM: Warning: Unable to sweep compressed file: External exception C0000006
2:55 PM: Warning: Unable to sweep compressed file: External exception C0000006
2:55 PM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
2:53 PM: Warning: The file sweep got stuck and had to be terminated and restarted in "safe" (slow) mode.
2:50 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\local settings\temporary internet files\content.ie5\opeb4x6n\ol-fdbkv3_r1[1].js". Data error (cyclic redundancy check)
2:46 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\local settings\temporary internet files\content.ie5\85gpyv81\music[4].mp3". Data error (cyclic redundancy check)
2:42 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
2:42 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
2:41 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\application data\sun\java\deployment\cache\javapi\v1.0\jar\pa014r01.jar-742e7abc-6146a4c7.zip". Data error (cyclic redundancy check)
2:40 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\ntuser.dat.log". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\documents and settings\rusty hackelford\ntuser.dat". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\documents and settings\networkservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
2:40 PM: Warning: Failed to open file "c:\pagefile.sys". The process cannot access the file because it is being used by another process
2:40 PM: Warning: ProcessFiles DDA: Maximum error count exceeded. Restarting scan without Direct Disk Access. Volume may have been removed, or became unstable
2:40 PM: Warning: DDA Failure, error reading data. Index:48499. TVolumeNtNTFS.Read failed 2: Read starts at: 0x12A02A000 Len :0xC000
2:37 PM: Warning: Failed to read file "c:\documents and settings\rusty hackelford\my documents\downloaded program updates\update manager\recordnow data (basic) 2.0.0.1\data2001basic.exe". External exception C0000006
2:37 PM: Warning: Could not scan c:\windows\$hf_mig$\kb920342\sp2qfe\xpsp3res.dll with file offset match. Error: External exception C0000006
2:36 PM: Warning: Could not scan c:\windows\system32\wiaacmgr.exe with file offset match. Error: External exception C0000006
2:35 PM: Warning: DDA Failure, error reading data. Index:46064. TVolumeNtNTFS.Read failed 2: Read starts at: 0xB0BCC000 Len :0xE000
2:33 PM: Warning: DDA Failure, error reading data. Index:45855. TVolumeNtNTFS.Read failed 1: Read starts at: 0xA80A3000 Len :0x5000
2:30 PM: Warning: DDA Failure, error reading data. Index:45765. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA4587000 Len :0xC000
2:30 PM: Warning: DDA Failure, error reading data. Index:45746. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA3EA5000 Len :0x10000
2:29 PM: Warning: Could not scan c:\windows\microsoft.net\framework\v1.1.4322\system.enterpriseservices.dll with file offset match. Error: External exception C0000006
2:29 PM: Warning: DDA Failure, error reading data. Index:45722. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA3406000 Len :0x10000
2:28 PM: Warning: DDA Failure, error reading data. Index:45715. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA32EE000 Len :0xC000
2:27 PM: Warning: DDA Failure, error reading data. Index:45714. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA31CE000 Len :0xF000
2:27 PM: Warning: DDA Failure, error reading data. Index:45708. TVolumeNtNTFS.Read failed 2: Read starts at: 0xA2F86000 Len :0x10000
2:26 PM: Warning: DDA Failure, error reading data. Index:45631. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9F22C000 Len :0xF000
2:26 PM: Warning: DDA Failure, error reading data. Index:45630. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9F1C8000 Len :0x10000
2:25 PM: Warning: Could not scan c:\windows\microsoft.net\framework\v1.1.4322\c_g18030.dll with file offset match. Error: External exception C0000006
2:24 PM: Warning: DDA Failure, error reading data. Index:45581. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9BD9F000 Len :0x10000
2:24 PM: Warning: DDA Failure, error reading data. Index:45571. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9B53C000 Len :0xD000
2:24 PM: Warning: DDA Failure, error reading data. Index:45569. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9B41C000 Len :0xD000
2:22 PM: Warning: DDA Failure, error reading data. Index:45556. TVolumeNtNTFS.Read failed 2: Read starts at: 0x9ABCA000 Len :0xD000
2:22 PM: Warning: DDA Failure, error reading data. Index:45456. TVolumeNtNTFS.Read failed 2: Read starts at: 0x97EBE000 Len :0x10000
2:10 PM: Starting File Sweep
2:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
2:10 PM: cookies.txt (ID = 2774)
2:10 PM: cookies.txt (ID = 2774)
2:10 PM: cookies.txt (ID = 2774)
2:10 PM: cookies.txt (ID = 2774)
2:10 PM: Found Spy Cookie: hermoment.com cookie
2:10 PM: cookies.txt (ID = 3032)
2:10 PM: Found Spy Cookie: myaffiliateprogram.com cookie
2:10 PM: cookies.txt (ID = 3098)
2:10 PM: cookies.txt (ID = 3098)
2:10 PM: Found Spy Cookie: onestat.com cookie
2:10 PM: cookies.txt (ID = 3106)
2:10 PM: cookies.txt (ID = 3751)
2:10 PM: cookies.txt (ID = 3751)
2:10 PM: cookies.txt (ID = 3751)
2:10 PM: cookies.txt (ID = 3749)
2:10 PM: Found Spy Cookie: yieldmanager cookie
2:10 PM: cookies.txt (ID = 3743)
2:10 PM: Found Spy Cookie: yadro cookie
2:10 PM: cookies.txt (ID = 3733)
2:10 PM: cookies.txt (ID = 3733)
2:10 PM: Found Spy Cookie: xxxcounter cookie
2:10 PM: cookies.txt (ID = 3717)
2:10 PM: Found Spy Cookie: xiti cookie
2:10 PM: cookies.txt (ID = 3694)
2:10 PM: Found Spy Cookie: wirefly cookie
2:10 PM: cookies.txt (ID = 3442)
2:10 PM: Found Spy Cookie: starware.com cookie
2:10 PM: cookies.txt (ID = 3250)
2:10 PM: Found Spy Cookie: redzip cookie
2:10 PM: cookies.txt (ID = 2335)
2:10 PM: Found Spy Cookie: burstbeacon cookie
2:10 PM: cookies.txt (ID = 3648)
2:10 PM: cookies.txt (ID = 3648)
2:10 PM: cookies.txt (ID = 3648)
2:10 PM: Found Spy Cookie: web-stat cookie
2:10 PM: cookies.txt (ID = 3660)
2:10 PM: Found Spy Cookie: webpower cookie
2:10 PM: cookies.txt (ID = 3626)
2:10 PM: cookies.txt (ID = 3626)
2:10 PM: cookies.txt (ID = 3626)
2:10 PM: cookies.txt (ID = 3626)
2:10 PM: Found Spy Cookie: valuead cookie
2:10 PM: cookies.txt (ID = 3591)
2:10 PM: Found Spy Cookie: tripod cookie
2:10 PM: cookies.txt (ID = 3589)
2:10 PM: Found Spy Cookie: tribalfusion cookie
2:10 PM: cookies.txt (ID = 3587)
2:10 PM: cookies.txt (ID = 3587)
2:10 PM: Found Spy Cookie: trb.com cookie
2:10 PM: cookies.txt (ID = 3581)
2:10 PM: cookies.txt (ID = 3581)
2:10 PM: cookies.txt (ID = 3581)
2:10 PM: cookies.txt (ID = 3581)
2:10 PM: cookies.txt (ID = 3581)
2:10 PM: cookies.txt (ID = 3581)
2:10 PM: Found Spy Cookie: trafficmp cookie
2:10 PM: cookies.txt (ID = 3529)
2:10 PM: Found Spy Cookie: tickle cookie
2:10 PM: cookies.txt (ID = 6444)
2:10 PM: cookies.txt (ID = 6444)
2:10 PM: Found Spy Cookie: tacoda cookie
2:10 PM: cookies.txt (ID = 3343)
2:10 PM: cookies.txt (ID = 3343)
2:10 PM: cookies.txt (ID = 3343)
2:10 PM: cookies.txt (ID = 3343)
2:10 PM: cookies.txt (ID = 3343)
2:10 PM: Found Spy Cookie: serving-sys cookie
2:10 PM: cookies.txt (ID = 3341)
2:10 PM: Found Spy Cookie: server.iad.liveperson cookie
2:10 PM: cookies.txt (ID = 2729)
2:10 PM: cookies.txt (ID = 2729)
2:10 PM: cookies.txt (ID = 2071)
2:10 PM: Found Spy Cookie: adjuggler cookie
2:10 PM: cookies.txt (ID = 3257)
2:10 PM: Found Spy Cookie: revenue.net cookie
2:10 PM: cookies.txt (ID = 3255)
2:10 PM: cookies.txt (ID = 3255)
2:10 PM: cookies.txt (ID = 3255)
2:10 PM: cookies.txt (ID = 3255)
2:10 PM: Found Spy Cookie: reunion cookie
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: cookies.txt (ID = 3235)
2:10 PM: Found Spy Cookie: realmedia cookie
2:10 PM: cookies.txt (ID = 3217)
2:10 PM: cookies.txt (ID = 3217)
2:10 PM: cookies.txt (ID = 3217)
2:10 PM: cookies.txt (ID = 3217)
2:10 PM: cookies.txt (ID = 3106)
2:10 PM: Found Spy Cookie: overture cookie
2:10 PM: cookies.txt (ID = 2966)
2:10 PM: cookies.txt (ID = 2966)
2:10 PM: Found Spy Cookie: maxserving cookie
2:10 PM: cookies.txt (ID = 2821)
2:10 PM: Found Spy Cookie: ic-live cookie
2:10 PM: cookies.txt (ID = 2728)
2:10 PM: Found Spy Cookie: go.com cookie
2:10 PM: cookies.txt (ID = 2719)
2:10 PM: Found Spy Cookie: gamespy cookie
2:10 PM: cookies.txt (ID = 2255)
2:10 PM: Found Spy Cookie: atwola cookie
2:10 PM: cookies.txt (ID = 2253)
2:10 PM: cookies.txt (ID = 2650)
2:10 PM: cookies.txt (ID = 2650)
2:10 PM: cookies.txt (ID = 2650)
2:10 PM: cookies.txt (ID = 2650)
2:10 PM: Found Spy Cookie: falkag cookie
2:10 PM: cookies.txt (ID = 3148)
2:10 PM: cookies.txt (ID = 3148)
2:10 PM: cookies.txt (ID = 3148)
2:10 PM: cookies.txt (ID = 3148)
2:10 PM: Found Spy Cookie: pointroll cookie
2:10 PM: cookies.txt (ID = 2072)
2:10 PM: cookies.txt (ID = 2072)
2:10 PM: Found Spy Cookie: adknowledge cookie
2:10 PM: cookies.txt (ID = 2037)
2:10 PM: cookies.txt (ID = 2037)
2:10 PM: cookies.txt (ID = 2037)
2:10 PM: cookies.txt (ID = 2037)
2:10 PM: cookies.txt (ID = 2037)
2:10 PM: cookies.txt (ID = 2037)
2:10 PM: Found Spy Cookie: about cookie
2:10 PM: cookies.txt (ID = 1957)
2:10 PM: cookies.txt (ID = 1957)
2:10 PM: cookies.txt (ID = 1957)
2:10 PM: cookies.txt (ID = 1957)
2:10 PM: cookies.txt (ID = 1957)
2:10 PM: Found Spy Cookie: 2o7.net cookie
2:10 PM: rusty_hackelford@www.monstermarketplace[2].txt (ID = 3007)
2:10 PM: rusty_hackelford@questionmarket[1].txt (ID = 3217)
2:10 PM: Found Spy Cookie: questionmarket cookie
2:10 PM: rusty_hackelford@pro-market[2].txt (ID = 3197)
2:10 PM: Found Spy Cookie: pro-market cookie
2:10 PM: rusty_hackelford@monstermarketplace[2].txt (ID = 3006)
2:10 PM: Found Spy Cookie: monstermarketplace cookie
2:10 PM: rusty_hackelford@findwhat[1].txt (ID = 2674)
2:10 PM: Found Spy Cookie: findwhat cookie
2:10 PM: rusty_hackelford@atdmt[2].txt (ID = 2253)
2:10 PM: Found Spy Cookie: atlas dmt cookie
2:10 PM: Starting Cookie Sweep
2:10 PM: Registry Sweep Complete, Elapsed Time:00:00:20
2:09 PM: HKLM\software\classes\appid\seekmotb.dll\ || appid (ID = 1590588)
2:09 PM: HKLM\software\classes\appid\{21b8997e-251a-412c-a805-b0a4f791b03e}\ (ID = 1575467)
2:09 PM: HKLM\software\classes\appid\seekmotb.dll\ (ID = 1575465)
2:09 PM: HKCR\appid\{21b8997e-251a-412c-a805-b0a4f791b03e}\ (ID = 1575428)
2:09 PM: HKCR\appid\seekmotb.dll\ (ID = 1575426)
2:09 PM: Found Adware: seekmo search assistant
2:09 PM: Starting Registry Sweep
2:09 PM: Memory Sweep Complete, Elapsed Time: 00:01:41
2:08 PM: Starting Memory Sweep
2:07 PM: Sweep initiated using definitions version 954
2:07 PM: Spy Sweeper 5.5.1.3356 started
2:07 PM: | Start of Session, Thursday, July 26, 2007 |

#2 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 29 July 2007 - 12:56 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install; make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

#3 fasterpssycat

  • Topic Starter
  • Members
  • 8 posts

Posted 02 August 2007 - 02:08 PM

Thanks for helping me out. Sorry for the late reply. We're moving and things have been hectic. I managed to get rid of the Zlob.DNS, I think. Spybot hasn't found it for a few days. I've turned off Automatic Updates because I keep getting the Firewall and Antivirus disable showing up in the registry. Spyware also keeps finding cookies that they flag as threats that I continue to clean every time they're found. There was also DriverCleaner2006 that was showing up for a while. I'm paranoid at this point because I don't know what else is hidden along with these nasties.

Here's the Fixwareout log:

Username "Rusty Hackelford" - 2007-08-02 13:40:56 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdeqe.exe"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"REGSHAVE"="\"C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE\" /AUTORUN"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CanonMyPrinter"="\"C:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe\" /logon"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Apoint"="\"C:\\Program Files\\Apoint\\Apoint.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WMPNSCFG"="\"C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe\""
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


And here's Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:40 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9716 bytes



Thanks!

#4 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 03 August 2007 - 08:20 AM

Acrobat Reader is outdated; uninstall the one you have installed and install the latest one from here:

http://www.adobe.com/products/acrobat/readstep2.html

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press on "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post back with the Kaspersky log and a new HijackThis log, and let me know of any remaining problems.

Also, did you install WinPcap? And please expand on what you mean by this:

I keep getting the Firewall and Antivirus disable showing up in the registry.



#5 fasterpssycat

  • Topic Starter
  • Members
  • 8 posts

Posted 06 August 2007 - 07:27 PM

Alrighty, I did it all down to the Kaspersky. The Kaspersky scan keeps sticking when it gets to the file c:\i386\cdintf.dll. I can't get it past this point. It says that it's found 4 viruses and 6 infected files; it's made it as far as 10,020 files scanned when it sticks.

The AntiVirus, Firewall, and Updater thing is in the registry:

MyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

AntiVirusDisableNotify REG_DWORD 0x00000000 (0)
AntiVirusOverride REG_DWORD 0x00000000 (0)
FirewallDisableNotify REG_DWORD 0x00000000 (0)
FirewallOverride REG_DWORD 0x00000000 (0)
UpdatesDisableNotify REG_DWORD 0x00000000 (0)

This is the Spybot log:

FunWebProducts: Program directory (Directory, nothing done)
C:\Documents and Settings\Rusty Hackelford\Application Data\FunWebProducts\

FunWebProducts: Program directory (Directory, nothing done)
C:\Documents and Settings\Rusty Hackelford\Application Data\FunWebProducts\Data\


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-07-27 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-01 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-01 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-01 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-01 Includes\KeyloggersC.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-01 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-08-01 Includes\PUPSC.sbi (*)
2007-08-01 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-01 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-08-01 Includes\Trojans.sbi (*)
2007-08-01 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll


Here's another Fixwareout log. I removed and reloaded the most recent Acrobat Reader.

Username "Rusty Hackelford" - 08/06/2007 15:21:55 [Fixwareout edited 2007/07/05]

»»»»»Prerun check


»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"REGSHAVE"="\"C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE\" /AUTORUN"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CanonMyPrinter"="\"C:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe\" /logon"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Apoint"="\"C:\\Program Files\\Apoint\\Apoint.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WMPNSCFG"="\"C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe\""
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

#6 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 07 August 2007 - 09:29 AM

AntiVirusDisableNotify REG_DWORD 0x00000000 (0)
AntiVirusOverride REG_DWORD 0x00000000 (0)
FirewallDisableNotify REG_DWORD 0x00000000 (0)
FirewallOverride REG_DWORD 0x00000000 (0)
UpdatesDisableNotify REG_DWORD 0x00000000 (0)


A DWORD value of 0x00000000 means that the policy is disabled, which is what these policies should be set to, so they are nothing to worry about.
  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Delete this folder:

C:\Documents and Settings\Rusty Hackelford\Application Data\FunWebProducts\

Then please post a new HijackThis log
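Added example, not from this thread or from any of the tools it mentions: a read-only PowerShell audit of the Security Center values random/random explains above (0 is the expected state) and of the Winlogon "System" value that the Fixwareout log in post #3 showed as "kdeqe.exe" before the fix and "" after it. It assumes the clean defaults for Winlogon "Shell" and "Userinit" are explorer.exe and system32\userinit.exe, and reports any value that departs from those.

```powershell
# Added example (not from the thread). Reads the registry only; no changes are made.

function Test-SecurityCenterValues {
    # As explained in the thread, 0 means the "disable notification" / "override"
    # policy is off, which is the expected state. A nonzero value is a finding to
    # review (a user can also set it from the Security Center UI, so it is not
    # proof of infection on its own). Values that are absent are skipped.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $names = 'AntiVirusDisableNotify', 'AntiVirusOverride',
             'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify'
    $findings = @()
    if (-not (Test-Path $key)) { return $findings }
    $props = Get-ItemProperty -Path $key
    foreach ($n in $names) {
        $v = $props.$n
        if ($null -ne $v -and $v -ne 0) {
            $findings += [pscustomobject]@{
                Location = "$key\$n"
                Value    = $v
                Note     = 'Security Center notification/override set; expected 0'
            }
        }
    }
    return $findings
}

function Test-WinlogonValues {
    # Fixwareout's pre-run check showed Winlogon "System"="kdeqe.exe" and its
    # post-run check showed "". On a clean system "System" is empty, "Shell" is
    # explorer.exe and "Userinit" is <system32>\userinit.exe (assumed defaults),
    # so any other entry in these comma-separated lists is reported.
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sysdir   = [Environment]::GetFolderPath('System')   # e.g. C:\WINDOWS\system32
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = (Join-Path $sysdir 'userinit.exe')
    }
    $props    = Get-ItemProperty -Path $key
    $findings = @()

    if ($props.System) {
        $findings += [pscustomobject]@{
            Location = "$key\System"
            Value    = $props.System
            Note     = 'Winlogon System value should be empty'
        }
    }
    foreach ($n in $expected.Keys) {
        $v = $props.$n
        if (-not $v) { continue }
        # Split the list, drop quotes and the trailing empty element that the
        # default Userinit value ("...\userinit.exe,") produces.
        $parts = $v -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
        foreach ($p in $parts) {
            if ($p -ne $expected[$n]) {      # -ne is case-insensitive in PowerShell
                $findings += [pscustomobject]@{
                    Location = "$key\$n"
                    Value    = $v
                    Note     = "Unexpected entry '$p' (expected only $($expected[$n]))"
                }
            }
        }
    }
    return $findings
}

$all = @(Test-SecurityCenterValues) + @(Test-WinlogonValues)
if ($all.Count -eq 0) {
    Write-Output 'No findings: Security Center values are 0 and Winlogon values are at defaults.'
} else {
    $all | Format-Table -AutoSize
}
```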

#7 fasterpssycat

  • Topic Starter
  • Members
  • 8 posts

Posted 07 August 2007 - 11:21 AM

Ok, all of that's done.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:28 AM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9159 bytes

#8 random/random (Malware Response Team, 2,704 posts)
Posted 07 August 2007 - 01:41 PM

  • Note: You will need to use Internet Explorer for this scan
  • Go here to run an online scan from F-Secure
  • Click on Start scanning
  • This will open a new Internet Explorer window
  • It will require an ActiveX control; please install it
  • Click Accept
  • Click Full System Scan
  • It will now download the scanner; this may take a while, please be patient
  • It will then start scanning; wait for the scan to finish
  • Click Automatic cleaning (recommended)
  • Wait for it to finish the cleaning process
  • Click Show report
  • This will open up a window with the results of the scan; copy and paste those results as a reply to this topic
Also let me know if you installed WinPcap, post a new HijackThis log, and let me know of any remaining problems.
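
The WinPcap question above comes from the O23 line for rpcapd in the log, which HijackThis reports with "Unknown owner". As an added example (not part of the thread, and not HijackThis code), here is a small PowerShell triage pass over the O4, O16 and O23 line formats seen in these logs. The sample lines are copied from the logs in this thread; the triage rules and the ActiveX host allowlist are my own assumptions, not anything HijackThis itself does.

```powershell
# Added example, not part of the thread and not HijackThis code. It parses the
# O4, O16 and O23 line formats seen in the logs above and applies a few triage
# rules. The sample lines are copied from this thread's logs; the rules and the
# ActiveX host allowlist are assumptions, not anything HijackThis does.
$SampleLog = @'
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
'@

# Turn one log line into an object with Type, Name, Source and Target.
# Source is the registry hive (O4), the CLSID (O16) or the vendor string (O23).
function ConvertFrom-HijackThisLine {
    param([Parameter(Mandatory)][string]$Line)
    switch -Regex ($Line) {
        '^O4 - (?<hive>\S+?)\\\.\.\\Run: \[(?<name>[^\]]*)\] (?<cmd>.*)$' {
            return [pscustomobject]@{ Type = 'O4';  Name = $Matches.name; Source = $Matches.hive;   Target = $Matches.cmd }
        }
        '^O16 - DPF: (?<clsid>\{[^}]+\}) \((?<name>[^)]*)\) - (?<url>\S+)$' {
            return [pscustomobject]@{ Type = 'O16'; Name = $Matches.name; Source = $Matches.clsid;  Target = $Matches.url }
        }
        '^O23 - Service: (?<name>.+?) - (?<vendor>.+?) - (?<path>.+)$' {
            return [pscustomobject]@{ Type = 'O23'; Name = $Matches.name; Source = $Matches.vendor; Target = $Matches.path }
        }
    }
}

# Heuristic triage. "Unknown owner" means the binary carries no company name in
# its version information, which is a prompt to verify, not a verdict: the Dell
# wireless service in the sample trips it and is legitimate.
function Find-SuspiciousEntries {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Assumed allowlist of ActiveX download hosts, matched as a domain suffix.
    $allowedHosts = '^https?://[^/]*\.(microsoft|msn|kaspersky|f-secure|facebook)\.com/'
    foreach ($line in $Lines) {
        $e = ConvertFrom-HijackThisLine -Line $line
        if (-not $e) { continue }
        $why = @()
        if ($e.Type -eq 'O23' -and $e.Source -eq 'Unknown owner') {
            $why += 'no company name in the service binary; confirm you installed it'
        }
        if ($e.Type -eq 'O23' -and $e.Name -match 'rpcapd|Remote Packet Capture') {
            $why += 'rpcapd accepts remote packet-capture sessions (WinPcap); remove unless intentional'
        }
        if ($e.Type -eq 'O4' -and $e.Target -notmatch '\.(exe|dll|cmd|bat)\b') {
            $why += 'run entry with no recognizable executable extension; check what it launches'
        }
        if ($e.Type -eq 'O16' -and $e.Target -notmatch $allowedHosts) {
            $why += 'ActiveX control downloaded from a host outside the allowlist'
        }
        if ($why) {
            [pscustomobject]@{ Type = $e.Type; Name = $e.Name; Target = $e.Target; Why = ($why -join '; ') }
        }
    }
}

Find-SuspiciousEntries -Lines ($SampleLog -split '\r?\n') | Format-Table -AutoSize -Wrap
```

On the sample lines this reports three entries: the rpcapd service (unknown owner, and a remote capture listener), the Dell wltrysvc service (unknown owner only), and the WLTRAY run entry, whose command has no .exe extension. Only the first of those is something the helper acted on; the other two show why a flag from a script like this still needs a human to look at the file before anything is removed.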

#9 fasterpssycat (Topic Starter, Members, 8 posts)
Posted 07 August 2007 - 07:50 PM

I have not installed WinPcap. Also, none of the online scanners will run. They all either time out on the previously mentioned file or give me an error message automatically. I don't know what to do from here. The Kaspersky scan still tells me I have 4 viruses and 6 infected files.

#10 random/random (Malware Response Team, 2,704 posts)
Posted 08 August 2007 - 06:16 AM

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present:
WinPcap

Copy/paste the following quote box into a new Notepad (not WordPad) document. Make sure that word wrap is turned off.

rem Write the file's current ACL to a report, open the report, then delete it
cacls.exe c:\i386\cdintf.dll > aclreport.txt
notepad.exe aclreport.txt
del aclreport.txt


Save it to your Desktop as search.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: search.bat

Locate search.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.
Once it has finished, a Notepad window will open.
Copy and paste the contents of that window as a reply to this topic.

#11 fasterpssycat (Topic Starter, Members, 8 posts)
Posted 08 August 2007 - 09:03 AM

Here it is:

c:\i386\cdintf.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BRENNA\Rusty Hackelford:F
BUILTIN\Users:R




Thank you for taking the time to wrestle with this. I truly appreciate it.

#12 random/random (Malware Response Team, 2,704 posts)
Posted 09 August 2007 - 11:51 AM

In order to stop Kaspersky from scanning that file, we'll try denying NTFS file permissions on it.

Copy/paste the following quote box into a new Notepad (not WordPad) document. Make sure that word wrap is turned off.

rem Deny Everyone access to the file the scanner hangs on
cacls.exe c:\i386\cdintf.dll /d Everyone:F


Save it to your Desktop as deny.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: deny.bat

Locate deny.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Then try running the Kaspersky scan again.

#13 fasterpssycat (Topic Starter, Members, 8 posts)
Posted 13 August 2007 - 12:50 PM

I've tried to run it several times over the weekend. It still keeps hanging up on that file. Is it possible that the file is corrupted? I'm pulling that out of nowhere, but just thought I'd ask.

#14 random/random (Malware Response Team, 2,704 posts)
Posted 14 August 2007 - 04:28 AM

Is it possible that the file is corrupted?


Yes, it is possible, so we're going to delete it.

We're going to use a batch file to do it, since we need to reset the permissions we changed, and Windows Explorer sometimes has issues removing corrupted files.

Copy/paste the following quote box into a new Notepad (not WordPad) document. Make sure that word wrap is turned off.

rem Give Everyone full control again (replacing the deny), then force-delete the file
cacls.exe c:\i386\cdintf.dll /P Everyone:F
del /f c:\i386\cdintf.dll


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanup.bat

Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Then try running the Kaspersky scan again.
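
The three batch files in posts #10, #12 and #14 are one procedure: read the file's ACL, add a deny entry so the scanner cannot open the file, then put the permissions back and delete it. As an added example (not from the thread, and not code from any of the helpers or vendors named in it), here is the same procedure in PowerShell using Get-Acl and Set-Acl, so each step can be inspected and reversed. It assumes Windows PowerShell 5.1 or later, an elevated prompt, and that $Target stands in for the file the scanner hangs on; the path is the one from the thread.

```powershell
# Added example; not from the thread or from any vendor tool. It redoes the
# three batch files (search.bat, deny.bat, cleanup.bat) with Get-Acl/Set-Acl so
# each step is visible and reversible. Assumes Windows PowerShell 5.1 or later
# and an elevated prompt; $Target is a stand-in for the file the scanner hangs on.
$Target = 'C:\i386\cdintf.dll'   # the path from the thread; substitute your own

# Step 1 (search.bat): list the ACL, the same information "cacls.exe file" prints.
function Get-FileAccess {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Step 2 (deny.bat): add an explicit Deny ACE for Everyone. The existing
# entries stay in place; only the deny is added on top of them.
function Block-EveryoneAccess {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList 'Everyone', 'FullControl', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Step 3 (cleanup.bat): take the Deny ACE off again, then delete the file.
# A deny for Everyone covers Administrators too, but the file's owner keeps the
# implicit READ_CONTROL and WRITE_DAC rights, which is what lets the reset work.
function Unblock-AndRemove {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList 'Everyone', 'FullControl', 'Deny'
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $Path -Force
}

# Record what the file is before it disappears; the thread never identified it.
Get-FileHash -LiteralPath $Target -Algorithm SHA256 | Format-List Path, Hash
Get-FileAccess -Path $Target | Format-Table -AutoSize
Block-EveryoneAccess -Path $Target
Get-FileAccess -Path $Target | Format-Table -AutoSize
# Unblock-AndRemove -Path $Target   # run this once the deny has been tested
```

Two caveats a practitioner would want. First, hashing the file before deleting it is the one step the thread skipped: without it there is no way to tell afterwards whether cdintf.dll was malware, a damaged Windows setup file, or something else. Second, step 3 only succeeds because the account running it is the file's owner or a member of the owner group; if it is not, take ownership first. On Vista and later the cmd equivalents are `icacls file /deny Everyone:F` and `icacls file /remove:d Everyone`, which, like the PowerShell above, add and remove a single entry rather than rewriting the whole ACL the way cacls without /E does.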

#15 fasterpssycat (Topic Starter, Members, 8 posts)
Posted 16 August 2007 - 01:19 PM

It worked insofar as it didn't get caught on that file... It keeps sticking at 55-56% through the scan. Now it's hanging up on a different file with the same i386 in it. It's still finding the 4 viruses and 6 infected files. Here's a new HijackThis log, just in case.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:43 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NABMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9922 bytes



