Something Is Going On Here


33 replies to this topic

#1 simALITY

  • Members
  • 92 posts
  • Gender:Female

Posted 27 February 2007 - 09:46 AM

I've been working with fozzie over on the "Am I Infected..." forum, but I can tell he's pretty close to stumped. So I'm hoping that someone can help me over here.

To recap, I've been getting these fake 404 File Not Found error messages for a couple of weeks now. I say they are fake because they are made to appear as if Google is sending them, but the logo is wrong, and besides---I KNOW the page is there. I was also unable to use Firefox (2.0) for a time because of some proxy error message. We (fozzie and I) discovered that FF had been set to use a proxy, but I know I didn't tell it to do that.

For more details, see the "Multiple Issues with My Desktop" thread over on the "Am I infected...?" forum.

Logfile of HijackThis v1.99.1
Scan saved at 9:35:37 AM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www3.ratemyprofessors.com/master/toolbox.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171028648023
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
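The log above is what the helpers read by hand. As an added example, not part of this thread and not code from HijackThis itself, the Python below parses the R*/O* entry lines of a log in this format and flags the items a responder looks at first: an R1 ProxyServer entry that points at the local machine (the setting the original post says was never configured on purpose), O23 services whose binary is reported missing, and O2 BHOs with no display name. The sample log lines are constructed for the example and modelled on the log above; the function names and severity labels are my own choices.

```python
import re
from dataclasses import dataclass

# Matches the "R1 - ..." / "O23 - ..." entry lines HijackThis prints after the process list.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
# Proxy hosts that mean "this machine": a local process is sitting between the browser and the web.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (labels chosen for this example)
    kind: str       # HijackThis section the line came from, e.g. "R1"
    reason: str
    line: str


def parse_entries(log_text):
    """Return (kind, body, raw_line) for every R*/O* entry; headers and the process list are skipped."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("kind"), m.group("body"), raw.strip()))
    return out


def proxy_hosts(body):
    """Host names from a ProxyServer value such as 'http=localhost:1035' or '127.0.0.1:8080'."""
    m = re.search(r"ProxyServer\s*=\s*(\S+)", body)
    if not m:
        return []
    # Values are either "host:port" or a ";"-separated list of "scheme=host:port".
    return [h.lower() for h in re.findall(r"(?:^|=|;)([^:;=]+):\d+", m.group(1))]


def triage(log_text):
    """Rank the entries worth asking about, highest severity first."""
    findings = []
    for kind, body, raw in parse_entries(log_text):
        if kind == "R1" and any(h in LOCAL_HOSTS for h in proxy_hosts(body)):
            findings.append(Finding("high", kind,
                "browser proxy points at this machine: some local process is relaying HTTP", raw))
        elif kind == "O23" and "(file missing)" in body:
            findings.append(Finding("medium", kind,
                "service is registered but its binary was not found", raw))
        elif kind == "O2" and "(no name)" in body:
            findings.append(Finding("info", kind,
                "BHO without a display name; verify the DLL path against a known product", raw))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample, modelled on the thread's log (not a verbatim copy).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.example.com/start
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.reason}\n    {f.line}")
```

The proxy check is deliberately narrow: a corporate proxy on another host is normal, while a proxy on localhost with no proxy software the user installed is what should be explained first, because every page the browser loads passes through that process.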


#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 27 February 2007 - 10:07 AM

Welcome wannabeanerd :thumbsup:

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

*****************************

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open. Look at the bottom of the window. To the right of Attributes, check the box that says Read-only.
4) Click Apply/OK.

****************************

Download and scan with the free 15-day trial of Counterspy.
Once installed, launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/Text document, then save it to your desktop.

****************************

Download 'e Scan MWAV' from here to your desktop:
http://www.mwti.net/download/tools/mwav.exe
Disconnect from the internet, close all running programs.
Double click on the mwav icon on your desktop.
The program will start, and the Licence Agreement will pop up.
Select 'I accept the agreement', then press Ok.
The program will open; leave all the settings as they are.
Now press the 'Scan & Clean' button.
The program will now start scanning your pc.
Once the scan has finished, post the results from the lower window 'Virus Log Information'.

Reboot, post the Counterspy report, the e Scan MWAV results, and a new Hijackthis log into your next reply please.
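The hosts-file step above restores Microsoft's stock file and then makes it read-only. As an added example, not part of RichieUK's instructions or of HostsXpert, the Python below audits what a hosts file contains before you overwrite it, so the finding can go in the thread: a name other than localhost mapped to a loopback or 0.0.0.0 address is a black-holed name (the pattern used to block security and update sites, and also what ad-blocking hosts lists do, so expect those to show up), and a name mapped to any other address is a redirect. It also reports whether the file carries the read-only attribute on Windows. The sample content and the host names in it are constructed; `audit_hosts` and `is_read_only` are my names.

```python
import ipaddress
import os
import stat

# Names the stock Windows XP hosts file maps to loopback; anything else is non-default.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (verdict, hostname, ip) tuples for every mapping that is not a plain localhost entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            if not ip.is_loopback:
                findings.append(("redirect", name, str(ip)))   # localhost itself pointed elsewhere
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(("blackhole", name, str(ip)))      # the name resolves nowhere useful
        else:
            findings.append(("redirect", name, str(ip)))       # the name is silently sent to another host
    return findings


def is_read_only(path):
    """True/False on Windows (FILE_ATTRIBUTE_READONLY); None where the attribute does not exist."""
    st = os.stat(path)
    if not hasattr(st, "st_file_attributes"):
        return None
    return bool(st.st_file_attributes & stat.FILE_ATTRIBUTE_READONLY)


# Constructed sample: the stock localhost line plus three entries of the kinds the audit reports.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-security-vendor.test   # black-holed: the name never resolves
10.0.0.5        www.example.com                    # redirected: browser goes to 10.0.0.5
0.0.0.0         ads.example.test                   # black-holed via the unspecified address
"""

if __name__ == "__main__":
    for verdict, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {name:40} -> {ip}")
    hosts_path = r"C:\WINDOWS\System32\drivers\etc\hosts"
    if os.path.exists(hosts_path):
        print("read-only attribute set:", is_read_only(hosts_path))
```

Run it against the real file by reading `C:\WINDOWS\System32\drivers\etc\hosts` into `audit_hosts`; on a stock XP install the only line is `127.0.0.1 localhost`, so an empty result is the expected clean state. The read-only attribute is a speed bump rather than a lock, since any process running as the user can clear it, which is why the thread still asks for fresh scans afterwards.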

#3 simALITY

  • Topic Starter

  • Members
  • 92 posts
  • Gender:Female

Posted 27 February 2007 - 10:38 AM

Hi Rick, Thanks for replying so quickly!
Question: I just installed CleanUp!, and it's asking me if I want to run it in demo mode. Do I say 'yes' or 'no'?

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 27 February 2007 - 11:04 AM

Ok, uninstall CleanUp, run this instead please:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

#5 simALITY

  • Topic Starter

  • Members
  • 92 posts
  • Gender:Female

Posted 27 February 2007 - 12:09 PM

I'm running CounterSpy as we speak, and I see that it has detected Messenger Plus. This is a program I'm not willing to remove. I know that it comes bundled with adware, but I've never downloaded the sponsor program, and I consider Messenger Plus to be vital to my job. I've used it for over a year, and I have it installed on my laptop (which is running fine, thank you). If you can give me a real reason to remove it (and a method for converting all my chat logs into a text file), I don't think that I'll be removing it. :-)

Edited by wannabeanerd, 27 February 2007 - 12:16 PM.


#6 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 27 February 2007 - 12:42 PM

If you didn't install the sponsor then indeed keep Messenger Plus :thumbsup:

#7 simALITY

  • Topic Starter

  • Members
  • 92 posts
  • Gender:Female

Posted 27 February 2007 - 01:04 PM

Awesome. I love MessengerPlus.

Here is the CounterSpy log.

Scan History Details
Start Date: 2/27/2007 11:48:38 AM
End Date: 2/27/2007 12:13:13 PM
Total Time: 24 Min 35 Sec
Detected security risks

Messenger Plus! Adware Bundler more information...
Details: Messenger Plus! is a add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com.
Status: Ignored

Files detected
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\020802.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\Advent of Giant Enterprises.doc
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\carol010202.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\DemoSpeech2.doc
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\[REMOVED]@hotmail.com.html
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0640.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0644.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0663.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0687.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0713.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0738.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0769.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img0927.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\Images\MsgPlus_Img1072.png
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\[REMOVED]@hotmail.com.html
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\[REMOVED]@hotmail.com.html
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\February 2007\[REMOVED]@gmail.com.html
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\funny.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\091201.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\hex.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\jay.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\012600.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\04.09.2000jess.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\j010400.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\j102499.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\j121499.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\Jess3.20.00.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\Jess3.21.00.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\Jessica\KOZin.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\keys format.txt
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\IMs\susan51101.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\p100601.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\papertips.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\rules of war.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\s102601.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\S111701.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\wordlist2.doc
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\wordsearch1.art
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\wordsearch2.art
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\wordsearchwordlist.rtx
C:\DOCUMENTS AND SETTINGS\Owner\MY DOCUMENTS\MY CHAT LOGS\Write up 3.doc
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Detoured.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Events Style Sheet.xsl
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\lame_enc.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Arabic.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Catalan.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_ChineseSimplified.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_ChineseTraditional.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Danish.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Default.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Dutch.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Estonian.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Finnish.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_French.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_German.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Hungarian.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Italian.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Japanese.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Korean.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Norwegian.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Portuguese.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Spanish.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Swedish.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Languages\Lng_Thai.ini
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\libsndfile.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\Log Viewer.exe
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\MPScripts.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\MPTools.exe
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\MsgPlusLive.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\MsgPlusLive1.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\MsgPlusLiveRes.dll
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\MsgPlusLiveRes1.dll
F:\Downloads\MsgPlusLive-401.exe
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY CHAT LOGS
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY CHAT LOGS\FEBRUARY 2007
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY CHAT LOGS\FEBRUARY 2007\IMAGES
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY CHAT LOGS\IMS
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY CHAT LOGS\IMS\JESSICA
C:\PROGRAM FILES\MESSENGER PLUS! LIVE
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\INTERFACE
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\LANGUAGES
C:\PROGRAM FILES\MESSENGER PLUS! LIVE\SCRIPTS

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\.PLE
HKEY_LOCAL_MACHINE\Software\Classes\.PLE
HKEY_LOCAL_MACHINE\Software\Classes\.PLP
HKEY_LOCAL_MACHINE\Software\Classes\.PLP
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED\shell
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED\shell\open
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.ENCRYPTED\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK\shell
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK\shell\open
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\MSGPLUS.SOUNDPACK\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_LOCAL_MACHINE\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\DefaultSettings
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\DefaultSettings\Contacts
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\DefaultSettings\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\GlobalSettings
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\GlobalSettings\CustSounds
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\GlobalSettings\Scripts
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\AchKufZFXWwp
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\AchKufZFXWwp
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\AchKufZFXWwp
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\AchKufZFXWwp
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\BAhRWmwsvJHS
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\BAhRWmwsvJHS
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\BAhRWmwsvJHS
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\BAhRWmwsvJHS
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CowoczBGsxDN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CowoczBGsxDN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CowoczBGsxDN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CowoczBGsxDN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CvLCvOnNFTAu
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CvLCvOnNFTAu
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CvLCvOnNFTAu
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\CvLCvOnNFTAu
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\DVCuuhZUwrNN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\DVCuuhZUwrNN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\DVCuuhZUwrNN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\DVCuuhZUwrNN
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\FFYpCnMasgnH
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\FFYpCnMasgnH
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\FFYpCnMasgnH
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\FFYpCnMasgnH
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnLPDSzSbTWl
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnLPDSzSbTWl
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnLPDSzSbTWl
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnLPDSzSbTWl
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnTBOohUjXGz
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnTBOohUjXGz
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnTBOohUjXGz
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\GnTBOohUjXGz
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\IzKbNHIhIgbI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\IzKbNHIhIgbI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\IzKbNHIhIgbI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\IzKbNHIhIgbI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\KwaipYuogaim
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\KwaipYuogaim
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\KwaipYuogaim
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\KwaipYuogaim
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\LNYaaxDEhEfW
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\LNYaaxDEhEfW
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\LNYaaxDEhEfW
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MlMggqjHLBSi
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MlMggqjHLBSi
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MlMggqjHLBSi
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MlMggqjHLBSi
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MvBChIpXXTIk
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MvBChIpXXTIk
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MvBChIpXXTIk
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\MvBChIpXXTIk
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\OuuyitGzFNOc
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\OuuyitGzFNOc
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\OuuyitGzFNOc
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\OuuyitGzFNOc
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\RGjAjOrPTEqv
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\RGjAjOrPTEqv
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\RGjAjOrPTEqv
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\RGjAjOrPTEqv
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SklAlRRMfAij
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SklAlRRMfAij
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SklAlRRMfAij
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SklAlRRMfAij
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SmwhFVPVAavC
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SmwhFVPVAavC
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SmwhFVPVAavC
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SmwhFVPVAavC
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SujGcgdAqhNZ
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SujGcgdAqhNZ
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SujGcgdAqhNZ
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SujGcgdAqhNZ
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SvWnNJApYmxU
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SvWnNJApYmxU
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SvWnNJApYmxU
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\SvWnNJApYmxU
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\TVCinJElFBQs
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\TVCinJElFBQs
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\TVCinJElFBQs
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\TVCinJElFBQs
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\UqacbGvXBAdI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\UqacbGvXBAdI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\UqacbGvXBAdI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\UqacbGvXBAdI
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VAslQfEqzFGr
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VAslQfEqzFGr
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VAslQfEqzFGr
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VAslQfEqzFGr
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VUjUooinFBOo
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VUjUooinFBOo
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VUjUooinFBOo
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VUjUooinFBOo
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VXMcgdVFDMme
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VXMcgdVFDMme
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VXMcgdVFDMme
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\VXMcgdVFDMme
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WmcnFVCekmhP
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WmcnFVCekmhP
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WmcnFVCekmhP
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WmcnFVCekmhP
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WrWqucijIxLG
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WrWqucijIxLG
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WrWqucijIxLG
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\WrWqucijIxLG
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YdIfEevNZSwj
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YdIfEevNZSwj
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YdIfEevNZSwj
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YdIfEevNZSwj
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YfSrUmtMgopD
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YfSrUmtMgopD
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YfSrUmtMgopD
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Contacts\YfSrUmtMgopD
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\kat@ratemyprofessors.com\Preferences
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\LogViewer
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\LogViewer
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live\LogViewer
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
HKEY_USERS\S-1-5-21-682003330-764733703-1060284298-1003\SOFTWARE\PATCHOU\Messenger Plus! Live
END OF LOG

#8 simALITY

simALITY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:36 PM

Posted 27 February 2007 - 01:10 PM

I kinda screwed up and didn't read your instructions all the way through, so instead of saving the text in the "lower window" I saved the entire logfile. Here's the summary...Tell me what other things you wanted, and I'll dig 'em out.

Tue Feb 27 12:24:44 2007 => ***** Scanning complete. *****

Tue Feb 27 12:24:44 2007 => Total Objects Scanned: 25354
Tue Feb 27 12:24:44 2007 => Total Critical Objects: 5
Tue Feb 27 12:24:44 2007 => Total Disinfected Objects: 0
Tue Feb 27 12:24:44 2007 => Total Objects Renamed: 0
Tue Feb 27 12:24:44 2007 => Total Deleted Objects: 60
Tue Feb 27 12:24:44 2007 => Total Errors: 56
Tue Feb 27 12:24:44 2007 => Time Elapsed: 00:03:18
Tue Feb 27 12:24:44 2007 => Virus Database Date: 2/27/2007
Tue Feb 27 12:24:44 2007 => Virus Database Count: 274146

Tue Feb 27 12:24:44 2007 => Scan Completed.



Logfile of HijackThis v1.99.1
Scan saved at 12:48:32 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www3.ratemyprofessors.com/master/toolbox.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171028648023
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 simALITY

simALITY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:36 PM

Posted 27 February 2007 - 01:12 PM

Something you might find interesting: When I booted my computer back up, AVG AntiSpyware told me that something had tried to change my homepage to: "about:blank"

Last but not least...I have no idea what that R1 is. There is nothing like it in my laptop's HJT logs. I'm pretty sure it shouldn't be there.

Edited by wannabeanerd, 27 February 2007 - 01:16 PM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 27 February 2007 - 01:21 PM

Well, if you're absolutely sure you don't use a proxy server setup, then have HijackThis fix:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
Reboot, let me know how your PC is running now, please.

#11 simALITY

simALITY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:36 PM

Posted 27 February 2007 - 08:35 PM

The proxy thing reappeared after the machine rebooted. I'm still getting the fake 404 Google pages as well.

Kat


Logfile of HijackThis v1.99.1
Scan saved at 8:43:23 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www3.ratemyprofessors.com/master/toolbox.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1030
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171028648023
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by wannabeanerd, 27 February 2007 - 08:48 PM.
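The detail worth keying on in the two logs above is the port: 1035 in the 12:48 PM scan, 1030 after the reboot, both on the local machine. A proxy that sits on this computer but on a different port every boot is being set by a process that binds a dynamic port at startup and then writes its own address into the IE ProxyServer value, which is also why deleting the R1 line with HijackThis does not stick. The script below is an added example, not part of any post in this thread and not HijackThis code. It parses the R1 lines of HijackThis logs, splits the ProxyServer value the way Internet Explorer reads it, and reports whether the proxy is local and whether its port drifts between scans. The sample input is the R1 line (plus one R0 line, to show non-R1 lines are ignored) from the two logs posted above; the loopback name list and the verdict labels are the example's own choices.

```python
"""Track the IE ProxyServer value across HijackThis logs.

Added example for this thread, not part of HijackThis and not code from any
post. It parses the R1 line of each log, splits the ProxyServer value the
way Internet Explorer reads it, and reports whether the proxy points at this
machine and whether its port changes from one scan to the next.
"""
import re

# Sample input taken from the two logs posted in this thread, keyed by each
# log's "Scan saved at" time. The R0 line is there to show it is ignored.
SAMPLE_SCANS = {
    "12:48:32 PM, on 2/27/2007": (
        r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www3.ratemyprofessors.com/master/toolbox.jsp" "\n"
        r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035" "\n"
    ),
    "8:43:23 PM, on 2/27/2007": (
        r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1030" "\n"
    ),
}

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
PROXY_VALUE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}   # example's own list


def parse_proxy_value(value):
    """Split an IE ProxyServer string into {scheme: (host, port)}.

    IE accepts either one "host:port" that applies to every protocol (kept
    here under the key "*") or a ";"-separated list of "scheme=host:port"
    pairs, which is the form in this thread ("http=localhost:1035").
    A missing port is returned as None.
    """
    targets = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given at all
            host, port = hostport, ""
        targets[scheme or "*"] = (host.strip("[]").lower(),
                                  int(port) if port.isdigit() else None)
    return targets


def proxy_targets(log_text):
    """Return the parsed ProxyServer targets of every R1 line in one log."""
    found = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m or m.group("code") != "R1":
            continue
        pv = PROXY_VALUE.search(m.group("body"))
        if pv:
            found.append(parse_proxy_value(pv.group("value")))
    return found


def loopback_http_ports(scans):
    """Map scan label -> set of ports on which an HTTP proxy on this machine is set."""
    result = {}
    for label, text in scans.items():
        ports = set()
        for targets in proxy_targets(text):
            for scheme, (host, port) in targets.items():
                if scheme in ("http", "*") and host in LOOPBACK_HOSTS and port:
                    ports.add(port)
        result[label] = ports
    return result


def assess(scans):
    """Classify the proxy picture across the scans; returns (verdict, per-scan ports).

    none      - no loopback proxy in any scan
    stable    - loopback proxy on one fixed port wherever it appears; local
                filtering proxies and some security suites legitimately set
                this, so it needs checking but is not a finding by itself
    ephemeral - loopback proxy whose port differs between scans: whatever
                sets it binds a fresh dynamic port each time it starts and
                rewrites the registry value to point IE at itself, so the
                value comes back after every reboot with a new port
    """
    per_scan = loopback_http_ports(scans)
    seen = set().union(*per_scan.values())
    if not seen:
        return "none", per_scan
    return ("stable" if len(seen) == 1 else "ephemeral"), per_scan


if __name__ == "__main__":
    verdict, per_scan = assess(SAMPLE_SCANS)
    for label, ports in per_scan.items():
        print(f"{label}: loopback HTTP proxy on {sorted(ports) or 'none'}")
    print("verdict:", verdict)
```

To find the process behind the proxy, run `netstat -ano` on XP while the value is present and match the PID in the rightmost column against Task Manager (View > Select Columns > PID). Read the port from the value currently in the registry rather than from an older log, since on this machine it changes at every start.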


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 28 February 2007 - 08:00 AM

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www3.ratemyprofessors.com/master/toolbox.jsp
Exit HijackThis.

*******************************

Download DelDomains.zip and extract/unzip it to your desktop.
Now right-click on DelDomains.inf and choose 'Install'.
After you right-click on DelDomains.inf and choose 'Install', it will appear that nothing happened; this is normal.

*******************************

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open. Look at the bottom of the window. To the right of Attributes, check the box that says Read-only.
4) Click Apply/OK.

*******************************

Click on Start/Run, type CMD, then press OK.
At the Command Prompt copy and paste:
NETSH WINSOCK RESET
Then press Enter and restart your PC.

*******************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*******************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Post the DrWeb.csv report, the SmitfraudFix report, and a new HijackThis log in your next reply.
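The instructions above restore the hosts file as a precaution and then lock it with the Read-only attribute, but they do not say what a bad hosts file looks like or why the restore matters. A tampered hosts file does one of two things: it blackholes a name (points it at 127.x or 0.0.0.0, the trick used against security vendors' update and online-scanner sites so they stop working) or it redirects a name to some other address, which is one way to serve a fake page under a real hostname. The script below is an added example, not HostsXpert and not code from any post: it parses a Windows hosts file, labels every non-default mapping, flags those under a watch list of domains, and can write back the stock single-line file and set the read-only attribute the way the instructions do by hand. The sample file and the watch list are constructed for the example; the vendor names in the list come from products that appear in the logs on this page, and nothing in the thread establishes that this particular machine's hosts file was touched.

```python
"""Hosts-file audit and reset for the 'restore the hosts file' step above.

Added example for this thread; it is not HostsXpert, not HijackThis and not
code from any post. On Windows XP the file is
C:\\WINDOWS\\system32\\drivers\\etc\\hosts (no extension). The sample file and
the watch list below are constructed for the example.
"""
import ipaddress
import os
import stat

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample of a tampered hosts file (not the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.avast.com            # update site blackholed
0.0.0.0         www.kaspersky.com        # same, via the unspecified address
10.0.0.5        www.google.com google.com # sent to a third-party box
"""

# Names a hijacked hosts file typically targets: search engines and the
# update/scan sites of security products. Illustrative list, an assumption;
# the vendor names are products seen in the logs in this thread.
WATCHED_SUFFIXES = (
    "google.com", "microsoft.com", "windowsupdate.com", "live.com",
    "avast.com", "grisoft.com", "kaspersky.com", "bitdefender.com",
    "sunbelt-software.com", "superantispyware.com",
)


def default_hosts_text():
    """Content of a stock Windows hosts file: one loopback mapping only."""
    return "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments are skipped.

    A line is '<address> <name> [<alias> ...] [# comment]'; every alias on
    the line maps to the same address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def classify(ip, name):
    """Label one mapping.

    default   - the stock '127.0.0.1 localhost' line
    malformed - address does not parse (hand editing, or a line the
                resolver will ignore)
    blackhole - name points at loopback or 0.0.0.0, so the host is
                unreachable; ad-blocking lists do this on purpose, malware
                does it to security vendors so updates and scanners fail
    redirect  - name points at some other address: requests for it are
                silently sent elsewhere
    """
    if (ip, name) == ("127.0.0.1", "localhost"):
        return "default"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"
    return "redirect"


def audit(text, watched=WATCHED_SUFFIXES):
    """Return every non-default mapping as (line_no, ip, name, label, watched).

    'watched' is True when the name is, or is under, one of the watched
    domains; those are the entries to look at first.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        label = classify(ip, name)
        if label == "default":
            continue
        hit = any(name == s or name.endswith("." + s) for s in watched)
        findings.append((line_no, ip, name, label, hit))
    return findings


def write_clean_hosts(path=HOSTS_PATH):
    """Overwrite the hosts file with the stock content and mark it read-only.

    Same effect as HostsXpert's restore step followed by ticking Read-only in
    the file's Properties. The attribute is cleared first because an existing
    read-only file cannot be opened for writing. It only stops casual edits:
    anything running as this user can clear it again, so a mapping that comes
    back after this is itself evidence of an active process rewriting the file.
    """
    if os.path.exists(path):
        os.chmod(path, stat.S_IWRITE)
    with open(path, "w", newline="\r\n") as fh:   # Windows line endings
        fh.write(default_hosts_text())
    os.chmod(path, stat.S_IREAD)


if __name__ == "__main__":
    for line_no, ip, name, label, hit in audit(SAMPLE_HOSTS):
        flag = "!!" if hit else "  "
        print(f"{flag} line {line_no}: {name} -> {ip} ({label})")
```

Run the audit against the real file before restoring it so the entries are on record; a later scan showing the same mappings back in a file that was reset and marked read-only points at a running process rather than at a one-off edit.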

#13 simALITY

simALITY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:36 PM

Posted 28 February 2007 - 11:24 PM

Here is the Smitfraud scan. More results as they become available.



SmitFraudFix v2.145

Scan done at 23:18:42.70, Wed 02/28/2007
Run from C:\Documents and Settings\Owner\My Documents\My Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End

--------------------------------------------------------------------------------


Smitfraud

RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\Documents and Settings\Owner\My Documents\My Downloads\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Owner\My Documents\My Downloads\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;



--------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 2:23:12 AM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1041
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171028648023
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by wannabeanerd, 01 March 2007 - 02:27 AM.


#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 01 March 2007 - 04:45 AM

What's your PC running like now, please?

#15 simALITY

simALITY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:36 PM

Posted 02 March 2007 - 10:14 PM

What's your PC running like now, please?


Yesterday the machine ran fine. The same went for today, right up until 20 minutes ago. Now it's sluggish, and I'm getting the Google error messages again.




