
Hijack This Log: Please Help Diagnose


  • This topic is locked
4 replies to this topic

#1 rodney528

Posted 03 March 2006 - 07:52 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:45:29 PM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\program files\mailskinner\mailskinner.exe
C:\Program Files\Common Files\AOL\1129990942\ee\AOLHostManager.exe
C:\Program Files\Yahoo!\Pager\ymsgr_tray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\AOL\1129990942\ee\AOLServiceHost.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1129990942\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tykestot\Local Settings\Temporary Internet Files\Content.IE5\URQJUP6Z\hijackthis[1]\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129990942\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Pager\ypager.exe" -quiet
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Startup: HP Updates.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp...02/cpbrkpie.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 pskelley (Staff Emeritus)

Posted 04 March 2006 - 08:49 AM

Hello and welcome to the forum. If you still need help, this looks like your trojan, but you have other junk also: http://secunia.com/virus_information/13933/win32.muquest.a/

Let's do this and in the posted order.

1) You are running HJT from a Temporary Internet Files folder, and that is not safe, as we will have no backups if needed. I prefer C:\HJT\HijackThis.exe. If you need more instructions, use these: http://russelltexas.com/malware/createhjtfolder.htm
Do this before you proceed.

2) ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Start > Control Panel > Add/Remove Programs, and uninstall mailskinner and anything you see that you know does not belong there.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(the R1/R0 lines are optional, but that is not helping your browser to run faster; I left the MSN Start Page)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp...02/cpbrkpie.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Right-click on Start, then click on Explore. Locate and delete these items:

C:\program files\mailskinner\ >>> folder

C:\WINDOWS\system32\requester.10.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ and review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
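
The triage pskelley does by eye above (HJT running out of Temporary Internet Files, the [requester] autorun pointing at an odd name in system32, the two DPF cabs from scripts.downloadv3.com) can be written down as a handful of mechanical rules over the HijackThis line format. The Python below is an added example, not part of this thread and not HijackThis code. It runs over a constructed subset of the log posted above (lines copied verbatim), and its allowlists KNOWN_SYSTEM_RUN and DPF_ALLOWED_DOMAINS are illustrative assumptions, not an authoritative list. Its O23 rule also surfaces the ScsiAccess service, which the thread does not discuss: "Unknown owner" only means the service binary carries no company name, so that hit is a lead to verify against a known-file database, not a verdict.

```python
"""Rule-based triage of HijackThis v1.99 log lines.

Added example, not part of this thread or of HijackThis. The allowlists
are illustrative assumptions; a real run would check every hit against a
known-file database before deciding anything.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed subset of the log posted above (lines copied verbatim).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\tykestot\Local Settings\Temporary Internet Files\Content.IE5\URQJUP6Z\hijackthis[1]\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# Assumed allowlists (not authoritative): Windows binaries that legitimately
# autorun from the system directory, and hosts trusted to serve ActiveX cabs.
KNOWN_SYSTEM_RUN = {"dumprep", "systray.exe", "ctfmon.exe"}
DPF_ALLOWED_DOMAINS = ("microsoft.com", "msn.com", "windowsupdate.com")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")
TEMP_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\windows\\temp\\")

RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<src>\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str     # which heuristic fired
    subject: str  # the path, host or service name it fired on
    line: str     # the original log line


def _exe_from_command(cmd: str) -> str:
    """Return the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _host_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DPF_ALLOWED_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Apply the four rules to every line of a HijackThis log."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:               # a blank line ends the process list
                in_processes = False
                continue
            if any(marker in line.lower() for marker in TEMP_MARKERS):
                findings.append(Finding("process-in-temp-dir", line, line))
            continue
        if m := RUN_RE.match(line):
            exe = _exe_from_command(m["cmd"])
            low = exe.lower()
            if low.startswith(SYSTEM_DIRS) and low.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM_RUN:
                findings.append(Finding("unlisted-system32-autorun", exe, line))
        elif m := DPF_RE.match(line):
            host = urlparse(m["src"]).hostname   # None for local DLL sources
            if host and not _host_allowed(host):
                findings.append(Finding("dpf-unlisted-host", host, line))
        elif m := SVC_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("service-unknown-owner", m["name"], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.subject}")
```

The rules are deliberately narrow (autoruns from the system directory, remote DPF hosts, services without a company name, binaries executing from temporary locations) so that the ordinary Program Files clutter in a log like this one is not flagged; everything the script reports is still a lead for a person to confirm, not an instruction to delete.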

#3 rodney528 (Topic Starter)


Posted 04 March 2006 - 05:33 PM

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:11:12 PM, 3/4/2006
+ Report-Checksum: 271A5163

+ Scan result:

[332] VM_10001000 -> Adware.NaviPromo : Ignored
[356] VM_10001000 -> Adware.NaviPromo : Ignored
C:\WINDOWS\SYSTEM32\winlocatorhelper.dll -> Adware.WinLocator : Ignored
C:\WINDOWS\SYSTEM32\EGDHTML_1030.dll -> Downloader.Wintrim.y : Ignored
C:\WINDOWS\SYSTEM32\winlocator.dll -> Adware.WinLocator : Ignored
C:\WINDOWS\SYSTEM32\dhtmlexe.exe -> Trojan.Dialer.eg : Ignored
C:\WINDOWS\SYSTEM32\ia.dll -> Dialer.IA : Ignored
C:\WINDOWS\SYSTEM32\syswbsvc32.dll -> Dialer.InstantAccess.e : Ignored
HKLM\SOFTWARE\Classes\AdultBar.AdultBar -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultBar.AdultBar\CLSID -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultBar.AdultBar\CurVer -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultBar.AdultBar.1 -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch\CLSID -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch\CurVer -> Adware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch.1 -> Adware.Adultlinks : Cleaned with backup
[400] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[412] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[560] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[604] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[660] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[744] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[812] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[972] VM_01731000 -> Adware.NaviPromo : Error during cleaning
[1048] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1088] VM_01AC1000 -> Adware.NaviPromo : Error during cleaning
[1156] VM_00C31000 -> Adware.NaviPromo : Error during cleaning
[1168] VM_00F01000 -> Adware.NaviPromo : Error during cleaning
[1192] VM_01221000 -> Adware.NaviPromo : Error during cleaning
[1256] VM_012F1000 -> Adware.NaviPromo : Error during cleaning
[1268] VM_00D91000 -> Adware.NaviPromo : Error during cleaning
[1364] VM_02E01000 -> Adware.NaviPromo : Error during cleaning
[1384] VM_00D81000 -> Adware.NaviPromo : Error during cleaning
[1632] VM_01AB1000 -> Adware.NaviPromo : Error during cleaning
[1664] VM_00FC1000 -> Adware.NaviPromo : Error during cleaning
[1892] VM_011D1000 -> Adware.NaviPromo : Error during cleaning
[2248] VM_00D01000 -> Adware.NaviPromo : Error during cleaning
[1184] VM_03421000 -> Adware.NaviPromo : Error during cleaning
C:\WINDOWS\SYSTEM32\sysinetsvc32.dll -> Dialer.InstantAccess.e : Cleaned with backup
C:\WINDOWS\TEMP\RemB033.exe -> Downloader.Swizzor.n : Cleaned with backup
C:\WINDOWS\TEMP\Rem2272.exe -> Downloader.Swizzor.n : Cleaned with backup
C:\WINDOWS\TEMP\Rem51F5.exe -> Downloader.Swizzor.n : Cleaned with backup
C:\WINDOWS\TEMP\Rem7200.exe -> Downloader.Swizzor.n : Cleaned with backup
C:\WINDOWS\TEMP\Rem9184.exe -> Downloader.Swizzor.n : Cleaned with backup
C:\WINDOWS\TEMP\Rem1181.exe -> Downloader.Swizzor.n : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
C:\WINDOWS\updatewinlocator.exe -> Adware.WinLocator : Cleaned with backup
C:\Program Files\Livestream\Livestream.exe -> Trojan.Dialer.eg : Cleaned with backup
C:\Program Files\Encompass\EncDial.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Documents and Settings\tykestot\Local Settings\Temp\113261.exe -> Dialer.Salc : Cleaned with backup
C:\Documents and Settings\tykestot\Local Settings\Temp\Instant-Access.exe -> Trojan.Dialer.eg : Cleaned with backup
C:\Documents and Settings\tykestot\Local Settings\Temporary Internet Files\Content.IE5\2ZJ5BK4P\syswbsvc32_EN_XP[1].cab/syswbsvc32.dll -> Dialer.InstantAccess.e : Error during cleaning
C:\Documents and Settings\tykestot\Local Settings\Temporary Internet Files\Content.IE5\W9Q74LA7\capyb.trulynudemodels[1] -> Trojan.KarmaHotel.e : Cleaned with backup
C:\Documents and Settings\tykestot\Desktop\hijackthis\backup-20040329-170357-617.dll -> Trojan.P2E.h : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@programs.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@programs.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@www.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@free.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@free.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@programs.wegcash[3].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@srch.lop[2].txt -> TrackingCookie.Lop : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@oxcash[2].txt -> TrackingCookie.Oxcash : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoghdpcfpqmdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkikoc5idowydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyohazogqqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliggdzologydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@starware[3].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@newyorkcasino[1].txt -> TrackingCookie.Newyorkcasino : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@banner.newyorkcasino[2].txt -> TrackingCookie.Newyorkcasino : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@northwestairlines.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@sonymediasoftware.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@banner.newyorkcasino[1].txt -> TrackingCookie.Newyorkcasino : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@goldenpalace[2].txt -> TrackingCookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@newyorkcasino[2].txt -> TrackingCookie.Newyorkcasino : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@goldenpalace[3].txt -> TrackingCookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tykestot\Cookies\tykestot@stats1.reliablestats[3].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP288\A0027684.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP289\A0027701.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP289\A0027715.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP275\A0027236.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP276\A0027254.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP276\A0027264.exe -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP276\A0027265.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP282\A0027420.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP283\A0027438.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP284\A0027458.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP284\A0027472.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP285\A0027484.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP285\A0027492.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP290\A0027734.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP290\A0027746.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP291\A0027765.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP292\A0027781.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP293\A0027798.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP294\A0027820.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP296\A0027907.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP296\A0027924.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP297\A0027940.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP298\A0027958.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP299\A0027984.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP299\A0028000.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP299\A0028012.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP302\A0028065.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP303\A0028086.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP303\A0028101.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP304\A0028286.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP304\A0028298.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP273\A0027173.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP273\A0027189.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP278\A0027285.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP278\A0027302.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP278\A0027315.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP279\A0027333.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP280\A0027364.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP281\A0027387.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP281\A0027401.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP286\A0027511.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP286\A0027527.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP286\A0027541.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP287\A0027640.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP287\A0027654.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP287\A0027668.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP300\A0028030.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP301\A0028047.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{1FF9F1AE-BB67-4F26-9804-4D2F3622D3C1}\RP274\A0027214.dll -> Adware.NaviPromo : Cleaned with backup


::Report End
Logfile of HijackThis v1.99.1
Scan saved at 5:31:43 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\qdsbfp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Yahoo!\Pager\ymsgr_tray.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [qdsbfp] c:\windows\system32\qdsbfp.exe qdsbfp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Pager\ypager.exe" -quiet
O4 - Startup: HP Updates.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 04 March 2006 - 06:25 PM

Where did you get the mailskinner program? I hope you did not install it on purpose:

MailSkinner is suspected of installing EGDACCESS, and Msclock32.dll is part of EGDACCESS.

If it has installed this junk we can't see it and it is going to be hard to get rid of. We also have a trojan showing in the log that was not there before. We may have our work cut out for us with this one. I need to suggest you stay offline unless absolutely necessary until we clean this up. You can see the problem issues also in the ewido scan, the stuff it could not remove. I want to see what will happen in safe mode; also, another expert has told me that updated Ad-aware may remove the Adware.NaviPromo. I would like you to try this:

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.
DO NOT RUN THEM YET.

2) Use these instructions to start the computer in safe mode: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

3) Now run Spybot first, then Ad-aware, and remove anything they locate.

4) Now run ewido and remove everything it locates unless you know it is not bad. I must see that scan report.

5) Still in safe mode, Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [qdsbfp] c:\windows\system32\qdsbfp.exe qdsbfp

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Navigate to this file and delete it: C:\windows\system32\qdsbfp.exe >>> file

Empty the recycle bin and restart the computer. Post the ewido scan results and a new HJT log, and any comments you have.

I need to say your system restore files are loaded with corruption, please do not use system restore for any reason until we clean it later. All of the junk will get back on your computer.

Thanks

Edited by pskelley, 04 March 2006 - 06:27 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
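The three things the reply above picks out of the log (an O4 Run entry for a random-looking system32 executable, the O23 service HijackThis labels "Unknown owner", and a process running from system32 with no visible launch point) are the kind of thing a parser can flag mechanically. The script below is an added triage example written for this page; it is not code from BleepingComputer, HijackThis or either poster. It parses the "Running processes", O4 Run and O23 sections of a HijackThis v1.99.1 log and applies simple scoring rules. The sample lines are copied from the log posted above (the rest of that log is left out); the rules themselves, the core-process list and the expansion of %systemroot% to C:\WINDOWS are assumptions. A hit is something to look at, not a verdict.

```python
"""Triage helper for HijackThis v1.99 log lines. Added example for this thread, not
code from BleepingComputer, HijackThis or the posters; the rules are heuristics."""
import ntpath
import re
from dataclasses import dataclass

# Lines copied from the log posted above (the rest of that log is omitted here).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system32\qdsbfp.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [qdsbfp] c:\windows\system32\qdsbfp.exe qdsbfp
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Assumptions: XP-default %systemroot%, and a short list of core processes that are
# expected in system32 without any autorun entry of their own.
SYSTEM32 = "c:\\windows\\system32\\"
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer", "spoolsv"}
VOWELS = set("aeiouy")

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def normalize(path):
    """Lower-case a Windows path and expand %systemroot% so entries can be compared."""
    return path.strip().lower().replace("%systemroot%", "c:\\windows")

def stem_of(norm_path):
    return ntpath.splitext(ntpath.basename(norm_path))[0]

def split_command(cmd):
    """Split an O4 command into (executable path, arguments); handles quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()

def parse(log_text):
    """Collect running processes, O4 Run entries and O23 services from the log."""
    procs, runs, svcs = [], [], []
    in_procs = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m["key"], m["cmd"], line))
            continue
        m = SVC_RE.match(line)
        if m:
            svcs.append((m["owner"], m["path"], line))
    return procs, runs, svcs

def triage(log_text):
    procs, runs, svcs = parse(log_text)
    findings, referenced = [], set()
    for key, cmd, line in runs:
        path, args = split_command(cmd)
        norm = normalize(path)
        referenced.add(norm)
        stem = stem_of(norm)
        signals = []
        if norm.startswith(SYSTEM32):
            signals.append("runs from system32")
        if key.lower() == stem and args.lower().split()[:1] == [stem]:
            signals.append("key name, file name and argument are the same token")
        if len(stem) >= 5 and not VOWELS & set(stem):
            signals.append("name has no vowels")
        if len(signals) >= 2:     # one signal alone is common for legitimate entries
            findings.append(Finding("O4", "; ".join(signals), line))
    for owner, path, line in svcs:
        referenced.add(normalize(path))
        if owner.lower() == "unknown owner":   # HJT found no publisher name for the binary
            findings.append(Finding("O23", "service binary has no publisher name", line))
    for proc in procs:
        norm = normalize(proc)
        if norm.startswith(SYSTEM32) and stem_of(norm) not in CORE_PROCESSES and norm not in referenced:
            findings.append(Finding("process", "system32 process with no O4/O23 entry in this log", proc))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.reason}\n         {f.line}")
```

Run against the sample it reports exactly the three items discussed in the thread: the qdsbfp Run entry, the ScsiAccess service, and mrtMngr.EXE as a system32 process that nothing in the pasted sections launches. The dumprep entry is not reported because a system32 location by itself is normal; the `"quoted path" -args` form used by most vendors is handled by split_command so that the argument check does not misfire on them.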

#5 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 17 March 2006 - 09:53 AM

No response since Mar 4 2006, 06:25 PM; this topic is closed. :thumbsup:

Thanks...pskelley