Help With Internet And Im...

14 replies to this topic

#1 nakedyak

Posted 25 February 2006 - 02:41 AM

Hello, I am a new user here. I have finally decided to look to the internet to find some answers to my problems. I hope someone here knows the answer to my strange issue.

Around early January, I noticed that I had a strange process running on my computer, rlvknlg.exe. I searched online, found some info about it, and followed the steps I found to get rid of it. I ended up deleting a few things in the registry, and also that program and its files. After that, I think, is when my internet trouble started.

When I open IE or Firefox, it takes forever to load my home page. At least 2 or 3 minutes. Usually, it will say that the page cannot be loaded. Then if I hit the refresh button, it will load after that. This happens sometimes to every site I go to, and then other times it will work decently for a while, and go back to the "page not loading" page. It is very sporadic. This is extremely frustrating for things like online classes, because when you go to submit the answers for a test and it won't load, you hit refresh and lose all the answers. That's happened a few times now.

The other problem is with AOL Instant Messenger. The program is uncommonly slow. When sending normal IMs, typing sometimes becomes slow, and when I hit Enter to send the message, nothing will happen for like 10 seconds. Then it will send the message. Sometimes in the middle of typing, it will freeze up for a while. It's like something is eating up CPU cycles, but nothing is. I don't know if the two problems are related, but I recall that they started happening around the same time.

I will include this logfile from HijackThis; I don't know if it will help, but here ya go. If anyone has any advice or help I would appreciate it. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 2:32:01 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Bit Lord 1.1\BitLord.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy3.cedarville.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.cedarville.edu;<local>
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aurigma Image Uploader 2.0 - http://www.appleprints.com/PhotoSite/AddPi...geUploader2.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/301e78e80a83a2ee8d02/netzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CCBDD1DC-5FCF-43E5-6BAD-DA44CB0BA16A} - http://public.searchbarcash.com/cab/010/esfzpzex.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - C:\Novell\Messenger\nmcg32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe


#2 Rawe

Posted 25 February 2006 - 10:25 AM

Hello and welcome to the site.. Yes, your log helps me. :thumbsup: Let's get started.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it:
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of rlls.dll
  • Select every instance of rlls.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>
==

Post back with a fresh HijackThis log.
Hi there, stranger!

#3 nakedyak (Topic Starter)

Posted 25 February 2006 - 12:55 PM

Thanks for the help!

Here is the fresh log file.

Logfile of HijackThis v1.99.1
Scan saved at 12:55:40 PM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\Documents and Settings\John\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy3.cedarville.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.cedarville.edu;<local>
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aurigma Image Uploader 2.0 - http://www.appleprints.com/PhotoSite/AddPi...geUploader2.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/301e78e80a83a2ee8d02/netzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CCBDD1DC-5FCF-43E5-6BAD-DA44CB0BA16A} - http://public.searchbarcash.com/cab/010/esfzpzex.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - C:\Novell\Messenger\nmcg32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

#4 nakedyak (Topic Starter)

Posted 25 February 2006 - 12:58 PM

Websites seem to be working smoother, but when I try to send IMs they still take a long time. Anything else I can do?

#5 Rawe

Posted 25 February 2006 - 01:02 PM

Let's take care of the rest then.. :thumbsup:

==

Run a scan with HijackThis and check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/301e78e80a83a2ee8d02/netzip/RdxIE2.cab
O16 - DPF: {CCBDD1DC-5FCF-43E5-6BAD-DA44CB0BA16A} - http://public.searchbarcash.com/cab/010/esfzpzex.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

Reboot.

==

After reboot:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :flowers:

Hi there, stranger!
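The checks Rawe applies in posts #2 and #5 (the O10 Winsock LSP entries, the "(no file)" orphans and the O16 ActiveX control pulled from a bare IP address), written up here as a small HijackThis log triage script; this is added example code, not HijackThis or anything the posters ran, and the sample log lines are constructed from the entry formats seen in this thread rather than copied from the full logs. The before/after comparison at the end is the check behind "post back with a fresh HijackThis log".

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a few lines in HijackThis v1.99.1 format, modelled on
# the entry types seen in this thread (not the poster's full log).
BEFORE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us",
    r"R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/301e78e80a83a2ee8d02/netzip/RdxIE2.cab",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835",
]
# Constructed "fresh log" after LSPFix: identical except the O10 lines are gone.
AFTER_LINES = [line for line in BEFORE_LINES if not line.startswith("O10 ")]

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$", re.IGNORECASE)
URL_RE = re.compile(r"- (https?://\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_entries(lines):
    """Split a HijackThis log into (section, body) pairs, e.g. ("O10", "Unknown ...").
    Header lines and the 'Running processes' block do not match and are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def lsp_dll_counts(entries):
    """Count how many times each DLL appears in the O10 Winsock LSP entries.
    A DLL layered into the LSP chain is loaded by every Winsock-using process,
    which is why one bad DLL can slow both the browsers and the IM client."""
    counts = Counter()
    for section, body in entries:
        if section == "O10":
            m = LSP_RE.match(body)
            if m:
                counts[m.group(1).strip().lower()] += 1
    return counts


def orphaned_entries(entries):
    """Entries whose target is '(no file)': a search hook, BHO or button whose
    DLL is gone (often a half-removed infection), safe to clear in HijackThis."""
    return [f"{s} - {b}" for s, b in entries if b.endswith("(no file)")]


def dpf_from_ip_host(entries):
    """O16 (Downloaded Program Files / ActiveX) entries fetched from a bare IP
    address rather than a hostname, one of the items Rawe marked for removal."""
    hits = []
    for section, body in entries:
        if section != "O16":
            continue
        m = URL_RE.search(body)
        if m and IPV4_RE.match(urlsplit(m.group(1)).hostname or ""):
            hits.append(f"{section} - {body}")
    return hits


def lsp_dlls_removed(before_lines, after_lines):
    """DLLs present in the LSP chain of the first log and absent from the fresh
    one: the verification behind 'post back with a fresh HijackThis log'."""
    before = set(lsp_dll_counts(parse_entries(before_lines)))
    after = set(lsp_dll_counts(parse_entries(after_lines)))
    return before - after


def triage(lines):
    """One-shot summary of the three checks for a log given as a list of lines."""
    entries = parse_entries(lines)
    return {
        "lsp_dlls": dict(lsp_dll_counts(entries)),
        "orphaned": orphaned_entries(entries),
        "dpf_ip_hosts": dpf_from_ip_host(entries),
    }


if __name__ == "__main__":
    for key, value in triage(BEFORE_LINES).items():
        print(f"{key}: {value}")
    print("LSP DLLs removed by the fix:", lsp_dlls_removed(BEFORE_LINES, AFTER_LINES))
```

To run it on a real log, read the file into a list of lines and pass it to triage(); anything not in HijackThis "Rn - " / "On - " form is ignored.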

#6 nakedyak (Topic Starter)

Posted 25 February 2006 - 03:14 PM

Here are the results:


Incident Status Location

Adware:adware/talkstocks Not disinfected C:\WINDOWS\SYSTEM32\mstbl.ocx
Adware:adware/swimsuitnetwork Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ActiveInstall.dll
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/gator Not disinfected C:\GatorPatch.log
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb_gdf.dat
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\MedCh
Spyware:spyware/bridge Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\TOOLBAR
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Cookies\john@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\John\Cookies\john@64.62.232[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\John\Cookies\john@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\John\Cookies\john@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\John\Cookies\john@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\John\Cookies\john@adtech[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\John\Cookies\john@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\John\Cookies\john@as-us.falkag[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\John\Cookies\john@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\John\Cookies\john@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\John\Cookies\john@bluestreak[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\John\Cookies\john@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\John\Cookies\john@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\John\Cookies\john@casalemedia[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\John\Cookies\john@cs.sexcounter[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\John\Cookies\john@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\John\Cookies\john@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\Cookies\john@go[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\John\Cookies\john@hc2.humanclick[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John\Cookies\john@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@overture[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\John\Cookies\john@paycounter[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John\Cookies\john@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Cookies\john@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John\Cookies\john@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\John\Cookies\john@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John\Cookies\john@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\John\Cookies\john@www.burstbeacon[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\John\Cookies\john@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\John\Cookies\john@zedo[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.com.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Guest\Cookies\guest@data.coremetrics[2].txt
Spyware:Cookie/Gator Not disinfected C:\Documents and Settings\Guest\Cookies\guest@webpdp.gator[1].txt
Virus:Trj/Downloader.AN Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\Z8PFBPCE\bridge[1].exe
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Cookies\john@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\John\Cookies\john@64.62.232[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\John\Cookies\john@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\John\Cookies\john@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\John\Cookies\john@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\John\Cookies\john@adtech[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\John\Cookies\john@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\John\Cookies\john@as-us.falkag[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\John\Cookies\john@ask[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\John\Cookies\john@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\John\Cookies\john@bluestreak[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\John\Cookies\john@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\John\Cookies\john@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\John\Cookies\john@casalemedia[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\John\Cookies\john@cs.sexcounter[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\John\Cookies\john@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\John\Cookies\john@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\Cookies\john@go[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\John\Cookies\john@hc2.humanclick[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John\Cookies\john@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@overture[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\John\Cookies\john@paycounter[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John\Cookies\john@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Cookies\john@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John\Cookies\john@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\John\Cookies\john@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John\Cookies\john@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\John\Cookies\john@www.burstbeacon[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\John\Cookies\john@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\John\Cookies\john@zedo[2].txt
Adware:Adware/Alexa-Toolbar Not disinfected C:\Documents and Settings\John\My Documents\cntdwnsetup.exe
Adware:Adware/BlazeFind Not disinfected C:\WINDOWS\bar.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\bi.inf
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\SYSTEM32\MSCStat2.exe
Adware:Adware/TalkStocks Not disinfected C:\WINDOWS\vpnpttpt.dll

#7 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 25 February 2006 - 03:23 PM

Ok.. Let's continue. :thumbsup:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\mstbl.ocx
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\ActiveInstall.dll
    C:\WINDOWS\INF\biini.inf
    C:\GatorPatch.log
    C:\WINDOWS\msbb_gdf.dat
    C:\Documents and Settings\John\My Documents\cntdwnsetup.exe
    C:\WINDOWS\bar.exe
    C:\WINDOWS\INF\bi.inf
    C:\WINDOWS\SYSTEM32\MSCStat2.exe
    C:\WINDOWS\vpnpttpt.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

After reboot:

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following entry if present:

MedCh

After that, please navigate to and delete the following folder if present:

C:\PROGRAM FILES\MedCh\

==

Finally:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Run a scan with Panda again; post the fresh log here, and let me know how the system is running now. :flowers:
Hi there, stranger!
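
The deletion list in the post above was read off the Panda log by hand: registry-only hits, tracking cookies and the browser cache are left to other steps (Add/Remove Programs, ATF Cleaner), and only the on-disk files go to Killbox. As an added example, not part of this thread and not Panda's or Killbox's code, here is a Python triage script that makes that split explicit. The bucket names, the assumption that "Not disinfected" and "Disinfected" are the only status phrases Panda prints, and the sample lines (copied from the logs posted in this thread) are this example's own.

```python
"""Triage a Panda ActiveScan log the way the helper above did by hand:
separate registry hits, tracking cookies, browser-cache files and
quarantine copies from the on-disk files that still need a delete-on-reboot
tool. Added example for this thread; it is not Panda's or Killbox's code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the Panda lines posted in this thread,
# plus one line from the rescan showing a file already moved to C:\!KillBox.
SAMPLE_LOG = r"""
Incident Status Location

Spyware:spyware/bridge Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\TOOLBAR
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Cookies\john@2o7[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.trafficmp.com/]
Virus:Trj/Downloader.AN Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\Z8PFBPCE\bridge[1].exe
Adware:Adware/Alexa-Toolbar Not disinfected C:\Documents and Settings\John\My Documents\cntdwnsetup.exe
Adware:Adware/BlazeFind Not disinfected C:\WINDOWS\bar.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\bi.inf
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\SYSTEM32\MSCStat2.exe
Adware:Adware/TalkStocks Not disinfected C:\WINDOWS\vpnpttpt.dll
Adware:Adware/BlazeFind Not disinfected C:\!KillBox\bar.exe
"""


@dataclass(frozen=True)
class Incident:
    category: str   # "Spyware", "Adware", "Virus", "Potentially unwanted tool"
    name: str       # "Cookie/2o7.net", "Adware/BlazeFind", ...
    status: str     # "Not disinfected" in every line of this thread
    location: str   # file path, "Windows Registry" or a registry key


# '<category>:<name> <status> <location>'. Category and name may contain
# spaces ("Potentially unwanted tool", "Cookie/Traffic Marketplace"), so the
# status phrase anchors the split. Assumption: only the two status phrases
# below exist; anything else is returned as unparsed rather than guessed at.
_LINE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<location>.+)$"
)

# Folder the rescan in this thread shows the deleted files in; the deletion
# list must not be rebuilt from these backup copies.
KILLBOX_BACKUP = "c:\\!killbox\\"


def parse_log(text):
    """Return (incidents, unparsed_lines) for one Panda log."""
    incidents, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = _LINE.match(line)
        if m:
            incidents.append(Incident(**m.groupdict()))
        else:
            unparsed.append(line)
    return incidents, unparsed


def classify(inc):
    """Bucket names are this example's own; they mirror the helper's steps,
    where registry hits, cookies and cache are handled by other tools."""
    low = inc.location.lower()
    if inc.location == "Windows Registry" or low.startswith("hkey_"):
        return "registry"
    if not re.match(r"^[a-z]:\\", low):
        return "other"
    if low.startswith(KILLBOX_BACKUP):
        return "quarantined"
    if inc.name.startswith("Cookie/") or "\\cookies\\" in low or "cookies.txt[" in low:
        return "cookie"
    if "\\temporary internet files\\" in low:
        return "browser-cache"
    return "file"


def triage(text):
    """Group parsed incidents by bucket; also return the lines not understood."""
    incidents, unparsed = parse_log(text)
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[classify(inc)].append(inc)
    return dict(buckets), unparsed


def file_deletion_list(text):
    """Paths a helper would paste into a delete-on-reboot tool: on-disk,
    non-cookie, non-cache incidents, deduplicated, in log order."""
    buckets, _ = triage(text)
    seen, paths = set(), []
    for inc in buckets.get("file", []):
        key = inc.location.lower()
        if key not in seen:
            seen.add(key)
            paths.append(inc.location)
    return paths


if __name__ == "__main__":
    buckets, unparsed = triage(SAMPLE_LOG)
    for bucket, items in sorted(buckets.items()):
        print(f"{bucket:14} {len(items)}")
    print("\n".join(file_deletion_list(SAMPLE_LOG)))
```

On the sample, the five `C:\WINDOWS` and `My Documents` paths come out as the deletion list, the `bridge[1].exe` copy in Temporary Internet Files lands in the browser-cache bucket (the cleaner's job), and the `C:\!KillBox\bar.exe` copy from the rescan is reported as quarantined rather than being queued for deletion a second time.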

#8 nakedyak

  • Topic Starter
  • Members
  • 48 posts

Posted 25 February 2006 - 05:57 PM

It's running well, but obviously, as the scan shows, there are still a few problems. Thanks for helping me so far!

Here's my latest scan:


Incident Status Location

Spyware:spyware/bridge Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\TOOLBAR
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.com.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.2o7.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[www.burstbeacon.com/]
Adware:Adware/BlazeFind Not disinfected C:\!KillBox\bar.exe
Spyware:Spyware/BetterInet Not disinfected C:\!KillBox\bi.inf
Adware:Adware/Alexa-Toolbar Not disinfected C:\!KillBox\cntdwnsetup.exe
Adware:Adware/WurldMedia Not disinfected C:\!KillBox\MSCStat2.exe
Adware:Adware/TalkStocks Not disinfected C:\!KillBox\vpnpttpt.dll
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Guest\Cookies\guest@data.coremetrics[2].txt
Spyware:Cookie/Gator Not disinfected C:\Documents and Settings\Guest\Cookies\guest@webpdp.gator[1].txt
Virus:Trj/Downloader.AN Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\Z8PFBPCE\bridge[1].exe
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\r1tkpaeo.default\cookies.txt[]

Edited by nakedyak, 26 February 2006 - 12:23 AM.


#9 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 26 February 2006 - 05:37 AM

Next...

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply (along with a fresh HijackThis log). :thumbsup:


#10 nakedyak

  • Topic Starter
  • Members
  • 48 posts

Posted 26 February 2006 - 06:36 PM

Here is the spysweeper log file:

********
1:26 PM: | Start of Session, Sunday, March 26, 2006 |
1:26 PM: Spy Sweeper started
1:26 PM: Sweep initiated using definitions version 621
1:26 PM: Starting Memory Sweep
1:30 PM: Memory Sweep Complete, Elapsed Time: 00:04:16
1:30 PM: Starting Registry Sweep
1:30 PM: Found Adware: comet cursor
1:30 PM: HKCR\interface\{930a2b79-855e-4a18-80bb-4c0595b40798}\ (8 subtraces) (ID = 106471)
1:30 PM: HKCR\interface\{e61a0304-c605-441f-bd57-2833b65a69f1}\ (8 subtraces) (ID = 106505)
1:30 PM: HKLM\software\classes\interface\{930a2b79-855e-4a18-80bb-4c0595b40798}\ (8 subtraces) (ID = 106652)
1:30 PM: HKLM\software\classes\interface\{e61a0304-c605-441f-bd57-2833b65a69f1}\ (8 subtraces) (ID = 106682)
1:30 PM: HKLM\software\classes\interface\{e61a0304-c605-441f-bd57-2833b65a69f1}\proxystubclsid32\ (1 subtraces) (ID = 106683)
1:30 PM: HKLM\software\classes\interface\{e61a0304-c605-441f-bd57-2833b65a69f1}\typelib\ (2 subtraces) (ID = 106684)
1:30 PM: HKLM\software\classes\typelib\{b87dd6fe-5819-4973-abca-487342b534fe}\ (9 subtraces) (ID = 106711)
1:30 PM: HKCR\typelib\{b87dd6fe-5819-4973-abca-487342b534fe}\ (9 subtraces) (ID = 106761)
1:30 PM: Found Adware: delfin
1:30 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\delfin media viewer\ (2 subtraces) (ID = 124859)
1:30 PM: Found Adware: freescratchandwin
1:30 PM: HKCR\clsid\{acc4dbff-71af-4227-a86d-8777429f56bd}\ (3 subtraces) (ID = 126647)
1:30 PM: HKCR\interface\{a35fba3e-fef9-41ca-9e30-0644d753d7a1}\ (8 subtraces) (ID = 126652)
1:30 PM: HKCR\interface\{f0eda326-b6e5-4c8e-a034-5a69d597b2f2}\ (8 subtraces) (ID = 126653)
1:30 PM: HKLM\software\classes\interface\{a35fba3e-fef9-41ca-9e30-0644d753d7a1}\ (8 subtraces) (ID = 126660)
1:30 PM: HKLM\software\classes\interface\{f0eda326-b6e5-4c8e-a034-5a69d597b2f2}\ (8 subtraces) (ID = 126661)
1:30 PM: Found Adware: 180search assistant/zango
1:30 PM: HKLM\software\180solutions\ (ID = 135618)
1:30 PM: Found Adware: websearch toolbar
1:30 PM: HKLM\software\microsoft\internet explorer\explorer bars\{850cd0b8-da33-4558-a8c8-95d7908e37a7}\ (1 subtraces) (ID = 146455)
1:30 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
1:30 PM: Found Adware: win favorites
1:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\win favorites\ (2 subtraces) (ID = 146981)
1:30 PM: HKLM\software\toolbar\ (1 subtraces) (ID = 646240)
1:30 PM: Found Adware: ezula ilookup
1:30 PM: HKCR\ezulaagent.webofferhbarobj\ (5 subtraces) (ID = 965767)
1:30 PM: HKCR\ezulaagent.webofferhbarobj.1\ (3 subtraces) (ID = 965773)
1:30 PM: HKCR\webofferbar.webofferbarobj\ (5 subtraces) (ID = 965777)
1:30 PM: HKCR\webofferbar.webofferbarobj.1\ (3 subtraces) (ID = 965783)
1:30 PM: HKCR\clsid\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (13 subtraces) (ID = 965787)
1:30 PM: HKCR\clsid\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (13 subtraces) (ID = 965801)
1:30 PM: HKLM\software\classes\ezulaagent.webofferhbarobj\ (5 subtraces) (ID = 965836)
1:30 PM: HKLM\software\classes\ezulaagent.webofferhbarobj.1\ (3 subtraces) (ID = 965842)
1:30 PM: HKLM\software\classes\webofferbar.webofferbarobj\ (5 subtraces) (ID = 965846)
1:30 PM: HKLM\software\classes\webofferbar.webofferbarobj.1\ (3 subtraces) (ID = 965852)
1:30 PM: HKLM\software\classes\clsid\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (13 subtraces) (ID = 965856)
1:30 PM: HKLM\software\classes\clsid\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (13 subtraces) (ID = 965870)
1:30 PM: Found Adware: marketscore
1:30 PM: HKCR\clsid\{cd1b7795-13bc-4a12-bf42-a52748971aa2}\ (20 subtraces) (ID = 1144173)
1:30 PM: HKCR\typelib\{fe844296-3c38-4b78-a272-87557622c953}\ (9 subtraces) (ID = 1144194)
1:30 PM: HKLM\software\classes\clsid\{cd1b7795-13bc-4a12-bf42-a52748971aa2}\ (20 subtraces) (ID = 1144222)
1:30 PM: HKLM\software\classes\typelib\{fe844296-3c38-4b78-a272-87557622c953}\ (9 subtraces) (ID = 1144226)
1:30 PM: HKCR\iceclientatl.surveyclientctl\ (5 subtraces) (ID = 1149340)
1:30 PM: HKCR\iceclientatl.surveyclientctl.1\ (3 subtraces) (ID = 1149346)
1:30 PM: HKLM\software\classes\iceclientatl.surveyclientctl\ (5 subtraces) (ID = 1149354)
1:30 PM: HKLM\software\classes\iceclientatl.surveyclientctl.1\ (3 subtraces) (ID = 1149360)
1:30 PM: Found System Monitor: windows keylogger
1:30 PM: HKCR\.pca\ (2 subtraces) (ID = 1179879)
1:30 PM: HKLM\software\classes\.pca\ (2 subtraces) (ID = 1179881)
1:30 PM: Found Adware: great net downloadware
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\downloadware\ (9 subtraces) (ID = 125353)
1:30 PM: Found Adware: ebates money maker
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\microsoft\internet explorer\extensions\cmdmapping\ || {7f241c00-dab6-11d5-aaa8-0001028df1bc} (ID = 125586)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\microsoft\internet explorer\extensions\{7f241c00-dab6-11d5-aaa8-0001028df1bc}\ (6 subtraces) (ID = 125588)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 125590)
1:30 PM: Found Adware: internetoptimizer
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\avenue media\ (5 subtraces) (ID = 128887)
1:30 PM: Found Adware: great net mediacharger
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\mediacharger\ (3 subtraces) (ID = 134901)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\msbb\ (12 subtraces) (ID = 135781)
1:30 PM: Found Adware: networkessentials
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\hopper\ (10 subtraces) (ID = 136157)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\updater\ (1 subtraces) (ID = 136178)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\btlink\ (4 subtraces) (ID = 146370)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\microsoft\internet explorer\menuext\power search\ (2 subtraces) (ID = 146458)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\msietslink\ (5 subtraces) (ID = 146512)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\wintools\ (13 subtraces) (ID = 146514)
1:30 PM: Found Adware: websearch.com hijacker
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
1:30 PM: Found Adware: xupiter toolbar
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\xupiter\ (ID = 147735)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\wintools\ (13 subtraces) (ID = 646241)
1:30 PM: HKU\WRSS_Profile_S-1-5-21-2771580065-3134616843-1333191943-501\software\downloadware\ (9 subtraces) (ID = 775210)
1:31 PM: HKU\S-1-5-21-2771580065-3134616843-1333191943-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
1:31 PM: Found Adware: cws-aboutblank
1:31 PM: HKU\S-1-5-21-2771580065-3134616843-1333191943-1006\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
1:31 PM: HKU\S-1-5-21-2771580065-3134616843-1333191943-1006\software\delfin\ (2 subtraces) (ID = 124848)
1:31 PM: HKU\S-1-5-21-2771580065-3134616843-1333191943-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {8a05273a-2ea5-42de-aa75-59ea7d9d50d7} (ID = 146463)
1:31 PM: HKU\S-1-5-21-2771580065-3134616843-1333191943-1006\software\winfavorites\ (1 subtraces) (ID = 146979)
1:31 PM: HKU\S-1-5-21-2771580065-3134616843-1333191943-1006\software\microsoft\internet explorer\explorer bars\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (1 subtraces) (ID = 965834)
1:31 PM: Registry Sweep Complete, Elapsed Time:00:00:37
1:31 PM: Starting Cookie Sweep
1:31 PM: Found Spy Cookie: coremetrics cookie
1:31 PM: guest@data.coremetrics[2].txt (ID = 2472)
1:31 PM: Found Spy Cookie: gator cookie
1:31 PM: guest@webpdp.gator[1].txt (ID = 2723)
1:31 PM: Found Spy Cookie: 2o7.net cookie
1:31 PM: john@2o7[1].txt (ID = 1957)
1:31 PM: Found Spy Cookie: atwola cookie
1:31 PM: john@ar.atwola[2].txt (ID = 2256)
1:31 PM: john@atwola[1].txt (ID = 2255)
1:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:31 PM: Starting File Sweep
1:31 PM: Found Adware: directrevenue-abetterinternet
1:31 PM: bi.inf (ID = 83179)
1:32 PM: Found Adware: wild media - statblaster
1:32 PM: msview.ini (ID = 77091)
1:35 PM: Found Adware: dialerplatform
1:35 PM: sportsinteraction.ico (ID = 58328)
1:42 PM: Found Adware: ipinsight
1:42 PM: ipinsigt.inf (ID = 64282)
1:44 PM: a0109699.inf (ID = 83179)
1:48 PM: Found Adware: commonname
1:48 PM: cnbabeie.exe (ID = 53748)
1:58 PM: Found Adware: tgdc ie plugin
1:58 PM: tgfile.txt (ID = 78356)
2:00 PM: a0106350.ini (ID = 77091)
2:00 PM: Found Adware: blazefind
2:00 PM: bar.exe (ID = 51391)
2:01 PM: a0106349.exe (ID = 83177)
2:10 PM: a0109698.exe (ID = 51391)
2:10 PM: a0105323.exe (ID = 235981)
2:10 PM: mfex-1.dat (ID = 235980)
2:12 PM: a0105288.exe (ID = 159065)
2:12 PM: rlls.dll (ID = 235980)
2:15 PM: cemetrix.dll (ID = 243051)
2:16 PM: default.inf (ID = 53773)
2:16 PM: Found Adware: ezsearchbar
2:16 PM: sentry.inf (ID = 60358)
2:16 PM: tgsrch.txt (ID = 78357)
2:16 PM: Found Adware: browsertoolbar
2:16 PM: browsertoolbarloader.inf (ID = 51977)
2:17 PM: msvini.inf (ID = 77093)
2:17 PM: activeinstall.inf (ID = 69337)
2:18 PM: Warning: Invalid file - not a PKZip file
2:20 PM: Warning: Invalid Stream
2:20 PM: Warning: Invalid Stream
2:21 PM: File Sweep Complete, Elapsed Time: 00:50:15
2:21 PM: Full Sweep has completed. Elapsed time 00:55:13
2:21 PM: Traces Found: 447
6:33 PM: Removal process initiated
6:33 PM: Quarantining All Traces: 180search assistant/zango
6:33 PM: Quarantining All Traces: cws-aboutblank
6:33 PM: Quarantining All Traces: directrevenue-abetterinternet
6:33 PM: Quarantining All Traces: websearch toolbar
6:33 PM: Quarantining All Traces: windows keylogger
6:33 PM: Quarantining All Traces: blazefind
6:33 PM: Quarantining All Traces: comet cursor
6:33 PM: Quarantining All Traces: commonname
6:33 PM: Quarantining All Traces: delfin
6:33 PM: Quarantining All Traces: freescratchandwin
6:33 PM: Quarantining All Traces: internetoptimizer
6:33 PM: Quarantining All Traces: marketscore
6:34 PM: Quarantining All Traces: tgdc ie plugin
6:34 PM: Quarantining All Traces: xupiter toolbar
6:34 PM: Quarantining All Traces: browsertoolbar
6:34 PM: Quarantining All Traces: dialerplatform
6:34 PM: Quarantining All Traces: ebates money maker
6:34 PM: Quarantining All Traces: ezsearchbar
6:34 PM: Quarantining All Traces: ezula ilookup
6:34 PM: Quarantining All Traces: great net downloadware
6:34 PM: Quarantining All Traces: great net mediacharger
6:34 PM: Quarantining All Traces: ipinsight
6:34 PM: Quarantining All Traces: networkessentials
6:34 PM: Quarantining All Traces: websearch.com hijacker
6:34 PM: Quarantining All Traces: wild media - statblaster
6:34 PM: Quarantining All Traces: win favorites
6:34 PM: Quarantining All Traces: 2o7.net cookie
6:34 PM: Quarantining All Traces: atwola cookie
6:34 PM: Quarantining All Traces: coremetrics cookie
6:34 PM: Quarantining All Traces: gator cookie
6:34 PM: Removal process completed. Elapsed time 00:01:10
********
1:24 PM: | Start of Session, Sunday, March 26, 2006 |
1:24 PM: Spy Sweeper started
1:24 PM: Your spyware definitions have been updated.
1:26 PM: | End of Session, Sunday, March 26, 2006 |


Here is the Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:22 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\John\Desktop\help programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy3.cedarville.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.cedarville.edu;<local>
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aurigma Image Uploader 2.0 - http://www.appleprints.com/PhotoSite/AddPi...geUploader2.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:19 AM

Posted 27 February 2006 - 12:01 AM

Any problems at the moment? :thumbsup:
Hi there, stranger!

#12 nakedyak

nakedyak
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 27 February 2006 - 12:09 PM

It seems to be running fine.

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:19 AM

Posted 27 February 2006 - 01:23 PM

You're welcome :thumbsup:

==

Read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
Hi there, stranger!
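As an added example (not code from this thread or from the MVPS project), the Python sketch below shows how a HOSTS-file blocklist of the kind recommended above takes effect: the resolver consults the hosts file before DNS, so a name pinned to 127.0.0.1 never leaves the machine, while an unlisted name falls through to normal DNS lookup. The hosts content and the `.invalid` names are constructed for illustration.

```python
"""Added example: how a hosts-file blocklist (e.g. the MVPS file) blackholes ad
and tracker names. Sample data below is constructed, not the real MVPS file."""
from typing import Dict, Optional

# Constructed sample in Windows hosts-file format: '#' starts a comment, each
# entry is one address followed by one or more names, names are case-insensitive.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed blocklist entries
127.0.0.1  ads.example.invalid  banners.example.invalid   # trailing comment
0.0.0.0    tracker.example.invalid
   127.0.0.1   popups.example.invalid
10.9.8.7   ads.example.invalid     # later duplicate: ignored, first match wins
"""

# Addresses that point a name back at the local machine (the "blackhole" targets).
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each lowercased hostname to its address, keeping the first entry
    for a name the way the resolver applies the file."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue                             # blank or comment-only line
        fields = line.split()
        if len(fields) < 2:
            continue                             # malformed: address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve_via_hosts(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Address the hosts file gives for this name, or None meaning
    'not listed, fall through to DNS'."""
    return table.get(hostname.lower().rstrip("."))


def is_blackholed(hostname: str, table: Dict[str, str]) -> bool:
    """True when the hosts file pins this name to the local machine, so the
    browser can never reach the real site."""
    return resolve_via_hosts(hostname, table) in BLACKHOLE


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ADS.example.invalid", "tracker.example.invalid", "www.example.invalid"):
        print(name, "->", resolve_via_hosts(name, hosts) or "DNS lookup")
```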

#14 nakedyak

nakedyak
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 28 February 2006 - 12:24 PM

Thanks for the help. I might make a new thread for my girlfriend's laptop just to have you look at her logs and see if there is anything wrong. Also for another friend's computer

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:19 AM

Posted 28 February 2006 - 12:37 PM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!



