HijackThis Log


15 replies to this topic

#1 corllja
Posted 10 November 2006 - 03:34 PM

Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:21:19 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdirs.com/?aff=1020
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdirs.com/?aff=1020
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/?aff=1020
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O1 - Hosts: ing.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: ns.com
O1 - Hosts: ns.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ions.com
O1 - Hosts: ions.com
O1 - Hosts: tions.com
O1 - Hosts: tions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: lutions.com
O1 - Hosts: lutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: solutions.com
O1 - Hosts: solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: earchweb2.com
O1 - Hosts: earchweb2.com
O1 - Hosts: 127
O1 - Hosts: w.zestyfind.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: 127.0.0.
O1 - Hosts: om
O1 - Hosts: 12
O1 - Hosts: om
O1 - Hosts: 2.com
O1 - Hosts: web2.com
O1 - Hosts: rchweb2.com
O1 - Hosts: 127.0.0
O1 - Hosts: earchweb2.com
O1 - Hosts: 127.0yahoo.3721.com
O1 - Hosts: 127.0
O1 - Hosts: 127.0.0
O1 - Hosts: 127.0.0
O1 - Hosts: 1.xml.411web.com
O1 - Hosts: 1
O1 - Hosts: 127.
O1 - Hosts: 127.
O1 - Hosts: om
O1 - Hosts: 2.com
O1 - Hosts: web2.com
O1 - Hosts: rchweb2.com
O1 - Hosts: 127.
O1 - Hosts: earchweb2.com
O1 - Hosts: 127.0.0.ailcash.com
O1 - Hosts: 127.0.0.
O1 - Hosts: w.searchweb2.com
O1 - Hosts: 1
O1 - Hosts: 127.0.0.feroptimizer.com
O1 - Hosts: 127.0.0.
O1 - Hosts: 127.0offeroptimizer.com
O1 - Hosts: 127.0
O1 - Hosts: m
O1 - Hosts: 127.0.offeroptimizer.com
O1 - Hosts: 127.0.
O1 - Hosts: m
O1 - Hosts: 127.0..offeroptimizer.com
O1 - Hosts: 127.0.
O1 - Hosts: com
O1 - Hosts: 1
O1 - Hosts: .com
O1 - Hosts: m
O1 - Hosts: 2.com
O1 - Hosts: com
O1 - Hosts: eb2.com
O1 - Hosts: .com
O1 - Hosts: chweb2.com
O1 - Hosts: 127.0.www1.iwon.com
O1 - Hosts: 127.0.
O1 - Hosts: ar.com
O1 - Hosts: archweb2.com
O1 - Hosts: 127.0.0olbar.com
O1 - Hosts: 127.0.0
O1 - Hosts: lbar.com
O1 - Hosts: 127.0.0.com
O1 - Hosts: 127.0.0.
O1 - Hosts: oolbar.com
O1 - Hosts: w.searchweb2.com
O1 - Hosts: chtoolbar.com
O1 - Hosts: ww.searchweb2.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: m
O1 - Hosts: nitedvending.net
O1 - Hosts: m
O1 - Hosts: -tech.com
O1 - Hosts: om
O1 - Hosts: com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C12FF2E5-B17D-260A-984F-CCEE57891CFA} - C:\WINDOWS\system32\hbunzoxl.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKLM\..\Run: [Copyright ?? 2003 Reflex Publishing, Inc. All rights reserved. tampa.com is a trademark of Reflex Publishing, Inc.] c:\WINDOWS\System32\Copyright ?? 2003 Reflex Publishing, Inc. All rights reserved. tampa.com is a trademark of Reflex Publishing, Inc.<br>
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [*vbdoc] C:\WINDOWS\Speech\vbdoc.exe
O4 - HKLM\..\Run: [*ftpcab] C:\WINDOWS\security\Database\ftpcab.exe
O4 - HKLM\..\Run: [*catmsvc] C:\WINDOWS\security\catmsvc.exe
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=computing laptops&chnl=1&t=r&pb=1090">computing laptops</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=computing laptops&chnl=1&t=r&pb=1090">computing laptops</a></font></center>
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<a href="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.c] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=o] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ margin:0] c:\WINDOWS\System32\ margin:0px;
O4 - HKLM\..\Run: [ padding:0] c:\WINDOWS\System32\ padding:0px;
O4 - HKLM\..\Run: [ text-align: cent] c:\WINDOWS\System32\ text-align: center;
O4 - HKLM\..\Run: [ font-family: arial, helvetica, sans ser] c:\WINDOWS\System32\ font-family: arial, helvetica, sans serif;
O4 - HKLM\..\Run: [ font-size: 12] c:\WINDOWS\System32\ font-size: 12px;
O4 - HKLM\..\Run: [ color: #0000] c:\WINDOWS\System32\ color: #000000;
O4 - HKLM\..\Run: [ font-weight: norm] c:\WINDOWS\System32\ font-weight: normal;
O4 - HKLM\..\Run: [a:link { color: #0000CC; text-decoration: underlin] c:\WINDOWS\System32\a:link { color: #0000CC; text-decoration: underline; }
O4 - HKLM\..\Run: [a:visited { color: #0000CC; text-decoration: underlin] c:\WINDOWS\System32\a:visited { color: #0000CC; text-decoration: underline; }
O4 - HKLM\..\Run: [#search] c:\WINDOWS\System32\#searchbox
O4 - HKLM\..\Run: [ width:184] c:\WINDOWS\System32\ width:184px;
O4 - HKLM\..\Run: [ height:4] c:\WINDOWS\System32\ height:45px;
O4 - HKLM\..\Run: [ padding-left:5] c:\WINDOWS\System32\ padding-left:5px;
O4 - HKLM\..\Run: [#relatedsear] c:\WINDOWS\System32\#relatedsearches
O4 - HKLM\..\Run: [ padding-top:1] c:\WINDOWS\System32\ padding-top:12px;
O4 - HKLM\..\Run: [ padding-left:] c:\WINDOWS\System32\ padding-left:6px;
O4 - HKLM\..\Run: [ padding-bottom:1] c:\WINDOWS\System32\ padding-bottom:12px;
O4 - HKLM\..\Run: [ background-color:#e5e] c:\WINDOWS\System32\ background-color:#e5e9f2;
O4 - HKLM\..\Run: [ border-left: #000000 1px sol] c:\WINDOWS\System32\ border-left: #000000 1px solid;
O4 - HKLM\..\Run: [ border-right: #000000 1px sol] c:\WINDOWS\System32\ border-right: #000000 1px solid;
O4 - HKLM\..\Run: [ border-bottom: #000000 1px so] c:\WINDOWS\System32\ border-bottom: #000000 1px solid;
O4 - HKLM\..\Run: [.related { color: #000077; font-weight: bol] c:\WINDOWS\System32\.related { color: #000077; font-weight: bold; }
O4 - HKLM\..\Run: [ padding-top:] c:\WINDOWS\System32\ padding-top:4px;
O4 - HKLM\..\Run: [#container { background-color:#FFFFFF; margin: 10px auto; padding: 10px; width:760px; text-align: le] c:\WINDOWS\System32\#container { background-color:#FFFFFF; margin: 10px auto; padding: 10px; width:760px; text-align: left;}
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ p
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ {
O4 - HKLM\..\Run: [ font-size: 1] c:\WINDOWS\System32\ font-size: 12px;
O4 - HKLM\..\Run: [ font-family: arial, helvetica, sans se] c:\WINDOWS\System32\ font-family: arial, helvetica, sans serif;
O4 - HKLM\..\Run: [ color: #000] c:\WINDOWS\System32\ color: #000000;
O4 - HKLM\..\Run: [ font-weight: nor] c:\WINDOWS\System32\ font-weight: normal;
O4 - HKLM\..\Run: [ .dom] c:\WINDOWS\System32\ .domain
O4 - HKLM\..\Run: [ font-size: 2] c:\WINDOWS\System32\ font-size: 22px;
O4 - HKLM\..\Run: [ font-weight: b] c:\WINDOWS\System32\ font-weight: bold;
O4 - HKLM\..\Run: [ .cour] c:\WINDOWS\System32\ .courtesy
O4 - HKLM\..\Run: [ font-family: arial,helvetica,sanse] c:\WINDOWS\System32\ font-family: arial,helvetica,sanserif;
O4 - HKLM\..\Run: [ line-height: 1] c:\WINDOWS\System32\ line-height: 14px;
O4 - HKLM\..\Run: [ font-weight:nor] c:\WINDOWS\System32\ font-weight:normal;
O4 - HKLM\..\Run: [ .se] c:\WINDOWS\System32\ .search
O4 - HKLM\..\Run: [ font-family: arial,helvet] c:\WINDOWS\System32\ font-family: arial,helvetica;
O4 - HKLM\..\Run: [ .domp] c:\WINDOWS\System32\ .domprice
O4 - HKLM\..\Run: [ line-height:1] c:\WINDOWS\System32\ line-height:18px;
O4 - HKLM\..\Run: [ a.tlds_bgDk:] c:\WINDOWS\System32\ a.tlds_bgDk:link
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <ul>
O4 - HKLM\..\Run: [ text-decoration:underl] c:\WINDOWS\System32\ text-decoration:underline;
O4 - HKLM\..\Run: [ .copyr] c:\WINDOWS\System32\ .copyright
O4 - HKLM\..\Run: [ .rel] c:\WINDOWS\System32\ .related
O4 - HKLM\..\Run: [ .relse] c:\WINDOWS\System32\ .relsearch
O4 - HKLM\..\Run: [ color: #0B0] c:\WINDOWS\System32\ color: #0B0085;
O4 - HKLM\..\Run: [ text-decoration: underl] c:\WINDOWS\System32\ text-decoration: underline;
O4 - HKLM\..\Run: [ .checkp] c:\WINDOWS\System32\ .checkprice
O4 - HKLM\..\Run: [ .li] c:\WINDOWS\System32\ .linkhd
O4 - HKLM\..\Run: [ .sponsor] c:\WINDOWS\System32\ .sponsorinfo
O4 - HKLM\..\Run: [ .sponso] c:\WINDOWS\System32\ .sponsorurl
O4 - HKLM\..\Run: [ color: #006] c:\WINDOWS\System32\ color: #006600;
O4 - HKLM\..\Run: [ text-decoration: n] c:\WINDOWS\System32\ text-decoration: none;
O4 - HKLM\..\Run: [ .expi] c:\WINDOWS\System32\ .expired
O4 - HKLM\..\Run: [ a:] c:\WINDOWS\System32\ a:link
O4 - HKLM\..\Run: [ a:vis] c:\WINDOWS\System32\ a:visited
O4 - HKLM\..\Run: [ a:h] c:\WINDOWS\System32\ a:hover
O4 - HKLM\..\Run: [ cursor: h] c:\WINDOWS\System32\ cursor: hand;
O4 - HKLM\..\Run: [ a:ac] c:\WINDOWS\System32\ a:active
O4 - HKLM\..\Run: [<title> Welcome to beneditutti.com</ti] c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>
O4 - HKLM\..\Run: [<meta NAME="description" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="description" CONTENT="beneditutti.com">
O4 - HKLM\..\Run: [<meta NAME="keywords" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="keywords" CONTENT="beneditutti.com">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Expires" CONTENT="] c:\WINDOWS\System32\<META HTTP-EQUIV="Expires" CONTENT="-1">
O4 - HKLM\..\Run: [<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099] c:\WINDOWS\System32\<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">
O4 - HKLM\..\Run: [<a href="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">Click here to enter<] c:\WINDOWS\System32\<a href="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- trafficclub.com] c:\WINDOWS\System32\<!-- trafficclub.com -->
O4 - HKLM\..\Run: [<!-- exec: 0.0468451976776] c:\WINDOWS\System32\<!-- exec: 0.0468451976776 -->
O4 - HKLM\..\Run: [<!-- domain: beneditutti.com] c:\WINDOWS\System32\<!-- domain: beneditutti.com -->
O4 - HKLM\..\Run: [<!-- ip: 67.186.21.78] c:\WINDOWS\System32\<!-- ip: 67.186.21.78 -->
O4 - HKLM\..\Run: [<!-- fingerprint: b466f654419feaf72f7396bb187ec864] c:\WINDOWS\System32\<!-- fingerprint: b466f654419feaf72f7396bb187ec864 -->
O4 - HKLM\..\Run: [<!-- country: US] c:\WINDOWS\System32\<!-- country: US -->
O4 - HKLM\..\Run: [<!-- service: 12] c:\WINDOWS\System32\<!-- service: 12 -->
O4 - HKLM\..\Run: [<!-- rand: 100/100] c:\WINDOWS\System32\<!-- rand: 100/100 -->
O4 - HKLM\..\Run: [<!-- count: 1/0] c:\WINDOWS\System32\<!-- count: 1/0 -->
O4 - HKLM\..\Run: [<!-- ] c:\WINDOWS\System32\<!-- -->
O4 - HKLM\..\Run: [<!-- exec: 0.044420003891] c:\WINDOWS\System32\<!-- exec: 0.044420003891 -->
O4 - HKLM\..\Run: [<!-- fingerprint: ] c:\WINDOWS\System32\<!-- fingerprint: -->
O4 - HKLM\..\Run: [<!-- rand: 34/100] c:\WINDOWS\System32\<!-- rand: 34/100 -->
O4 - HKLM\..\Run: [<!-- COOKIE OVERRIDE : 12] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 12 -->
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.c] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">Click here to enter<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- exec: 0.0439901351929] c:\WINDOWS\System32\<!-- exec: 0.0439901351929 -->
O4 - HKLM\..\Run: [<!-- service: 6] c:\WINDOWS\System32\<!-- service: 6 -->
O4 - HKLM\..\Run: [<!-- rand: 82/100] c:\WINDOWS\System32\<!-- rand: 82/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0345540046692] c:\WINDOWS\System32\<!-- exec: 0.0345540046692 -->
O4 - HKLM\..\Run: [<!-- rand: 95/100] c:\WINDOWS\System32\<!-- rand: 95/100 -->
O4 - HKLM\..\Run: [<!-- COOKIE OVERRIDE : 6] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 6 -->
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.c] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">Click here to enter<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- exec: 0.0676300525665] c:\WINDOWS\System32\<!-- exec: 0.0676300525665 -->
O4 - HKLM\..\Run: [<!-- service: 1] c:\WINDOWS\System32\<!-- service: 1 -->
O4 - HKLM\..\Run: [<!-- rand: 6/100] c:\WINDOWS\System32\<!-- rand: 6/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0330901145935] c:\WINDOWS\System32\<!-- exec: 0.0330901145935 -->
O4 - HKLM\..\Run: [<!-- rand: 83/100] c:\WINDOWS\System32\<!-- rand: 83/100 -->
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.186.21.78&hl=] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.186.21.78&hl=en">
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.186.21.78&hl=en">Click here to enter<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.186.21.78&hl=en">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- exec: 0.038477897644] c:\WINDOWS\System32\<!-- exec: 0.038477897644 -->
O4 - HKLM\..\Run: [<!-- service: 2] c:\WINDOWS\System32\<!-- service: 2 -->
O4 - HKLM\..\Run: [<!-- rand: 55/100] c:\WINDOWS\System32\<!-- rand: 55/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0570690631866] c:\WINDOWS\System32\<!-- exec: 0.0570690631866 -->
O4 - HKLM\..\Run: [<!-- rand: 33/100] c:\WINDOWS\System32\<!-- rand: 33/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0335528850555] c:\WINDOWS\System32\<!-- exec: 0.0335528850555 -->
O4 - HKLM\..\Run: [<!-- rand: 56/100] c:\WINDOWS\System32\<!-- rand: 56/100 -->
O4 - HKLM\..\Run: [<!-- COOKIE OVERRIDE : 1] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->
O4 - HKLM\..\Run: [<!-- exec: 20.7493550777] c:\WINDOWS\System32\<!-- exec: 20.7493550777 -->
O4 - HKLM\..\Run: [<!-- rand: 12/100] c:\WINDOWS\System32\<!-- rand: 12/100 -->
O4 - HKLM\..\Run: [<!-- exec: 15.0407881737] c:\WINDOWS\System32\<!-- exec: 15.0407881737 -->
O4 - HKLM\..\Run: [<!-- rand: 76/100] c:\WINDOWS\System32\<!-- rand: 76/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0449440479279] c:\WINDOWS\System32\<!-- exec: 0.0449440479279 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0912301540375] c:\WINDOWS\System32\<!-- exec: 0.0912301540375 -->
O4 - HKLM\..\Run: [<!-- rand: 53/100] c:\WINDOWS\System32\<!-- rand: 53/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.0342428684235] c:\WINDOWS\System32\<!-- exec: 0.0342428684235 -->
O4 - HKLM\..\Run: [<!-- rand: 52/100] c:\WINDOWS\System32\<!-- rand: 52/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10171008110046] c:\WINDOWS\System32\<!-- exec: 0.10171008110046 -->
O4 - HKLM\..\Run: [<!-- OK] c:\WINDOWS\System32\<!-- OK -->
O4 - HKLM\..\Run: [<!-- exec: 0.10559892654419] c:\WINDOWS\System32\<!-- exec: 0.10559892654419 -->
O4 - HKLM\..\Run: [<!-- rand: 80/100] c:\WINDOWS\System32\<!-- rand: 80/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10434198379517] c:\WINDOWS\System32\<!-- exec: 0.10434198379517 -->
O4 - HKLM\..\Run: [<!-- rand: 28/100] c:\WINDOWS\System32\<!-- rand: 28/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10022377967834] c:\WINDOWS\System32\<!-- exec: 0.10022377967834 -->
O4 - HKLM\..\Run: [<!-- rand: 47/100] c:\WINDOWS\System32\<!-- rand: 47/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10236501693726] c:\WINDOWS\System32\<!-- exec: 0.10236501693726 -->
O4 - HKLM\..\Run: [<!-- rand: 7/100] c:\WINDOWS\System32\<!-- rand: 7/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10020303726196] c:\WINDOWS\System32\<!-- exec: 0.10020303726196 -->
O4 - HKLM\..\Run: [<!-- rand: 35/100] c:\WINDOWS\System32\<!-- rand: 35/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10652709007263] c:\WINDOWS\System32\<!-- exec: 0.10652709007263 -->
O4 - HKLM\..\Run: [<!-- rand: 78/100] c:\WINDOWS\System32\<!-- rand: 78/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10585618019104] c:\WINDOWS\System32\<!-- exec: 0.10585618019104 -->
O4 - HKLM\..\Run: [<!-- rand: 87/100] c:\WINDOWS\System32\<!-- rand: 87/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10145711898804] c:\WINDOWS\System32\<!-- exec: 0.10145711898804 -->
O4 - HKLM\..\Run: [<!-- rand: 92/100] c:\WINDOWS\System32\<!-- rand: 92/100 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10100793838501] c:\WINDOWS\System32\<!-- exec: 0.10100793838501 -->
O4 - HKLM\..\Run: [<!-- rand: 43/100] c:\WINDOWS\System32\<!-- rand: 43/100 -->
O4 - HKLM\..\Run: [<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d] c:\WINDOWS\System32\<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
O4 - HKLM\..\Run: [<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="] c:\WINDOWS\System32\<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
O4 - HKLM\..\Run: [ <meta http-equiv="content-type" content="text/html; charset=iso-8859-] c:\WINDOWS\System32\ <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
O4 - HKLM\..\Run: [ <title>Comcast.net</ti] c:\WINDOWS\System32\ <title>Comcast.net</title>
O4 - HKLM\..\Run: [ <link rel="stylesheet" href="images/wg.css" type="text/css" media="screen,prin] c:\WINDOWS\System32\ <link rel="stylesheet" href="images/wg.css" type="text/css" media="screen,print"/>
O4 - HKLM\..\Run: [<body id="comcastn] c:\WINDOWS\System32\<body id="comcastnet">
O4 - HKLM\..\Run: [<!-- Start Container] c:\WINDOWS\System32\<!-- Start Container -->
O4 - HKLM\..\Run: [<div id="contain] c:\WINDOWS\System32\<div id="container">
O4 - HKLM\..\Run: [ <!-- Start Header] c:\WINDOWS\System32\ <!-- Start Header -->
O4 - HKLM\..\Run: [ <div id="head] c:\WINDOWS\System32\ <div id="header">
O4 - HKLM\..\Run: [ <h1><a href="http://www.comcast.net/" title="Home" accesskey="0"><span>Comcast</span></a><] c:\WINDOWS\System32\ <h1><a href="http://www.comcast.net/" title="Home" accesskey="0"><span>Comcast</span></a></h1>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ <div id="conte] c:\WINDOWS\System32\ <div id="content">
O4 - HKLM\..\Run: [ <!-- START CONTENT (content goes here)] c:\WINDOWS\System32\ <!-- START CONTENT (content goes here) -->
O4 - HKLM\..\Run: [ <h2 id="h-welcome">Welcome to Comcast High Speed Internet, The fast and easy way to get online<] c:\WINDOWS\System32\ <h2 id="h-welcome">Welcome to Comcast High Speed Internet, The fast and easy way to get online</h2>
O4 - HKLM\..\Run: [ <p>This installation process will take just a few minutes to complete. You will be required to provide<br/> ] c:\WINDOWS\System32\ <p>This installation process will take just a few minutes to complete. You will be required to provide<br/> your
O4 - HKLM\..\Run: [ account information to complete registration.] c:\WINDOWS\System32\ account information to complete registration.</p>
O4 - HKLM\..\Run: [ <div id="column-contain] c:\WINDOWS\System32\ <div id="column-container">
O4 - HKLM\..\Run: [ <div id="col1-wrapp] c:\WINDOWS\System32\ <div id="col1-wrapper">
O4 - HKLM\..\Run: [ <h3>New Customers<] c:\WINDOWS\System32\ <h3>New Customers</h3>
O4 - HKLM\..\Run: [ <img class="thumbnail" src="images/thumbnails/new_customers.jpg" alt="New Customer] c:\WINDOWS\System32\ <img class="thumbnail" src="images/thumbnails/new_customers.jpg" alt="New Customers"/>
O4 - HKLM\..\Run: [ <p class="last">You will need to activate your account and create your Comcast.net email address] c:\WINDOWS\System32\ <p class="last">You will need to activate your account and create your Comcast.net email address and
O4 - HKLM\..\Run: [ password. To continue, please follow the installation instructions.] c:\WINDOWS\System32\ password. To continue, please follow the installation instructions.</p>
O4 - HKLM\..\Run: [ <div class="clear"></] c:\WINDOWS\System32\ <div class="clear"></div>
O4 - HKLM\..\Run: [ <p>Click the "Download" button below to download the Comcast installation software and begin] c:\WINDOWS\System32\ <p>Click the "Download" button below to download the Comcast installation software and begin the
O4 - HKLM\..\Run: [ installation process for new customers.] c:\WINDOWS\System32\ installation process for new customers.</p>
O4 - HKLM\..\Run: [ <p class="last"><em>Note:</em> Please temporarily disable any firewall, anti-virus and po] c:\WINDOWS\System32\ <p class="last"><em>Note:</em> Please temporarily disable any firewall, anti-virus and pop-up
O4 - HKLM\..\Run: [ blocking software currently running on your computer before running the installation soft] c:\WINDOWS\System32\ blocking software currently running on your computer before running the installation software
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ </p>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ <div id="col2-wrapp] c:\WINDOWS\System32\ <div id="col2-wrapper">
O4 - HKLM\..\Run: [ <div id="co] c:\WINDOWS\System32\ <div id="col2">
O4 - HKLM\..\Run: [ <h3>Existing Customers<] c:\WINDOWS\System32\ <h3>Existing Customers</h3>
O4 - HKLM\..\Run: [ <img class="thumbnail" src="images/thumbnails/existing_customers.jpg" alt="Existing Customer] c:\WINDOWS\System32\ <img class="thumbnail" src="images/thumbnails/existing_customers.jpg" alt="Existing Customers"/>
O4 - HKLM\..\Run: [ <p class="last">If you have a Comcast.net email address and password, please follow the installa] c:\WINDOWS\System32\ <p class="last">If you have a Comcast.net email address and password, please follow the installation
O4 - HKLM\..\Run: [ instructions.] c:\WINDOWS\System32\ instructions.</p>
O4 - HKLM\..\Run: [ <h4>Installation Instructions<] c:\WINDOWS\System32\ <h4>Installation Instructions</h4>
O4 - HKLM\..\Run: [ installation process for existing customers.] c:\WINDOWS\System32\ installation process for existing customers.</p>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ <div class="clear"></] c:\WINDOWS\System32\ <div class="clear"></div>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ <div id="button-contain] c:\WINDOWS\System32\ <div id="button-container">
O4 - HKLM\..\Run: [ <!-- <p class="buttons"><a href="http://cdn/downloadable_install_wizard.exe"><img src="images/buttons/downloadinstallation.gif" alt="Download Installation Software" /></a></p>] c:\WINDOWS\System32\ <!-- <p class="buttons"><a href="http://cdn/downloadable_install_wizard.exe"><img src="images/buttons/downloadinstallation.gif" alt="Download Installation Software" /></a></p> -->
O4 - HKLM\..\Run: [ <!-- END CONTENT] c:\WINDOWS\System32\ <!-- END CONTENT -->
O4 - HKLM\..\Run: [ <div id="foot] c:\WINDOWS\System32\ <div id="footer">
O4 - HKLM\..\Run: [ <li id="copyright"><a href="http://www.comcast.com/" rel="external">&copy; <sc] c:\WINDOWS\System32\ <li id="copyright"><a href="http://www.comcast.com/" rel="external">&copy; <script
O4 - HKLM\..\Run: [ Communications, LLC. All rights reserved.</a><] c:\WINDOWS\System32\ Communications, LLC. All rights reserved.</a></li>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </ul>
O4 - HKLM\..\Run: [</] c:\WINDOWS\System32\</div>
O4 - HKLM\..\Run: [<!-- End Container] c:\WINDOWS\System32\<!-- End Container -->
O4 - HKLM\..\Run: [<script type="text/javascri] c:\WINDOWS\System32\<script type="text/javascript">
O4 - HKLM\..\Run: [ if ((navigator.appVersion.indexOf("Win") == -1) && (navigator.appVersion.indexOf("Mac") == -1] c:\WINDOWS\System32\ if ((navigator.appVersion.indexOf("Win") == -1) && (navigator.appVersion.indexOf("Mac") == -1)) {
O4 - HKLM\..\Run: [ document.getElementById("content").innerHTML = "<h3>Your operating system is not supported by Comcast's Installation Wizard. Please call 1-800-COMCAST to setup your account.</h] c:\WINDOWS\System32\ document.getElementById("content").innerHTML = "<h3>Your operating system is not supported by Comcast's Installation Wizard. Please call 1-800-COMCAST to setup your account.</h3>";
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ if (navigator.appVersion.indexOf("Mac") != -] c:\WINDOWS\System32\ if (navigator.appVersion.indexOf("Mac") != -1) {
O4 - HKLM\..\Run: [ downloadFile = "ComcastInstaller.h] c:\WINDOWS\System32\ downloadFile = "ComcastInstaller.hqx";
O4 - HKLM\..\Run: [ el] c:\WINDOWS\System32\ else {
O4 - HKLM\..\Run: [ downloadFile = "downloadable_install_wizard.e] c:\WINDOWS\System32\ downloadFile = "downloadable_install_wizard.exe";
O4 - HKLM\..\Run: [ document.getElementById("button-container").innerHTML = "<p class=\"buttons\"><a href=\"http://cdn] c:\WINDOWS\System32\ document.getElementById("button-container").innerHTML = "<p class=\"buttons\"><a href=\"http://cdn/" +
O4 - HKLM\..\Run: [ downloadFi] c:\WINDOWS\System32\ downloadFile +
O4 - HKLM\..\Run: [ "\"><img src=\"images/buttons/downloadinstallation.gif\" alt=\"Download Installation Software\" /></a></] c:\WINDOWS\System32\ "\"><img src=\"images/buttons/downloadinstallation.gif\" alt=\"Download Installation Software\" /></a></p>";
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.171.78.51&hl=] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.171.78.51&hl=en">
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.171.78.51&hl=en">Click here to enter<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=67.171.78.51&hl=en">Click here to enter</a>.
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Copyright ?? 2003 Reflex Publishing, Inc. All rights reserved. tampa.com is a trademark of Reflex Publishing, Inc.] c:\WINDOWS\System32\Copyright ?? 2003 Reflex Publishing, Inc. All rights reserved. tampa.com is a trademark of Reflex Publishing, Inc.<br>
O4 - HKCU\..\Run: [document.write ('<ifr


#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:47 AM

Posted 10 November 2006 - 04:36 PM

Hi there :thumbsup:

That is one strange looking log. Any idea where you might have picked up this infection?

Much of your log got cut off. Can I get you to upload it here please:

http://www.uploadmalware.com

fill in your forum name, link to this thread.
click on the "browse" button beside the first field for files to upload.
Look for your hijackthis.log and press "open".

Press "submit" to upload the file.

I'll be notified when I get it.

thanks :flowers:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#3 corllja

corllja
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 11 November 2006 - 10:13 AM

I'm not sure as to where or how this infection was contracted. I'm attempting to repair my girlfriend's PC for her...

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:47 AM

Posted 11 November 2006 - 10:35 AM

Hi again,

thanks for the log.

Can I also get you to upload these files:

C:\WINDOWS\Speech\vbdoc.exe
C:\WINDOWS\security\Database\ftpcab.exe
C:\WINDOWS\security\catmsvc.exe
C:\WINDOWS\system32\llass.exe
C:\Program Files\Network\ipnetwork.exe

to http://www.uploadmalware.com please.
They will all go in 1 page ok.

Then I need to see uninstall list please:

Start hijackthis
Click "open misc tools section"
Click "open uninstall manager"
Click "save list..."
Save the list someplace & post it here.

I see you have both Norton & AVG installed. Is norton expired?

I'll be back in a bit with some fixin to do.

Thanks :thumbsup:

#5 corllja

corllja
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 11 November 2006 - 11:14 AM

Here's the uninstall list that you requested:

Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Adobe Photoshop CS
America Online (Choose which version to remove)
AOL Instant Messenger
ArcSoft PhotoImpression 3.0
AVG Free Edition
Belkin 54g USB Network Adapter
buddylinks Messaging Integration
Conexant HSF V92 56K Data Fax PCI Modem
DelFin Media Viewer
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dolet Light for Finale
Easy CD Creator 5 Basic
Enhanced MediaLoads
EPSON Copy Utility
EPSON Online Reference Guide
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN FB
Finale 2003
Finale NotePad 2003
Finale NotePad 2005a
HijackThis 1.99.1
Intel® 845G Chipset Graphics Driver Software
iPod for Windows 2006-03-23
iPod Updater 2004-08-06
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
Kazaa Lite K++ v2.4.3
Kazaa Media Desktop 2.1
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.12.6
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash Player 8
MediaLoads
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Professional
Microsoft Picture It! Photo 2002
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MUSICMATCH® Jukebox
Nimo Codecs Pack v5.0 (Remove Only)
Norton AntiVirus 2003 Professional Edition
Norton WMI Update
Paint Shop Pro 7
PhoneTools
PRO200WL
PSD Tools ChannelUp v1.0 (remove only)
QuickTime
RealOne Player
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Shockwave
Snood for Windows version 3.01-W
Spybot - Search & Destroy 1.4
Unreal
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Media Player
Win Favorites
Winamp3 (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPcap 3.0
Yahoo! Photos Easy Upload Tool 1v2

#6 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:47 AM

Posted 11 November 2006 - 11:36 AM

I'm baaaaack :thumbsup:

Please go to add/remove programs and uninstall the following:

buddylinks Messaging Integration
Enhanced MediaLoads
MediaLoads
PSD Tools ChannelUp v1.0 (remove only)
Win Favorites


I also suggest uninstalling the following programs.
They will bring you malware and are dangerous to use. You have no idea who you download from with p2p programs.

If you have mp3s or whatever in your shared folders, better move them because uninstalling these programs may delete those folders.

Kazaa Lite K++ v2.4.3
Kazaa Media Desktop 2.1
LimeWire 4.12.6

Reboot once done.

Print these instructions or save them to a notepad file. You will not have access to this page in safe mode.

Attached to my post is a file called fixme.zip
Please download it and unzip it to your desktop.
You should have file called fixme.reg and it should look like a set of blue blocks.
Do not run it yet.

This attachment is specifically for this computer. If anyone else tries to run it it may damage your system!!

Once you have downloaded the attachment I will remove it from my post.

Next........

Download the FixVundo.exe file from: http://securityresponse.symantec.com/avcenter/FixVundo.exe
Save the file to a convenient location, such as your Windows desktop.
Disconnect the computer from the network and the Internet.
Start the computer in SAFE mode. (Tap F8 as the computer is booting up, just after the BIOS screen but before the Windows loading screen, then choose "safe mode" from the list with the arrow keys and hit enter.)

log into the normal user account. NOT admin.

Locate the file that you just downloaded.
Double-click the FixVundo.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run till done.

Restart the computer back to SAFE mode.
Run the removal tool again to ensure that the system is clean.
While still in safe mode...
Double click fixme.reg you downloaded earlier and say yes to the prompt.
You should get success message.

While still in safe mode...
Click start> run> type cmd.exe and hit enter.
Type in this command and hit enter.

del c:\windows\system32\drivers\etc\hosts

Exit the cmd window.

Open Hijackthis
Run system scan and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdirs.com/?aff=1020
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdirs.com/?aff=1020
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/?aff=1020
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020
O2 - BHO: (no name) - {C12FF2E5-B17D-260A-984F-CCEE57891CFA} - C:\WINDOWS\system32\hbunzoxl.dll (file missing)
R3 - Default URLSearchHook is missing


Close all other open windows and click "Fix checked". OK the prompt.

At lower right of hijackthis click "Config"
Click "Misc tools" at top.
Click "host file manager"

When you get the prompt telling you "Hosts file does not exist. Would you like hijackthis to create one?"

Say OK/Yes.

Exit hijackthis and reboot.

Reconnect to the internet and post:

Log from FixVundo (should be on your desktop called FixVundo.txt)
New hijackthis log (it should fit here now)--Leave Hijackthis open for next log.

Click "config" at lower right of hijackthis
Click "misc tools"
Beside "Generate startuplist log" check both:
"Show also minor sections (full)"
"Show empty sections (complete)"

click "Generate startuplist log" and say OK.

Post results.

It may take 2 posts to fit the 3 logs.

Let me know how things are running.

There will be more to do.

Thanks :flowers:

Edited by Blender, 12 November 2006 - 03:08 PM.

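Blender's checklist above rests on recognising a handful of patterns in the log: R0/R1 entries pointing the browser's search settings at an unexpected host, an O2 BHO whose DLL is missing, O4 autostart values that hold HTML rather than a program path, a RunServices executable named one letter away from lsass.exe, and O1 hosts entries that are not even well-formed names. The script below is an added example (not part of this thread and not HijackThis code) that applies those checks to log lines copied from the thread; the EXPECTED_HOSTS allow-list, the CORE_PROCESSES list and the rules themselves are its own assumptions.

```python
"""Triage HijackThis v1.99 log lines for the patterns discussed in this thread.

Added example: the allow-lists and rules are assumptions of this script,
not rules built into HijackThis. Sample lines are copied from the thread.
"""
import re
from urllib.parse import urlparse

# Hosts the browser legitimately pointed at in the posted clean log (assumed allow-list).
EXPECTED_HOSTS = {"www.comcast.net", "www.dellnet.com", "online.comcast.net"}

# Core Windows processes that malware commonly imitates with near-miss names.
CORE_PROCESSES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

# Syntax-only check for a hosts-file name: labels separated by dots, no leading dot.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False  # identical names are not lookalikes; >1 length diff is >1 edit
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(b) > len(a):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits <= 1


def triage_line(line: str) -> list:
    """Return the findings for one HijackThis log line (empty list if nothing notable)."""
    findings = []
    m = re.match(r"^(O\d+|R\d) - (.*)$", line.strip())
    if not m:
        return findings
    section, body = m.groups()

    if section in ("R0", "R1"):
        # "...Main,Search Bar = http://host/..." : compare the URL host to the allow-list
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        host = urlparse(url).hostname if url else None
        if host and host.lower() not in EXPECTED_HOSTS:
            findings.append(f"{section}: search/start page points at unexpected host {host}")
    elif section == "O2" and "(file missing)" in body:
        findings.append("O2: BHO still registered but its DLL is missing (leftover entry)")
    elif section == "O4":
        if "<" in body or "-->" in body:
            findings.append("O4: Run value contains HTML markup, not a program path")
        exe = re.search(r"([\w~-]+\.exe)", body, re.I)
        if exe:
            name = exe.group(1).lower()
            for core in sorted(CORE_PROCESSES):
                if edit_distance_le1(name, core):
                    findings.append(f"O4: autostart '{name}' is one edit away from system process '{core}'")
    elif section == "O1":
        entry = body.replace("Hosts:", "", 1).strip()
        if not HOSTNAME_RE.match(entry):
            findings.append(f"O1: malformed hosts entry '{entry}' (hosts file is corrupted)")
    return findings


def triage_log(lines) -> dict:
    """Map each flagged log line to its list of findings."""
    return {ln: f for ln in lines if (f := triage_line(ln))}


# Lines copied from the logs in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdirs.com/?aff=1020",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/",
    r"O2 - BHO: (no name) - {C12FF2E5-B17D-260A-984F-CCEE57891CFA} - C:\WINDOWS\system32\hbunzoxl.dll (file missing)",
    r"O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [<!-- rand: 79/100] c:\WINDOWS\System32\<!-- rand: 79/100 -->",
    r"O1 - Hosts: 127.0.0.",
    r"O1 - Hosts: ing.com",
]

if __name__ == "__main__":
    for ln, findings in triage_log(SAMPLE_LOG).items():
        print(ln)
        for f in findings:
            print("   ->", f)
```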

#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:47 AM

Posted 12 November 2006 - 02:57 AM

corllja; doing OK?

#8 corllja

corllja
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 12 November 2006 - 04:08 AM

Sorry man... I've been busy all day, school's kicking my ass! I'm going to proceed with your recommended steps now.... SORRY FOR THE WAIT MAN!!

#9 corllja

corllja
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 12 November 2006 - 01:02 PM

Okay, so I've scanned the PC twice in safe mode with FixVundo.exe. Both times the search has come back with no results...how should I proceed?

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:47 AM

Posted 12 November 2006 - 03:07 PM

Hi there, sorry for my delay.
I'm still rebuilding my main system that blew up on me the other day

FixVundo found nothing eh? Possible the files were not present and just had left-overs in your log.

Go ahead and post the logs I asked for please.

Since Symantec's tool didn't find any Vundo there will not be much to log.
Just the hijackthis & startuplist should be good for now.

How is the system running by the way?

Thanks :thumbsup:

#11 corllja

corllja
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 14 November 2006 - 01:20 PM

Once again I apologize, I haven't been here at my girlfriend's house in a while...

So, I booted the computer in safe mode and logged in as the regular user. I was unable to delete the hosts file. It just gave me an "access denied" message. I then rebooted in safe mode yet again and logged in as Admin, thinking maybe the privilege would help; once again I was denied.

I did however seem to have success deleting all the files via hijackthis, except for all those O1's that is. Here's my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:17 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: ing.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: ns.com
O1 - Hosts: ns.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ions.com
O1 - Hosts: ions.com
O1 - Hosts: tions.com
O1 - Hosts: tions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: lutions.com
O1 - Hosts: lutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: solutions.com
O1 - Hosts: solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: earchweb2.com
O1 - Hosts: earchweb2.com
O1 - Hosts: 127
O1 - Hosts: w.zestyfind.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: 127.0.0.
O1 - Hosts: om
O1 - Hosts: 12
O1 - Hosts: om
O1 - Hosts: 2.com
O1 - Hosts: web2.com
O1 - Hosts: rchweb2.com
O1 - Hosts: 127.0.0
O1 - Hosts: earchweb2.com
O1 - Hosts: 127.0yahoo.3721.com
O1 - Hosts: 127.0
O1 - Hosts: 127.0.0
O1 - Hosts: 127.0.0
O1 - Hosts: 1.xml.411web.com
O1 - Hosts: 1
O1 - Hosts: 127.
O1 - Hosts: 127.
O1 - Hosts: om
O1 - Hosts: 2.com
O1 - Hosts: web2.com
O1 - Hosts: rchweb2.com
O1 - Hosts: 127.
O1 - Hosts: earchweb2.com
O1 - Hosts: 127.0.0.ailcash.com
O1 - Hosts: 127.0.0.
O1 - Hosts: w.searchweb2.com
O1 - Hosts: 1
O1 - Hosts: 127.0.0.feroptimizer.com
O1 - Hosts: 127.0.0.
O1 - Hosts: 127.0offeroptimizer.com
O1 - Hosts: 127.0
O1 - Hosts: m
O1 - Hosts: 127.0.offeroptimizer.com
O1 - Hosts: 127.0.
O1 - Hosts: m
O1 - Hosts: 127.0..offeroptimizer.com
O1 - Hosts: 127.0.
O1 - Hosts: com
O1 - Hosts: 1
O1 - Hosts: .com
O1 - Hosts: m
O1 - Hosts: 2.com
O1 - Hosts: com
O1 - Hosts: eb2.com
O1 - Hosts: .com
O1 - Hosts: chweb2.com
O1 - Hosts: 127.0.www1.iwon.com
O1 - Hosts: 127.0.
O1 - Hosts: ar.com
O1 - Hosts: archweb2.com
O1 - Hosts: 127.0.0olbar.com
O1 - Hosts: 127.0.0
O1 - Hosts: lbar.com
O1 - Hosts: 127.0.0.com
O1 - Hosts: 127.0.0.
O1 - Hosts: oolbar.com
O1 - Hosts: w.searchweb2.com
O1 - Hosts: chtoolbar.com
O1 - Hosts: ww.searchweb2.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: m
O1 - Hosts: nitedvending.net
O1 - Hosts: m
O1 - Hosts: -tech.com
O1 - Hosts: om
O1 - Hosts: com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/12468b19ed2c26efe121/...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_2us.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

To answer your question, the system has been running much better since I started working on it. Her computer was disgusting: every time she would load a new page, a System32 window would pop up, and it was so slow! My Athlon 660 was like 5X faster than her Pentium 1.2!

#12 corllja (Topic Starter, Members, 29 posts)

Posted 14 November 2006 - 01:56 PM

Update:

So, I tried again and was able to delete the hosts file. Here is a revised log file:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/12468b19ed2c26efe121/...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_2us.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#13 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

    I will eat your Malware

Posted 17 November 2006 - 03:33 AM

Hi;

Sorry for the delay. I got caught up in other work stuff.

Log sure does look a lot better! Good work! :thumbsup:

You were able to replace the hosts file OK with hijackthis?

Question...

You have 2 antivirus installed. Is Norton expired?
If Norton is expired I suggest uninstalling it.
You can do this in add/remove programs.
There will be a few components to remove.
Uninstall in the following order please.

1.) Norton AntiVirus 2003 Professional Edition
2.) LiveReg (Symantec Corporation)
3.) LiveUpdate 2.5 (Symantec Corporation)

It will take a few reboots to get it all done.

Few things to fix with Hijackthis.

Start hijackthis.
Run system scan only and check the following items:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/12468b19ed2c26efe121/...ip/RdxIE601.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab


Once checked, close ALL open windows and click "fix checked".

Exit Hijackthis and reboot.

Please post a new hijackthis log and let me know how things are running.

There will be some more work to do.

Thanks :flowers:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
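The entries Blender singles out above (a hosts file full of unparseable lines, an O16 control pulled from a bare IP address, O9/O23 entries whose file is missing, an svchost.exe registered outside system32) are the kind of thing a helper eyeballs in every HijackThis log. The script below is an added example, not code from BleepingComputer or from the HijackThis project: it parses log lines in the 1.99.x format shown in this thread and applies those heuristics. The sample log inside it is constructed (all-zero GUIDs, example.com names, addresses from the reserved 192.0.2.0/24 block) and the severity labels are my own reading of how such entries are usually judged, not a HijackThis feature.

```python
"""Triage heuristics for HijackThis 1.99-style log lines (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis format; not the poster's log.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 ads.example.net
O1 - Hosts: 192.0.2.44 www.example.com
O1 - Hosts: om
O9 - Extra button: Weather - {00000000-0000-0000-0000-000000000009} - C:\Program Files\Example\Weather.exe (file missing) (HKCU)
O16 - DPF: {00000000-0000-0000-0000-000000000016} - http://192.0.2.10/ctl/Installer.cab
O16 - DPF: {00000000-0000-0000-0000-000000000017} (Example Viewer) - http://www.example.com/download/viewer.cab
O23 - Service: Example DDE (ExDDE) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Example Updater (ExUpd) - Example Corp. - C:\Program Files\Example\updater.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag: O1, O16, O23, ...
    severity: str  # "fix" (hijack indicator), "cleanup" (orphan), "review", "info"
    reason: str
    line: str


# Targets that only block a name instead of redirecting it.
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
DPF_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}(?: \((.*?)\))? - (\S+)$")
SVC_RE = re.compile(r"^(?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _ip_or_none(text):
    try:
        return ip_address(text)
    except ValueError:
        return None


def triage_hosts(rest, line):
    """O1: a hosts entry is '<ip> <name>'; anything else came from a damaged file."""
    parts = rest.split()
    if len(parts) < 2 or _ip_or_none(parts[0]) is None:
        return Finding("O1", "review", "not parseable as '<ip> <hostname>'; inspect the hosts file directly", line)
    ip, host = parts[0], parts[1]
    if ip in BLOCKING_TARGETS:
        if host.lower() == "localhost":
            return None  # the default Windows entry
        return Finding("O1", "info", f"{host} blocked (points to {ip}); typical of ad-blocking hosts lists", line)
    # Any other address sends the name somewhere foreign: the classic hosts hijack.
    return Finding("O1", "fix", f"{host} redirected to {ip}", line)


def triage_dpf(rest, line):
    """O16: ActiveX controls IE was told to download; judge by where they come from."""
    m = DPF_RE.match(rest)
    if not m:
        return Finding("O16", "review", "unrecognised O16 layout", line)
    name, url = m.groups()
    host = urlparse(url).hostname or ""
    if _ip_or_none(host) is not None:
        return Finding("O16", "fix", f"control fetched from a bare IP address ({host})", line)
    if name is None:
        return Finding("O16", "review", f"unnamed control from {host}; confirm it is wanted", line)
    return None


def triage_service(rest, line):
    """O23: installed services; a misplaced svchost.exe or a vanished binary stands out."""
    m = SVC_RE.match(rest)
    if not m:
        return Finding("O23", "review", "unrecognised O23 layout", line)
    owner, path = m.group("owner"), m.group("path").lower()
    if "svchost.exe" in path and "\\system32\\svchost.exe" not in path:
        return Finding("O23", "fix", "svchost.exe registered outside \\WINDOWS\\system32, where the genuine copy lives", line)
    if "(file missing)" in path:
        return Finding("O23", "cleanup", "service binary no longer exists; orphaned registration", line)
    if owner == "Unknown owner":
        return Finding("O23", "review", "no publisher recorded; confirm the binary is expected", line)
    return None


def triage_line(line):
    """Route one log line to the heuristic for its section; None means nothing to say."""
    line = line.strip()
    section, sep, rest = line.partition(" - ")
    if not sep:
        return None
    if section == "O1" and rest.startswith("Hosts: "):
        return triage_hosts(rest[len("Hosts: "):], line)
    if section == "O16" and rest.startswith("DPF: "):
        return triage_dpf(rest[len("DPF: "):], line)
    if section == "O23" and rest.startswith("Service: "):
        return triage_service(rest[len("Service: "):], line)
    # Any other section: an entry whose target file is gone is dead weight.
    if "(file missing)" in rest or rest.endswith("(no file)"):
        return Finding(section, "cleanup", "entry points at a file that no longer exists", line)
    return None


def triage(log_text):
    """Return the findings for a whole log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.section:4} {f.reason}\n          {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The O1 rule is the one that matters most for this thread: a hosts line that cannot even be split into an address and a name is the signature of a damaged hosts file, which is why replacing the whole file (as was done here) beats fixing entries one at a time.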

#14 corllja (Topic Starter, Members, 29 posts)

Posted 20 November 2006 - 08:38 AM

I did replace the hosts file with HijackThis. I also removed the Norton AV that wasn't in use.

Here's a new log with the files removed:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_2us.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#15 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

    I will eat your Malware

Posted 22 November 2006 - 04:35 PM

Hi :thumbsup:

Log looks good.

I would like to double check with an online scan we don't have any dormant baddies kicking around.

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans, so that there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Thanks :flowers:



