Help Me, I've Been Hijacked!


  • This topic is locked
9 replies to this topic

#1 bp2927


Posted 08 January 2007 - 10:59 AM

OMG OMG OMG
Hello, I have been hijacked and must always be in safe mode because it knows I want to delete it.
Please help I would appreciate it so much.


Logfile of HijackThis v1.99.1
Scan saved at 8:46:45 AM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\BRIAN\LOCALS~1\Temp\Rar$EX00.765\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060905
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060905
F3 - REG:win.ini: load=C:\WINDOWS\system32\glgwwx\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\glgwwx\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {49DEDC8E-71A8-4344-360E-FA865B87FF9C} - C:\DOCUME~1\BRIAN\APPLIC~1\SETTIN~1\window wipe.exe (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30697~1\Bar888.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30697~1\Bar888.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cdrom New 64 32] C:\Documents and Settings\All Users\Application Data\Dentpilecdromnew\Body Mags.exe
O4 - HKLM\..\Run: [{70697AAE-063C-1033-0728-060329060001}] "C:\Program Files\Common Files\{70697AAE-063C-1033-0728-060329060001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 7\LaunchList.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [fzmz] C:\PROGRA~1\COMMON~1\fzmz\fzmzm.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167533221701
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 htv8


Posted 08 January 2007 - 02:22 PM

Hello bp2927, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8


Posted 09 January 2007 - 10:07 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can and does use to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #2
Go to Start > Run. In the Run: field type appwiz.cpl and press the OK button. Uninstall the following programs (if they are listed):
Bar888
Ipwindows/IpWins
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN

... or anything similar with Oin in it.

NOTE: Remember that these programs may require you to reboot your computer to complete the uninstallation - just let them.

If you want to get rid of the MyGlobalSearch searchbar in Internet Explorer, uninstall MyGlobalSearch from the Add/Remove Programs list as well. MyGlobalSearch is an IE toolbar that displays popup advertisements based on your surfing habits. This parasite installs silently, and has been bundled with the Grokster peer-to-peer file sharing program in the past. This toolbar is also known as MSearch. Although this product does not claim to be spyware, it does slow your computer down. The product uses cookies to track usage, although it claims not to use cookies or anything else to track personally identifiable information. That being said, I would still recommend uninstalling the MyGlobalSearch toolbar, but it's up to you if you uninstall the searchbar or not.

Step #3
You are infected with a LOP infection. Download NoLop.exe to get rid of it.
Download NoLop.exe

Once downloaded, please follow these instructions to run the program:
1. Close all windows so that you have nothing open and are on the Desktop.
2. Double-click the NoLop.exe file to run the program.
3. When the program is loaded click on the button labelled "Search and Destroy". Your computer will now be scanned for infected files.
4. When scanning is finished, you will be prompted to reboot only if your computer is infected: click the OK button.
5. Click the "REBOOT" button. A message should pop up from NoLop. If not, double-click the program again and it will finish.

NOTE: If you receive an error such as "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder. Then re-run the program.
Download mscomctl.ocx

Please post the entire contents of C:\NoLop.log as a reply to this post.

Step #4
Copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as findjobs.bat (save as type: All files) to the Desktop.
dir %Windir%\tasks /a h > files.txt
notepad files.txt
Go to the Desktop and double-click findjobs.bat. Notepad will now open up with the results (some text and numbers). Copy the entire contents of that file and post them here as a reply to this post.

Step #5
I need to see another HijackThis log, but you need to extract (unzip) HijackThis first (otherwise the backups made when items are fixed won't be secure). The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis and save HijackThis_sfx to your Desktop.
Download HijackThis v.1.99.1

Once it is downloaded, double-click on the hijackthis_sfx.exe file and click the Unzip button. Then close the WinZip Self-Extractor window. Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it.
Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

When the HijackThis window opens, click on the button labelled "Do a system scan and save a logfile". HijackThis will perform a system scan, and when the scan is complete, Notepad will open up containing the scan results. The HijackThis log will be automatically saved to the HijackThis folder. Copy the entire contents of the new HijackThis log and post them here.

Step #6
Please provide me an uninstall list by performing these instructions:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the button labelled "Open Uninstall Manager...". You'll see a list of currently installed programs.
5. Click on the button labelled "Save list..." and specify where you would like to save the uninstall list.

When you press the Save button, Notepad will open up with the contents of that file. Copy and paste the contents of that Notepad file as a reply to this topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
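The two things htv8 is reacting to in the logs in this thread can be checked mechanically: the O1 Hosts entries that point security-vendor and security-help sites at 1.1.1.1 (so AV updates, online scanners and support pages silently fail), and autostart entries that launch a core Windows process name such as winlogon.exe or lsass.exe from a folder that is not a Windows system directory, including the s?stem\e?plorer.exe look-alike path HijackThis renders with question marks. The Python script below is an added example written for this page; it is not part of HijackThis, NoLop or anything posted in the thread. The vendor keyword list, the system-directory whitelist and the rule that any populated win.ini load/run entry is worth a look are my own assumptions, and the sample lines are copied from the logs above.

```python
"""Triage helper for HijackThis-style logs (added example, not from this thread).

Checks: O1 Hosts entries naming security-vendor sites, and F3/O4 autostart
entries that launch a core Windows process name from a non-system folder or
whose path contains "?" (how HijackThis shows undisplayable look-alike
characters). Vendor list and system-directory whitelist are assumptions.
"""
import re

# Core Windows binaries that legitimately run only from the system directories.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "explorer.exe"}
# Folders where those names are expected (assumed Windows XP layout, lower-case).
LEGIT_SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")
# Substrings identifying the security sites seen in the log above (assumed list);
# a hosts file has no legitimate reason to carry entries for any of them.
VENDOR_KEYWORDS = ("symantec", "mcafee", "nai.com", "networkassociates", "sophos",
                   "f-secure", "kaspersky", "viruslist", "trendmicro", "grisoft",
                   "bitdefender", "avast", "zonelabs", "pandasoftware", "ewido",
                   "my-etrust", "sysinternals", "merijn", "spywareinfo", "jotti",
                   "paretologic", "onguardonline", "support.microsoft", "safety.live")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
WININI_RE = re.compile(r"^F3 - REG:win\.ini:\s+(load|run)=(.+)$", re.I)
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\]\s+(.+)$")
# A leading quoted path, or an unquoted path up to the first known extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)', re.I)


def _exe_path(command):
    """Pull the launched file out of an O4 command line (quoted or not)."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command else ""


def check_hosts_line(line):
    """Return a finding for an O1 line that maps a security-vendor host, else None."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.group(1), m.group(2).lower()
    if any(k in host for k in VENDOR_KEYWORDS):
        return f"hosts file redirects {host} to {ip}: blocks updates/online scans"
    return None


def check_autostart_line(line):
    """Return a finding for a suspicious F3/O4 autostart entry, else None."""
    m = WININI_RE.match(line)
    if m:
        source, path = f"win.ini {m.group(1)}=", m.group(2).strip()
    else:
        m = RUN_RE.match(line)
        if not m:
            return None
        source, path = f"{m.group(1)} [{m.group(2)}]", _exe_path(m.group(3))
    name = path.rsplit("\\", 1)[-1].lower()
    folder = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    if name in SYSTEM_PROCESSES and folder not in LEGIT_SYSTEM_DIRS:
        return f"{source}: system process name {name} launched from {path}"
    if "?" in path:
        return f"{source}: look-alike path with undisplayable characters: {path}"
    if source.startswith("win.ini"):
        return f"{source}: legacy win.ini autostart populated ({path})"
    return None


def triage(log_text):
    """Run both checks over every line; returns [(line_number, finding), ...]."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for check in (check_hosts_line, check_autostart_line):
            finding = check(line.strip())
            if finding:
                findings.append((number, finding))
    return findings


# Constructed sample: lines copied from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""F3 - REG:win.ini: load=C:\WINDOWS\system32\glgwwx\winlogon.exe
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\YSTEM3~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Sowkcnfp] C:\Documents and Settings\BRIAN\My Documents\s?stem\e?plorer.exe"""

if __name__ == "__main__":
    for number, finding in triage(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

On the sample above the script flags lines 1, 2, 3, 6 and 7 and leaves the ehTray and ctfmon entries alone; the folder whitelist is deliberately exact-match, so a winlogon.exe one level below system32 (as in the glgwwx entry) is reported rather than waved through by a prefix test.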


#4 bp2927


Posted 09 January 2007 - 04:11 PM

I don't think it found anything, but this is the NoLop log:

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\BRIAN\My Documents
[1/9/2007]
[1:41:45 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Ati
C:\Documents and Settings\Administrator\Application Data\Gtek
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Digstream
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Wildtangent
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Brian\Application Data\Adobe
C:\Documents and Settings\Brian\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Brian\Application Data\Ati
C:\Documents and Settings\Brian\Application Data\Creative
C:\Documents and Settings\Brian\Application Data\Cyberlink
C:\Documents and Settings\Brian\Application Data\Google
C:\Documents and Settings\Brian\Application Data\Gtek
C:\Documents and Settings\Brian\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Brian\Application Data\Identities
C:\Documents and Settings\Brian\Application Data\Intervideo
C:\Documents and Settings\Brian\Application Data\Lavasoft
C:\Documents and Settings\Brian\Application Data\Leadertech
C:\Documents and Settings\Brian\Application Data\Macromedia
C:\Documents and Settings\Brian\Application Data\Microsoft
C:\Documents and Settings\Brian\Application Data\Mozilla
C:\Documents and Settings\Brian\Application Data\Playfirst
C:\Documents and Settings\Brian\Application Data\Real
C:\Documents and Settings\Brian\Application Data\Settingsmfcdokay -- EMPTY Directory
C:\Documents and Settings\Brian\Application Data\Sonic
C:\Documents and Settings\Brian\Application Data\Sun
C:\Documents and Settings\Brian\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Brian\Application Data\Syntrillium
C:\Documents and Settings\Default User\Application Data\Ati
C:\Documents and Settings\Default User\Application Data\Gtek
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

For the "find jobs" thing:

Volume in drive C has no label.
Volume Serial Number is 7069-7AAE

Directory of C:\WINDOWS\tasks

01/03/2007 02:15 AM <DIR> .
01/03/2007 02:15 AM <DIR> ..
08/10/2004 03:00 AM 65 desktop.ini
01/09/2007 01:53 PM 6 SA.DAT
2 File(s) 71 bytes

Directory of C:\Documents and Settings\BRIAN\Desktop


The new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:35:56 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060905
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060905
R3 - URLSearchHook: (no name) - {5E1BB96F-05F6-0E27-8178-0E12E236B1B6} - C:\WINDOWS\system32\mpbw.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\glgwwx\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\glgwwx\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49DEDC8E-71A8-4344-360E-FA865B87FF9C} - C:\DOCUME~1\BRIAN\APPLIC~1\SETTIN~1\window wipe.exe (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5E1BB96F-05F6-0E27-8178-0E12E236B1B6} - C:\WINDOWS\system32\mpbw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cdrom New 64 32] C:\Documents and Settings\All Users\Application Data\Dentpilecdromnew\Body Mags.exe
O4 - HKLM\..\Run: [{70697AAE-063C-1033-0728-060329060001}] "C:\Program Files\Common Files\{70697AAE-063C-1033-0728-060329060001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 7\LaunchList.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [My Global Search Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [fzmz] C:\PROGRA~1\COMMON~1\fzmz\fzmzm.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\YSTEM3~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Sowkcnfp] C:\Documents and Settings\BRIAN\My Documents\s?stem\e?plorer.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167533221701
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



and the uninstall list from hijackthis


Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Ares 1.9.9
Artisan DVD/DivX Player
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom Management Programs
Conexant HDA D110 MDC V.92 Modem
Cool Edit Pro 2.0
Corel Photo Album 6
Creative WebCam Center
Creative WebCam Instant Driver (1.01.02.0729)
Creative WebCam Instant User's Guide (English)
Dell Digital Jukebox Driver
Dell Support 3.1
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Diner Dash
DivX
Documentation & Support Launcher
DVD6
EarthLink setup files
EducateU
ELIcon
ESPNMotion
Games, Music, & Photos Launcher
GemMaster Mystic
Get High Speed Internet!
Get Yahoo! Messenger
Google Desktop
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Internet Service Offers Launcher
Java™ SE Development Kit 6
Java™ SE Runtime Environment 6
L&H TTS3000 Nederlands
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
LiveUpdate 2.6 (Symantec Corporation)
Messenger Plus! 3 & Sponsor
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Small Business Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Modem Helper
MP3 WAV Converter 2.68
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
NetWaiting
NetZeroInstallers
Outerinfo
Outerinfo
Pinnacle Systems PCI Performance Enhancer
Power Tab Editor 1.7
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer
SearchAssist
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Synaptics Pointing Device Driver
TargetSaver
Toyota Yaris Screen Saver
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
WinTasks Trial
XviD 1.1 final uninstall
ZoneAlarm
Zune Desktop Theme

thank you very much
I removed the global search bar; whenever the computer starts up, it asks me to install a "yoursite bar".

#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 AM

Posted 10 January 2007 - 10:49 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
You need to update your Sun Java Console. Your log still shows an older version installed. Older versions have vulnerabilities that malware can and does use to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #2
Go to Start > Run. In the Run: field type appwiz.cpl and press the OK button. Uninstall the following programs (if they are listed):
Outerinfo
SearchAssist
TargetSaver


You have Messenger Plus! installed on your computer. This software is known to install spyware when you install it. We need to remove this spyware first. Remove Messenger Plus! 3 & Sponsor from the Add/Remove Programs list as well to get rid of it. If you still want to use the program, you can reinstall Messenger Plus!, but make sure you install it without the sponsors. You can select the option for installing Messenger Plus! without sponsors during the setup process.

NOTE: Remember that these programs may require you to reboot your computer to complete the uninstallation - just let them.

I see Viewpoint installed. Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. From what we know, this will change in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint.
I suggest removing this program. If you agree, go to Start > Control Panel > Add/Remove Programs and remove Viewpoint Media Player if present.

I see you are also using WildTangent. It is not malware, but is sometimes thought to bring malware along. WildTangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although the program is not technically considered spyware it does have built in components to update itself and gather system configuration information. Besides that, it is a MAJOR resource hog.
Unless you are an extremely avid games player, I suggest removing this program. If you agree, go to Start > Control Panel > Add/Remove Programs and remove WildTangent Web Driver if present.

I also strongly recommend that you uninstall Ares 1.9.9, although that choice is yours. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Any time you are running any type of P2P application, you are more prone to infection.
If you do not want to uninstall the program, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #3
Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update and configure the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5.

Now reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, as it may interfere with the scanning process.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware.
8. Reboot your computer to boot back into normal mode.

Please post the entire contents of the saved text file in your next reply.

Step #4
Please download Combofix and save it to your Desktop.
Download combofix.exe

Once downloaded, double-click combofix.exe and follow the on-screen prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

NOTE: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall!

Step #5
Please download Hoster and save it to your Desktop.
Download hoster.zip

Once downloaded, unzip hoster.zip and launch Hoster.exe.
Now please perform these instructions:
1. Click once on the button labelled "Restore Microsoft's Hosts File".
2. A confirmation window will pop up. Click OK.
3. Close Hoster.

Step #6
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

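A triage script for the O23 service lines of the log above, added here as an example; it is not part of the thread or of HijackThis. It mechanises the checks that single out the "COM+ Messages" service: a binary name one character off a core Windows binary (svchosts.exe versus svchost.exe), a core binary name living outside the Windows directory, and "Unknown owner" services with or without a missing file. The list of core binary names is an assumption, and the sample lines are copied from the log above.

```python
"""Triage the O23 (Windows service) lines of a HijackThis 1.99.1 log.

Added example, not part of the thread or of HijackThis itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 layout: "O23 - Service: <name> - <owner> - <path> [args] [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
# First executable-looking token in the path part (a quote and args may follow it).
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|sys))", re.IGNORECASE)

# Core Windows binaries that adware/trojans name themselves after (assumed list).
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "explorer.exe")

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


@dataclass
class O23Finding:
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1               # extra character in a
        elif len(b) > len(a):
            j += 1               # extra character in b
        else:
            i, j = i + 1, j + 1  # substitution
    # Any unconsumed tail characters cost one edit each.
    return edits + (len(a) - i) + (len(b) - j) <= 1


def parse_o23(line: str) -> Optional[O23Finding]:
    """Split one O23 line into name, owner, binary path and file-missing flag."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    exe = EXE_RE.match(rest)
    path = exe.group("path") if exe else rest
    return O23Finding(name=m.group("name"), owner=m.group("owner"),
                      path=path, file_missing=rest.endswith("(file missing)"))


def assess(f: O23Finding) -> O23Finding:
    """Attach a reason for each rule the service trips; no reasons means clean."""
    base = f.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    in_windows_dir = "\\windows\\" in f.path.lower()
    for core in CORE_BINARIES:
        if base == core and not in_windows_dir:
            f.reasons.append(f"core binary name {core} outside the Windows directory")
        elif base != core and within_one_edit(base, core):
            f.reasons.append(f"lookalike of {core}")
    if f.owner == "Unknown owner":
        f.reasons.append("unknown owner, file missing (stale entry or already-removed malware)"
                         if f.file_missing else "unknown owner, file present")
    return f


def triage_o23(lines) -> List[O23Finding]:
    """Return only the services that tripped at least one rule, name-based hits first."""
    found = [assess(f) for f in map(parse_o23, lines) if f is not None]
    flagged = [f for f in found if f.reasons]
    flagged.sort(key=lambda f: (not any("lookalike" in r or "outside" in r
                                        for r in f.reasons), f.name))
    return flagged


if __name__ == "__main__":
    for finding in triage_o23(SAMPLE_LOG.splitlines()):
        print(f"{finding.name}: {finding.path} -> {'; '.join(finding.reasons)}")
```

The "Unknown owner, file missing" reasons are informational: the MSSQL leftovers trip them too, so a missing file alone is never a verdict, while the one-character name mismatch is what separates the svchosts.exe service from the rest.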

#6 bp2927

bp2927
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 10 January 2007 - 09:26 PM

OK cool, so the first one is AVG report, then COMBOFIX and HIJACKTHIS at the end.



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:36:18 PM 1/10/2007

+ Scan result:



HKU\S-1-5-21-3138114910-3218520500-2324774748-1006\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\BRIAN\Desktop\install.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{30697AAE-063C-1033-0728-060329060001}\Bar888.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc3.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\tc.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\BRIAN\Local Settings\Temp\b122.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{70697AAE-063C-1033-0728-060329060001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{70697AAE-063C-1033-0728-060329060001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc2\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc2\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc5\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3138114910-3218520500-2324774748-1006\Dc5\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fzmz\fzmzd\fzmzc.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
HKU\S-1-5-21-3138114910-3218520500-2324774748-1006\Software\ToolBar -> Adware.WebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-3138114910-3218520500-2324774748-1006\Software\ToolBar\all -> Adware.WebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-3138114910-3218520500-2324774748-1006\Software\ToolBar\all\History -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Documents and Settings\BRIAN\Local Settings\Temp\isinst.exe -> Downloader.IstBar.pn : Cleaned with backup (quarantined).
C:\Documents and Settings\BRIAN\Local Settings\Temporary Internet Files\Content.IE5\QE24MS2F\istdownload[1].exe -> Downloader.IstBar.pn : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fzmz\fzmzp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fzmz\fzmzd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\Documents and Settings\BRIAN\Local Settings\Temp\b103.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fzmz\fzmzl.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
C:\Documents and Settings\BRIAN\Cookies\brian@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@tcompany.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@thumbplay.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@rotator.dex.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@thunderbolt.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@CA7OGGYH.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@track.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@vip2.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@sales.liveperson[5].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@ads-205.quarterserver[1].txt -> TrackingCookie.Quarterserver : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@www.res99[2].txt -> TrackingCookie.Res99 : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@xmltest.res99[1].txt -> TrackingCookie.Res99 : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\BRIAN\Local Settings\Temp\Cookies\brian@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\BRIAN\Cookies\brian@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\wnsapicc.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



THE COMBOFIX REPORT----------



BRIAN - 07-01-10 18:57:10.92 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\BRIAN\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{30697AAE-063C-1033-0728-060329060001}
C:\Program Files\Common Files\{70697AAE-063C-1033-0728-060329060001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\BRIAN\My Documents\SSTEM~1
C:\QooBox\Purity\Program Files\YSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-10 to 2007-01-10 ))))))))))))))))))))))))))))))))))


2007-01-10 18:54 92,485 --a------ C:\tc.exe
2007-01-10 18:54 <DIR> d-------- C:\Program Files\Common Files\{30697~1
2007-01-10 18:47 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-01-10 17:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-10 17:10 <DIR> d-------- C:\Program Files\Grisoft
2007-01-09 20:53 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-01-09 20:53 <DIR> d-------- C:\Documents and Settings\BRIAN\Application Data\SiteAdvisor
2007-01-09 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-01-09 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-01-09 18:33 183,965 --a------ C:\utc.exe
2007-01-09 13:54 123,503 --a------ C:\tysb.exe
2007-01-09 13:27 <DIR> d-------- C:\Program Files\HijackThis
2007-01-09 13:14 318 --a------ C:\delete.bat
2007-01-09 12:58 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-07 21:51 331,264 --a------ C:\WINDOWS\IsUn0407.exe
2007-01-07 21:45 14,235 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys
2007-01-07 21:41 <DIR> d-------- C:\Program Files\Pinnacle
2007-01-07 21:38 <DIR> d-------- C:\Temp
2007-01-07 10:06 <DIR> d-------- C:\WINDOWS\fzmz
2007-01-07 10:06 <DIR> d-------- C:\Program Files\Common Files\fzmz
2007-01-07 09:35 <DIR> d-------- C:\Program Files\Ipwindows
2007-01-03 02:12 <DIR> d-------- C:\NoLopBackups
2007-01-03 01:50 <DIR> d-------- C:\Program Files\LIUtilities
2007-01-03 01:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-03 01:49 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-01-03 00:11 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-01-03 00:11 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-01-03 00:11 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-01-03 00:11 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-01-03 00:11 <DIR> d-------- C:\Documents and Settings\BRIAN\Application Data\Syntrillium
2007-01-03 00:09 <DIR> d-------- C:\Program Files\coolpro2
2007-01-03 00:08 <DIR> d-------- C:\Cool Edit Pro 2.0 With Add Ons
2006-12-30 23:02 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-12-30 19:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-30 19:57 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-30 19:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-30 18:44 <DIR> d--hs---- C:\WINDOWS\system32\glgwwx
2006-12-25 22:25 <DIR> d-------- C:\Documents and Settings\BRIAN\Application Data\Sonic
2006-12-25 22:24 <DIR> d-------- C:\Documents and Settings\BRIAN\Application Data\Leadertech


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-10 18:58 -------- d-------- C:\Program Files\Common Files
2007-01-10 18:54 -------- d-------- C:\Program Files\Common Files\{30697~1
2007-01-10 18:44 -------- d-------- C:\Program Files\ArtisanDVDPlayer
2007-01-10 17:00 -------- d-------- C:\Program Files\Java
2007-01-10 15:30 -------- d-------- C:\Documents and Settings\BRIAN\Application Data\AdobeUM
2007-01-10 15:27 -------- d-------- C:\Documents and Settings\BRIAN\Application Data\Adobe
2007-01-10 14:55 -------- d-------- C:\Program Files\GemMaster
2007-01-10 14:52 -------- d-------- C:\Program Files\DivX
2007-01-10 14:52 -------- d-------- C:\Program Files\Creative
2007-01-10 14:48 -------- d-------- C:\Program Files\Common Files\AOL
2007-01-10 14:28 -------- d-------- C:\Program Files\WildTangent
2007-01-05 01:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-13 09:03 -------- d-------- C:\Program Files\Outlook Express
2006-12-13 09:03 -------- d-------- C:\Program Files\Common Files\System
2006-12-10 16:22 251 --a------ C:\Program Files\wt3d.ini
2006-12-09 23:06 196 --a------ C:\Documents and Settings\BRIAN\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2006-12-04 09:38 -------- d-------- C:\Documents and Settings\BRIAN\Application Data\Google
2006-12-04 09:37 -------- d-------- C:\Program Files\Google
2006-11-28 07:59 -------- d-------- C:\Program Files\EA GAMES
2006-11-28 07:53 1040 --a------ C:\Documents and Settings\BRIAN\Application Data\.googlewebacchosts
2006-11-28 07:53 -------- d-------- C:\Program Files\Musicnotes
2006-11-28 07:52 -------- d-------- C:\Program Files\InterVideo
2006-11-28 07:51 -------- d-------- C:\Program Files\Common Files\InterVideo
2006-11-28 07:48 -------- d-------- C:\Program Files\eMule
2006-11-28 07:46 -------- d-------- C:\Program Files\TechSmith
2006-11-27 15:10 -------- d-------- C:\Program Files\MTV Networks
2006-11-22 09:29 -------- d---s---- C:\Documents and Settings\BRIAN\Application Data\Microsoft
2006-11-20 23:32 -------- d-------- C:\Program Files\WinRAR
2006-11-20 10:55 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-16 12:55 88 -r-hs---- C:\WINDOWS\system32\8856D449FB.sys
2006-11-16 12:55 3766 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-15 22:03 -------- d-------- C:\Program Files\Windows Media Player
2006-11-15 22:03 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-11-10 21:23 -------- d-------- C:\Program Files\LitexMedia
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\system32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 21:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 21:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 21:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 21:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 21:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --a------ C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 21:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 21:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 21:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992 --a------ C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 21:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 21:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 21:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 21:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 21:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 21:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 20:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 13:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 13:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 13:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 13:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 13:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 13:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 13:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 05:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 05:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ModemOnHold"="C:\\Program Files\\NetWaiting\\netWaiting.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SPSTEALT"="\"C:\\Program Files\\Free History Eraser\\HistoryEraser.exe\" /stealt"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"winlogon"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
@=""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Creative WebCam Tray"="C:\\Program Files\\Creative\\Shared Files\\CAMTRAY.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Cdrom New 64 32"="C:\\Documents and Settings\\All Users\\Application Data\\Dentpilecdromnew\\Body Mags.exe"
"winlogon"=""
"PCLEPCI"="C:\\PROGRA~1\\Pinnacle\\PPE\\ppe.exe"
"LaunchList"="C:\\Program Files\\Pinnacle\\Studio 7\\LaunchList.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\5020\\SiteAdv.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-10 18:58:32.48
C:\ComboFix.txt ... 07-01-10 18:58
C:\ComboFix2.txt ... 07-01-10 18:48
C:\ComboFix3.txt ... 07-01-10 18:45


COMBOFIX END------------------



Logfile of HijackThis v1.99.1
Scan saved at 7:11:32 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060905
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060905
F3 - REG:win.ini: load=C:\WINDOWS\system32\glgwwx\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\glgwwx\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O2 - BHO: (no name) - {49DEDC8E-71A8-4344-360E-FA865B87FF9C} - C:\DOCUME~1\BRIAN\APPLIC~1\SETTIN~1\window wipe.exe (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30697~1\Bar888.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30697~1\Bar888.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cdrom New 64 32] C:\Documents and Settings\All Users\Application Data\Dentpilecdromnew\Body Mags.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 7\LaunchList.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [{70697AAE-063C-1033-0728-060329060001}] "C:\Program Files\Common Files\{70697AAE-063C-1033-0728-060329060001}\Update.exe" te-110-12-0000282
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167533221701
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#7 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 AM

Posted 11 January 2007 - 01:00 PM

After a more in-depth look at your log I spotted a pretty nasty piece of malware that is installed on your computer: a backdoor. In short, this piece of malware allows hackers to remotely control your computer, steal critical system information and download and execute files.

IMPORTANT
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?.


Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and reinstall of the OS. This is something I don't like to recommend normally, but it is the best solution for your safety. For more information, please read this reference very carefully: When should I re-format? How should I reinstall?.
If you choose to format and reinstall, see this link for instructions: Reformat Hard Drive FAQ for Windows 95/98/Me/XP.

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you disinfect your PC, but you must understand that once a machine has been taken over by this type of malware, it can never be declared clean.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
Below are some more links that could help you decide what to do.

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#8 bp2927

bp2927
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 11 January 2007 - 07:21 PM

Alright, thanks a lot but I decided to purge everything and restore it back to factory condition.

#9 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 AM

Posted 12 January 2007 - 10:23 AM

OK. :thumbsup: Good decision. A reformat and reinstall of the OS is the best solution for your safety. It is a good thing, though, to click on this tutorial and follow each step listed to prevent infection in the future:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Do not forget to tell your friends about us.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#10 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 AM

Posted 17 January 2007 - 12:26 PM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.




