
Cws.msconfig & Chinese In Msconfig


22 replies to this topic

#1 skinsfan732

skinsfan732

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 01 May 2007 - 01:36 AM

I'm running Vista. I ran Ad-Aware, Spybot, and McAfee. They all come back clean. The only app that found anything was CWShredder. It found cws.msconfig. The main problem is that I have a random msconfig-->startup item that is in Chinese. I can't figure out what it is or how to remove it. Any help would be greatly appreciated. Here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 2:21:03 AM, on 5/1/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\msconfig.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Hijackthis 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:43 PM

Posted 06 May 2007 - 06:04 AM

Hi skinsfan732, :flowers:

If you still need help please post a new HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

#3 skinsfan732

skinsfan732
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 06 May 2007 - 06:19 PM

Falu,
Thanks so much for looking into this. I have a random item in msconfig that is in Chinese. Windows Defender also keeps blocking a startup item I don't see on the list called "system configuration utility". When I right-click on the app, it doesn't show it as being signed by Microsoft. I was thinking it wasn't the same one used by Windows. When I permit it, my system crashes. IE also keeps not responding for no real reason. I ran Ad-Aware, Spybot, Ewido, and McAfee with no results other than tracking cookies. CWShredder finds cws.msconfig. When I look at the HijackThis log, I see several things that stand out to me: Yahoo search keys, O13 - Gopher Prefix:, and the ???????? entry. Any ideas? I'm running Vista (not by choice); it came preloaded on my new system. :thumbsup: See attached screenshot for the msconfig entry in question. Thanks again for looking at it!!

Logfile of HijackThis v1.99.1
Scan saved at 7:05:22 PM, on 5/6/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Hijackthis 1.99\HijackThis.exe
C:\Windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BounceBack Setup] "C:\Program Files\CMS Peripherals\BounceBack Express\AppLaunch.exe" /Launchit
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: LMIinit - C:\Windows\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\VistaSrv.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Attached Files



#4 skinsfan732

skinsfan732
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 06 May 2007 - 06:29 PM

Falu, one more thing: I'm using http://www.logmein.com for remote desktop connections. Those entries are legit. Thanks
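An added check, written for this edit and not code from the thread or from any of the tools named in it, on the "Chinese" run-key name. The Windows Defender event quoted later in the thread records the value name as 捁牥吠畯⁲敒業摮牥. Taking those nine UTF-16 code units as raw little-endian bytes spells the ASCII string "Acer Tour Reminder": 捁 is the bytes 0x41 0x63 ("Ac") read as one code unit, 牥 is 0x65 0x72 ("er"), and so on. That pattern is what an ANSI (single-byte) string looks like when it is stored where Windows expects a wide string, and it matches the HijackThis line `O4 - HKCU\..\Run: [?????????] ??????????????e`: nine question marks for a nine-unit name, and a lone trailing "e" where an odd-length ANSI value ending in "e" (as ".exe" does) plus its NUL terminator leaves the final letter readable. That the value was written by Acer's preloaded software is my inference from the decoded text and the Acer entries in the log, not something the thread confirms, and the decode does not by itself clear the entry: the file the value points to still has to be inspected. The SID in the sample line and the control strings are constructed placeholders.

```python
from typing import Optional

# Registry value names that display as CJK text can be an encoding artifact:
# an ANSI (single-byte) string stored where Windows expected UTF-16LE, so each
# pair of ASCII bytes is shown as one 16-bit code unit in the CJK range.


def ansi_seen_as_wide(text: str) -> str:
    """Show how an ANSI/ASCII string is displayed when Windows reads its bytes
    as UTF-16LE. Odd-length input keeps its NUL terminator, so the final
    character survives as a lone Latin letter (the 'e' after the '?'s)."""
    raw = text.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00"  # the terminating NUL completes the last 16-bit unit
    return raw.decode("utf-16-le")


def reinterpret_as_ansi(name: str) -> Optional[str]:
    """Inverse check: if the UTF-16LE code units of `name`, taken as raw bytes,
    form printable ASCII (optionally NUL-terminated), return that text;
    otherwise return None, meaning the name is genuinely non-ASCII."""
    raw = name.encode("utf-16-le").rstrip(b"\x00")
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def run_value_name(path_found: str) -> str:
    """Extract the value name from a Windows Defender 'Path Found' run-key
    reference of the form 'runkey:HKCU@<sid>\\Software\\...\\Run\\\\<name>'."""
    return path_found.rstrip("\\").rsplit("\\", 1)[-1]


def triage(path_found: str) -> str:
    """One-line verdict for an analyst: the decoded ANSI text, or a flag that
    the name is real non-ASCII text and the target file needs a closer look."""
    name = run_value_name(path_found)
    decoded = reinterpret_as_ansi(name)
    if decoded is None:
        return f"{name!r}: genuinely non-ASCII value name, inspect the target file"
    return f"{name!r}: ANSI text read as UTF-16LE -> {decoded!r}"


if __name__ == "__main__":
    # Constructed sample: placeholder SID, value name copied from the thread's Defender event.
    sample = (r"runkey:HKCU@S-1-5-21-0-0-0-1000\Software\Microsoft\Windows"
              r"\CurrentVersion\Run\\捁牥吠畯⁲敒業摮牥")
    print(triage(sample))
    # Constructed control: a real Chinese name ('微软', Microsoft) is not ASCII in disguise.
    print(triage(r"runkey:HKCU@S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\\微软"))
    # Constructed odd-length ANSI data keeps its last letter, as in the '??????????????e' line.
    print(repr(ansi_seen_as_wide(r"C:\example\odd-length\app.exe")))
```

Run it as a script to see the three verdicts, or call `reinterpret_as_ansi` on any value name that displays as CJK text in a log from a machine with no CJK software installed; a `None` result means the name really is non-ASCII and the item gets the usual file-level inspection (path, publisher, signature) rather than being explained away.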

#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:43 PM

Posted 09 May 2007 - 03:09 AM

Hi skinsfan732, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. To begin with, could you explain if you have any complaints about the functioning of your computer?

2.

Windows Defender also keeps blocking a startup item I don't see on the list called "system configuration utility". When I right-click on the app, it doesn't show it as being signed by Microsoft. I was thinking it wasn't the same one used by Windows. When I permit it, my system crashes. IE also keeps not responding for no real reason.


Any error messages? If so report them here as specific as possible.

3. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

You may re-enable it again when your computer is clean; I will let you know!

4. Download, install, and update AVG Anti-Spyware 7.5

1. Save the installer to desktop
2. Double click the installer, select your language, and then select OK
3. Click NEXT>>Do or don't read the "User License Agreement"
Select I Agree>>>NEXT>>>INSTALL
4. AVG will now install and afterwards click FINISH
5. AVG Anti-Spyware 7.5 should now Load
6. Click the Update tab at the top. Under Manual Update click Start update.
7. After the update finishes (the status bar at the bottom will display "Update successful")
8. Close AVG Anti-Spyware 7.5. Do not run it yet.

5. Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account.

6. Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
7. Reboot to go back into Normal mode.

8. Download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

9. Double-click on My Computer and locate the file C:\Windows\system32\ActiveToolBand.dll. Right-click on it and choose "Properties". In General you will find the file size. Then click on the "Version" tab and let me know which Company name is listed.

Please post combofix.txt together with the AVG report, a fresh HijackThis log and the answers to my questions.

#6 skinsfan732

skinsfan732
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 12 May 2007 - 06:17 PM

1. To begin with could you explain if you have any complaints about the functioning of your computer?
Answer: Yes, IE stops responding randomly. Also increase in pop-ups, and strange search results.

2. Any error messages? If so report them here as specific as possible.
Answer: I dug through the event logs and couldn't find the one from when the config sys utility is enabled. It was a security object error and a permissions error. After restarting and not allowing the app to run, the issue goes away. Per your request, here are a couple of other error messages I'm experiencing. See event #3. That's the reference to the Chinese item in msconfig. McAfee sometimes is disabled and I don't have rights to turn it back on. I have to restart several times to get the issue to go away.

Log Name: System
Source: Microsoft-Windows-Windows Defender
Date: 5/4/2007 3:45:31 AM
Event ID: 3004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: PDB-Vista
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {05681116-2754-451D-9BD1-A56443FCDBA6}
User: PDB-Vista\Paul
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: runkey:HKCU@S-1-5-21-3456077275-272129072-1536745108-1000\Software\Microsoft\Windows\CurrentVersion\Run\\捁牥吠畯⁲敒業摮牥
Alert Type: Unclassified software
Detection Type:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" EventSourceName="WinDefend" />
<EventID Qualifiers="0">3004</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-05-04T07:45:31.000Z" />
<EventRecordID>6223</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>PDB-Vista</Computer>
<Security />
</System>
<EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">1.1.1505.0</Data>
<Data Name="Scan ID">{05681116-2754-451D-9BD1-A56443FCDBA6}</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Domain">PDB-Vista</Data>
<Data Name="User">Paul</Data>
<Data Name="SID">S-1-5-21-3456077275-272129072-1536745108-1000</Data>
<Data Name="Threat Name">Unknown</Data>
<Data Name="Threat Id">
</Data>
<Data Name="Threat Severity">
</Data>
<Data Name="Threat Category">
</Data>
<Data Name="FWLink">%%832</Data>
<Data Name="Path Found">runkey:HKCU@S-1-5-21-3456077275-272129072-1536745108-1000\Software\Microsoft\Windows\CurrentVersion\Run\\捁牥吠畯⁲敒業摮牥</Data>
<Data Name="Threat Classification Index">0</Data>
<Data Name="Threat Classification">%%807</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Detection Type Index">
</Data>
<Data Name="Detection Type">
</Data>
</EventData>
</Event>

Log Name: System
Source: Microsoft-Windows-Windows Defender
Date: 5/4/2007 3:45:34 AM
Event ID: 3004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: PDB-Vista
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {F6AF4BAC-A45F-4878-BC8B-65F2394C4B80}
User: PDB-Vista\Paul
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: regkey:HKCU@S-1-5-21-3456077275-272129072-1536745108-1000\Software\Microsoft\Windows\CurrentVersion\Run\\igndlm.exe;runkey:HKCU@S-1-5-21-3456077275-272129072-1536745108-1000\Software\Microsoft\Windows\CurrentVersion\Run\\igndlm.exe;file:C:\Program Files\Download Manager\DLM.exe
Alert Type: Unclassified software
Detection Type:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" EventSourceName="WinDefend" />
<EventID Qualifiers="0">3004</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-05-04T07:45:34.000Z" />
<EventRecordID>6230</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>PDB-Vista</Computer>
<Security />
</System>
<EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">1.1.1505.0</Data>
<Data Name="Scan ID">{F6AF4BAC-A45F-4878-BC8B-65F2394C4B80}</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Domain">PDB-Vista</Data>
<Data Name="User">Paul</Data>
<Data Name="SID">S-1-5-21-3456077275-272129072-1536745108-1000</Data>
<Data Name="Threat Name">Unknown</Data>
<Data Name="Threat Id">
</Data>
<Data Name="Threat Severity">
</Data>
<Data Name="Threat Category">
</Data>
<Data Name="FWLink">%%832</Data>
<Data Name="Path Found">regkey:HKCU@S-1-5-21-3456077275-272129072-1536745108-1000\Software\Microsoft\Windows\CurrentVersion\Run\\igndlm.exe;runkey:HKCU@S-1-5-21-3456077275-272129072-1536745108-1000\Software\Microsoft\Windows\CurrentVersion\Run\\igndlm.exe;file:C:\Program Files\Download Manager\DLM.exe</Data>
<Data Name="Threat Classification Index">0</Data>
<Data Name="Threat Classification">%%807</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Detection Type Index">
</Data>
<Data Name="Detection Type">
</Data>
</EventData>
</Event>



Log Name: System
Source: Service Control Manager
Date: 5/4/2007 6:36:50 PM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PDB-Vista
Description:
The McAfee McShield service failed to start due to the following error:
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-05-04T22:36:50.000Z" />
<EventRecordID>6300</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>PDB-Vista</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">McAfee McShield</Data>
<Data Name="param2">%%5</Data>
</EventData>
</Event>


Log Name: System
Source: Service Control Manager
Date: 5/4/2007 6:36:50 PM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PDB-Vista
Description:
The McAfee Framework Service service failed to start due to the following error:
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-05-04T22:36:50.000Z" />
<EventRecordID>6298</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>PDB-Vista</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">McAfee Framework Service</Data>
<Data Name="param2">%%5</Data>
</EventData>
</Event>
____________________________________________________________________

4. Download, install, and update AVG Anti-Spyware 7.5
Answer: I don't think this is compatible with Vista. I downloaded it, and it stops responding each time I attempt to launch the application. I tried uninstalling and reinstalling and got the same outcome. See error below.
Faulting application avgas.exe, version 7.5.0.50, time stamp 0x45279b6c, faulting module SHUNIMPL.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000142, fault offset 0x00008fc7, process id 0x127c, application start time 0x01c794dc62247970.
Log Name: Application
Source: Application Error
Date: 5/12/2007 12:48:29 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: PDB-Vista
Description:
Faulting application avgas.exe, version 7.5.0.50, time stamp 0x45279b6c, faulting module SHUNIMPL.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000142, fault offset 0x00008fc7, process id 0xb88, application start time 0x01c794b54ddf4610.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-05-12T16:48:29.000Z" />
<EventRecordID>4014</EventRecordID>
<Channel>Application</Channel>
<Computer>PDB-Vista</Computer>
<Security />
</System>
<EventData>
<Data>avgas.exe</Data>
<Data>7.5.0.50</Data>
<Data>45279b6c</Data>
<Data>SHUNIMPL.dll</Data>
<Data>6.0.6000.16386</Data>
<Data>4549bdc9</Data>
<Data>c0000142</Data>
<Data>00008fc7</Data>
<Data>b88</Data>
<Data>01c794b54ddf4610</Data>
</EventData>
</Event>

5.8. Download Combofix to your desktop.
Answer: The link you sent me to this application was bad. I got this error when attempting to go to the URL associated with the hyperlink:
http://download.bleepingcomputer.com/sUBs/combofix.exe

404 Not Found
The requested URL '/sUBs/combofix.exe' was not found on this server.

thttpd

I was able to find the same app and download it from the url below but got a message indicating the application wasn't compatible with Vista. Combofix only works with Win2000 and XP.
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Here's a new log per your last request. Any advice for the problems with your directions from above?
From the event log above, isn't dlm.exe either Trojan Lamedon-D or Dialer33? Not sure why McAfee isn't picking it up. I have the latest DATs. Thanks for looking at this.


Logfile of HijackThis v1.99.1
Scan saved at 6:49:09 PM, on 5/12/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Hijackthis 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BounceBack Setup] "C:\Program Files\CMS Peripherals\BounceBack Express\AppLaunch.exe" /Launchit
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: LMIinit - C:\Windows\SYSTEM32\LMIinit.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

#7 skinsfan732

  • Topic Starter

Posted 12 May 2007 - 06:33 PM

Sorry forgot to respond to the last question. Here you go.

9. Double-click on My Computer and locate the file C:\Windows\system32\ActiveToolBand.dll. Right-click on it and choose "Properties". In General you will find the file size. Then click on the "Version" tab and let me know which Company name is listed.

The company name is: HiTRUST V 3.0.0.2

Thanks
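The file check in step 9 (size and version-resource company name) can be scripted, which also makes it easy to repeat for the other DLLs in a HijackThis log. The function below is an added example and is not part of this thread, of HijackThis or of DSS; it assumes Windows PowerShell (the VersionInfo property on FileInfo and the Get-AuthenticodeSignature cmdlet), and the function name Get-DllProvenance is hypothetical. Besides the two facts step 9 asks for, it reports the Authenticode signature status, which is the same "Not Verified" information the DSS driver list shows.

```powershell
# Added example (not from the thread): gather provenance facts about a DLL.
# Returns one object per path with size, version-resource company name,
# file version and Authenticode signature status, or marks the file missing.
function Get-DllProvenance {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A Run/BHO entry pointing at a file that no longer exists is
            # worth noting on its own (HijackThis prints "(file missing)").
            [pscustomobject]@{
                Path      = $p
                Exists    = $false
                SizeBytes = $null
                Company   = $null
                Version   = $null
                Signature = 'FileMissing'
                Signer    = $null
            }
            continue
        }

        $item = Get-Item -LiteralPath $p
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ...;
        # an unsigned or tampered DLL loaded into the browser deserves a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $p
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            Path      = $item.FullName
            Exists    = $true
            SizeBytes = $item.Length                      # "General" tab file size
            Company   = $item.VersionInfo.CompanyName     # "Version" tab company name
            Version   = $item.VersionInfo.FileVersion
            Signature = $sig.Status.ToString()
            Signer    = $signer
        }
    }
}

# Usage: the BHO DLL named in step 9 of the thread.
Get-DllProvenance -Path 'C:\Windows\system32\ActiveToolBand.dll' | Format-List
```

Because the function accepts an array of paths, the same call can be pointed at every DLL listed in the O2 (BHO), O3 (toolbar) and O20 (Winlogon Notify) lines of a log, and the output compared against what the vendor's signature and company name are expected to be.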

#8 Falu

  • Security Colleague

Posted 13 May 2007 - 11:47 AM

Hi skinsfan732, :thumbsup:

It's clear I still have to get used to Vista, sorry.

From the event log above, isn't dlm.exe either Trojan Lamedon-D or Dialer33? Not sure why McAfee isn't picking it up. I have the latest dats. Thanks for looking at this.


I think it belongs to IGN Entertainment Download Manager and is legitimate.

1. Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

2. Download Deckard's System Scanner and save it to your Desktop.

  • Double-click dss.exe and follow the prompts.
  • When finished, it will produce a log for you.
  • Post the contents of that log in your next reply.
  • Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
  • Open the main.txt log in Notepad.
  • Also copy and paste its contents in a reply.

Please post the DrWeb.csv together with the DSS report and a fresh HijackThis log.

#9 skinsfan732

  • Topic Starter

Posted 14 May 2007 - 03:21 AM

1. After following the directions in step 1, DrWeb gave me the option to save a log. The scan results found nothing. File-->Save report list was disabled.
2. Here are my DSS reports, both main.txt and extra.txt.
3. Below that is my new HijackThis log per your request.

Thanks again.



Deckard's System Scanner v20070426.43
Run by Paul on 2007-05-14 at 03:48:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Paul.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:49:19 AM, on 5/14/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Windows\System32\SysMonitor.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Users\Paul\Desktop\dss.exe
C:\HIJACK~1.99\Paul.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BounceBack Setup] "C:\Program Files\CMS Peripherals\BounceBack Express\AppLaunch.exe" /Launchit
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll (file missing)
O20 - Winlogon Notify: LMIinit - C:\Windows\SYSTEM32\LMIinit.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)


-- HijackThis Fixed Entries (C:\HIJACK~1.99\backups\) --------------------------

backup-20070429-221440-768 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PSDFilter - c:\windows\system32\drivers\psdfilter.sys <Not Verified; HiTRUST; >
R0 PSDNServ (PSDNSERVER) - c:\windows\system32\drivers\psdnserv.sys <Not Verified; HiTRUST; >
R0 psdvdisk - c:\windows\system32\drivers\psdvdisk.sys <Not Verified; HiTRUST; >
R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcerMemUsageCheckService (ePerformance Service) - c:\acer\empowering technology\eperformance\memcheck.exe <Not Verified; ; MemCheck.Service>
R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-05-14 03:45:00 420 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{26C7D4E9-E5F7-4EA5-84B5-6687EA583F34}.job


-- Files created between 2007-04-14 and 2007-05-14 -----------------------------

2007-05-14 03:41:42 0 dr------- C:\Users\Thomas\Searches
2007-05-14 03:41:28 0 dr------- C:\Users\Thomas\Contacts
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\Templates
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\Start Menu
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\SendTo
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\Recent
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\PrintHood
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\NetHood
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\My Documents
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\Local Settings
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\Cookies
2007-05-14 03:41:21 0 d--hs---- C:\Users\Thomas\Application Data
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Videos
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Saved Games
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Pictures
2007-05-14 03:41:19 524288 --ahs---- C:\Users\Thomas\NTUSER.DAT
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Music
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Links
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Favorites
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Downloads <DOWNLO~1>
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Documents
2007-05-14 03:41:19 0 dr------- C:\Users\Thomas\Desktop
2007-05-14 03:41:19 0 d--h----- C:\Users\Thomas\AppData
2007-05-14 03:05:33 0 dr------- C:\Users\GOD\Searches
2007-05-14 03:05:20 0 dr------- C:\Users\GOD\Contacts
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\Templates
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\Start Menu
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\SendTo
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\Recent
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\PrintHood
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\NetHood
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\My Documents
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\Local Settings
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\Cookies
2007-05-14 03:04:12 0 d--hs---- C:\Users\GOD\Application Data
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Videos
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Saved Games
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Pictures
2007-05-14 03:04:10 786432 --ahs---- C:\Users\GOD\NTUSER.DAT
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Music
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Links
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Favorites
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Downloads <DOWNLO~1>
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Documents
2007-05-14 03:04:10 0 dr------- C:\Users\GOD\Desktop
2007-05-14 03:04:10 0 d--h----- C:\Users\GOD\AppData
2007-05-13 22:09:07 0 d-------- C:\Users\Paul\DoctorWeb
2007-05-12 17:19:49 0 d-------- C:\Users\Paul\ComboFixT
2007-05-09 00:26:39 0 d-------- C:\Alien Arena 2007
2007-05-08 20:48:51 0 d-------- C:\Program Files\Webzen
2007-05-08 18:16:19 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 01:00:32 0 d-------- C:\Program Files\CCleaner
2007-05-06 22:57:10 0 d-------- C:\Program Files\Microsoft Silverlight
2007-05-05 00:30:40 36864 -----n--- C:\Windows\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2007-05-04 18:46:26 0 d-------- C:\Program Files\Stardock
2007-05-04 18:39:34 0 d-------- C:\Program Files\LogMeIn
2007-05-04 03:17:03 0 d-------- C:\Program Files\Scorpio Software
2007-05-04 03:17:03 0 d-------- C:\Program Files\Common Files\scosoft.com
2007-05-04 00:46:55 0 d-------- C:\Program Files\Bazooka Scanner
2007-05-02 20:11:38 7102496 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2007-05-02 20:07:28 11264 --a------ C:\Windows\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-05-02 20:06:53 0 d-------- C:\Windows\system32\ZoneLabs
2007-05-02 20:06:52 0 d-------- C:\Users\All Users\CheckPoint
2007-05-02 14:04:23 524288 --a------ C:\Windows\system32\DivXsm.exe <Not Verified; DivX Inc.; DivX Inc. divxsm>
2007-05-02 14:04:19 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-05-02 14:04:06 1044480 --a------ C:\Windows\system32\libdivx.dll <Not Verified; The OpenSSL Project, http://www.openssl.org/; The OpenSSL Toolkit>
2007-05-02 14:04:05 200704 --a------ C:\Windows\system32\ssldivx.dll <Not Verified; The OpenSSL Project, http://www.openssl.org/; The OpenSSL Toolkit>
2007-05-02 14:02:06 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-05-02 14:02:06 73728 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-05-02 14:02:04 53248 --a------ C:\Windows\system32\dpuGUI10.dll <Not Verified; DivXNetworks; DivXNetworks dpuGUI10>
2007-05-02 14:02:02 57344 --a------ C:\Windows\system32\dpv11.dll <Not Verified; DivXNetworks; DivXNetworks dpv11>
2007-05-02 14:02:02 344064 --a------ C:\Windows\system32\dpus11.dll <Not Verified; DivXNetworks; DivXNetworks dpus11>
2007-05-02 14:02:02 593920 --a------ C:\Windows\system32\dpuGUI11.dll <Not Verified; DivXNetworks; DivXNetworks dpuGUI11>
2007-05-02 14:02:02 294912 --a------ C:\Windows\system32\dpu11.dll <Not Verified; DivXNetworks; DivXNetworks dpu11>
2007-05-02 14:02:02 294912 --a------ C:\Windows\system32\dpu10.dll <Not Verified; DivXNetworks; DivXNetworks dpu11>
2007-05-02 14:01:56 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-05-02 14:01:56 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-02 14:01:56 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-02 14:01:56 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-01 22:33:57 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2007-05-01 19:41:57 0 d-------- C:\!backup
2007-05-01 02:24:23 0 d-------- C:\Windows\Internet Logs
2007-04-29 22:55:11 0 d-------- C:\Users\All Users\BitDefender
2007-04-29 22:20:24 0 d-------- C:\Users\Paul\.housecall6.6
2007-04-29 14:04:05 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-04-29 13:32:01 0 d-------- C:\Hijackthis 1.99
2007-04-29 13:19:51 0 d-------- C:\Users\All Users\Adobe
2007-04-29 13:19:40 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-29 05:02:13 667914 --a------ C:\Windows\unins001.exe <Not Verified; ; Inno Setup>
2007-04-29 05:02:13 1326 --a------ C:\Windows\unins001.dat
2007-04-28 18:08:34 4682 --a------ C:\Windows\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-04-27 20:49:18 0 d-------- C:\Program Files\Wolfenstein - Enemy Territory
2007-04-27 20:47:37 17871 --a------ C:\Windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2007-04-27 20:47:37 167936 --a------ C:\Windows\system32\SpoonUninstall.exe
2007-04-27 20:47:23 0 d-------- C:\Program Files\Illustrate
2007-04-27 07:28:08 0 d-------- C:\Program Files\Softnyx
2007-04-26 20:51:50 0 d-------- C:\Program Files\Mario Forever
2007-04-26 01:00:04 0 d-------- C:\Program Files\WarRock
2007-04-25 19:33:03 0 d-------- C:\Users\All Users\DVD Shrink
2007-04-25 19:33:01 0 d-------- C:\Program Files\DVD Shrink
2007-04-22 20:20:05 0 d-------- C:\Windows\Sun
2007-04-19 01:38:49 41984 -----n--- C:\Windows\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-04-19 01:37:36 0 d-------- C:\Users\All Users\Creative
2007-04-19 01:36:08 0 d-------- C:\Program Files\Creative
2007-04-19 01:09:38 0 d-------- C:\Users\Paul\Incomplete <INCOMP~1>
2007-04-19 01:09:14 0 d-------- C:\Program Files\LimeWire
2007-04-19 01:08:23 0 d-------- C:\Users\Paul\.limewire
2007-04-18 01:24:20 0 d-------- C:\Windows\pss
2007-04-18 01:16:18 0 d-------- C:\Program Files\CMS Peripherals
2007-04-18 00:49:18 657 --a------ C:\Windows\unins000.dat
2007-04-18 00:03:19 0 d-------- C:\Program Files\LastChaosUSA
2007-04-17 23:16:56 0 d-------- C:\Program Files\THQ
2007-04-17 23:11:01 1933312 --a------ C:\Windows\system32\cdintf250.dll <Not Verified; Amyuni Technologies
2007-04-17 23:10:33 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2007-04-17 23:10:11 0 d-------- C:\Program Files\Common Files\Intuit
2007-04-17 23:10:06 0 d-------- C:\Program Files\Quicken
2007-04-17 23:09:56 0 d-------- C:\Users\All Users\Intuit
2007-04-17 23:08:15 0 d-------- C:\Program Files\Trillian
2007-04-17 23:07:52 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-04-17 23:06:34 0 d-------- C:\OpenOffice.org 2.2 Installation Files
2007-04-17 23:00:03 0 d-------- C:\Program Files\Common Files\xing shared
2007-04-17 22:59:35 0 d-------- C:\Program Files\iPod
2007-04-17 22:59:33 0 d-------- C:\Program Files\iTunes
2007-04-17 22:59:24 0 d-------- C:\Program Files\Common Files\Real
2007-04-17 22:59:23 0 d-------- C:\Program Files\Real
2007-04-17 22:58:12 0 d-------- C:\Program Files\QuickTime
2007-04-17 22:57:33 0 d-------- C:\Users\All Users\Apple Computer
2007-04-17 22:52:31 0 d-------- C:\Program Files\Java
2007-04-17 22:52:30 0 d-------- C:\Program Files\Common Files\Java
2007-04-17 20:52:29 0 d-------- C:\Windows\system32\Resource
2007-04-17 20:52:24 0 d-------- C:\Program Files\Citrix
2007-04-17 20:37:42 0 d-------- C:\Program Files\DivX
2007-04-17 20:27:12 0 d-------- C:\Program Files\Lavasoft
2007-04-17 20:26:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-17 20:23:37 0 d-------- C:\Program Files\Download Manager
2007-04-17 19:09:43 0 d-------- C:\Program Files\ATI Technologies
2007-04-17 19:09:42 0 d-------- C:\Program Files\ATI
2007-04-17 06:03:42 0 d-------- C:\Windows\SoftwareDistribution
2007-04-17 03:17:44 1495552 --a------ C:\Windows\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-04-17 03:17:44 0 d-------- C:\Users\All Users\McAfee
2007-04-17 03:17:44 0 d-------- C:\Program Files\Common Files\Cisco Systems
2007-04-17 03:16:47 0 d-------- C:\Program Files\McAfee
2007-04-17 03:16:47 0 d-------- C:\Program Files\Common Files\McAfee
2007-04-17 03:16:05 0 d-------- C:\ATI
2007-04-17 02:22:05 0 d-------- C:\Windows\system32\Macromed
2007-04-17 02:22:03 0 d-------- C:\Users\All Users\InstallShield
2007-04-17 02:21:59 0 d-------- C:\Windows\Acer_Wide
2007-04-17 02:21:59 187392 --a------ C:\Windows\Acer(Wide).scr
2007-04-17 02:21:59 187392 --a------ C:\Windows\Acer(Normal).scr
2007-04-17 02:21:59 0 d-------- C:\Program Files\Acer Inc
2007-04-17 02:21:58 0 d-------- C:\Windows\Acer_Normal
2007-04-17 02:21:08 0 d-------- C:\Program Files\MSXML 4.0
2007-04-17 02:20:54 327680 --a------ C:\Windows\system32\Remove_eRecovery.exe <Not Verified; Acer Inc.; >
2007-04-17 02:20:54 16384 --a------ C:\Windows\system32\LauncheRyAgentUser.exe <Not Verified; ; LauncheRyAgentUser>
2007-04-17 02:20:54 1402880 --a------ C:\Windows\system32\ERUpdateHidden.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-17 02:20:54 16384 --a------ C:\Windows\system32\ClearEvent.exe
2007-04-17 02:20:54 360448 --a------ C:\Windows\system32\CheckD2DSystem.exe <Not Verified; Acer Inc.; CheckD2DSystem.exe>
2007-04-17 02:19:50 0 d-------- C:\Windows\system32\i386
2007-04-17 02:19:04 0 d--hs---- C:\$RECYCLE.BIN
2007-04-17 02:19:00 0 dr------- C:\Users\Paul\Searches
2007-04-17 02:18:47 0 dr------- C:\Users\Paul\Contacts
2007-04-17 02:18:40 0 d-------- C:\Program Files\Yahoo!
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\Templates
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\Start Menu
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\SendTo
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\Recent
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\PrintHood
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\NetHood
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\My Documents
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\Local Settings
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\Cookies
2007-04-17 02:18:36 0 d--hs---- C:\Users\Paul\Application Data
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Videos
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Saved Games
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Pictures
2007-04-17 02:18:35 2359296 --ahs---- C:\Users\Paul\ntuser.dat
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Music
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Links
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Favorites
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Downloads <DOWNLO~1>
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Documents
2007-04-17 02:18:35 0 dr------- C:\Users\Paul\Desktop
2007-04-17 02:18:35 0 d--h----- C:\Users\Paul\AppData


-- Find3M Report ---------------------------------------------------------------

2007-05-14 03:47:25 0 d-------- C:\Users\Paul\AppData\Roaming\OpenOffice.org2
2007-05-09 00:26:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-08 18:16:57 0 d-------- C:\Program Files\Windows Mail
2007-05-07 02:20:37 0 d-------- C:\Users\Paul\AppData\Roaming\McAfee
2007-05-07 00:27:22 0 d-------- C:\Program Files\Windows Sidebar
2007-05-06 23:11:11 0 d-------- C:\Users\Paul\AppData\Roaming\Windows Sidebar Styler
2007-04-29 22:55:59 0 d-------- C:\Users\Paul\AppData\Roaming\Bitdefender
2007-04-29 14:09:04 0 d-------- C:\Users\Paul\AppData\Roaming\Adobe
2007-04-27 20:50:24 0 d-------- C:\Program Files\Microsoft Games
2007-04-26 00:57:34 0 d-------- C:\Users\Paul\AppData\Roaming\InstallShield
2007-04-19 02:38:52 0 d-------- C:\Users\Paul\AppData\Roaming\Creative
2007-04-18 23:29:40 0 d-------- C:\Users\Paul\AppData\Roaming\DivX
2007-04-18 00:49:18 72748 --a------ C:\Windows\unins000.exe <Not Verified; Jordan Russell; >
2007-04-17 23:10:44 0 d-------- C:\Users\Paul\AppData\Roaming\Intuit
2007-04-17 23:01:38 0 d-------- C:\Users\Paul\AppData\Roaming\Apple Computer
2007-04-17 23:01:33 0 d-------- C:\Users\Paul\AppData\Roaming\Real
2007-04-17 21:53:38 0 d-------- C:\Users\Paul\AppData\Roaming\IGN_DLM
2007-04-17 20:58:53 0 d-------- C:\Users\Paul\AppData\Roaming\Macromedia
2007-04-17 20:54:36 0 d-------- C:\Users\Paul\AppData\Roaming\AdobeUM
2007-04-17 20:30:08 0 d-------- C:\Users\Paul\AppData\Roaming\Lavasoft
2007-04-17 19:29:30 0 dr-h----- C:\Users\Paul\AppData\Roaming\SecuROM
2007-04-17 19:02:10 0 d-------- C:\Users\Paul\AppData\Roaming\ATI
2007-04-17 02:41:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-17 02:22:52 0 d-------- C:\Program Files\Windows Defender
2007-04-17 02:21:58 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-17 02:18:51 0 d-------- C:\Users\Paul\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} C:\Windows\system32\ActiveToolBand.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,\
"RtHDVCpl"="RtHDVCpl.exe"
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe"
"BounceBack Setup"="\"C:\\Program Files\\CMS Peripherals\\BounceBack Express\\AppLaunch.exe\" /Launchit"
"Acer Empowering Technology Monitor"="C:\\Windows\\system32\\SysMonitor.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"?????????"=hex(428308):
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"igndlm.exe"="C:\\Program Files\\Download Manager\\DLM.exe /windowsstart /startifwork"
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=dword:00000002
"DontDisplayLogonHoursWarnings"=dword:00000001

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NVSTOR32


-- End of Deckard's System Scanner: finished at 2007-05-14 at 03:50:10 ---------


Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 2046.94 MiB / 1427.68 MiB
Pagefile Memory (total/avail): 4308.17 MiB / 3556.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.75 MiB

C: is Fixed (NTFS) - 145.63 GiB total, 58.77 GiB free.
D: is Fixed (NTFS) - 145.63 GiB total, 145.54 GiB free.
E: is CDROM (UDF)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Security Suite Firewall v7.1.044.000 (Check Point, LTD.)
AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)
AV: ZoneAlarm Security Suite Antivirus v7.1.044.000 (Check Point, LTD.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Paul\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PDB-VISTA
ComSpec=C:\Windows\system32\cmd.exe
DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Paul
LOCALAPPDATA=C:\Users\Paul\AppData\Local
LOGONSERVER=\\PDB-VISTA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\PROGRA~1\ZONELA~1\ZONEAL~1\tools
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Paul\AppData\Local\Temp
TMP=C:\Users\Paul\AppData\Local\Temp
tvdebugcategories=all
tvdumpflags=8
tvloglimit=100
USERDOMAIN=PDB-Vista
USERNAME=Paul
USERPROFILE=C:\Users\Paul
VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Paul
Thomas (new local, net ready)
GOD (new local, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80FFF4BA-C102-4102-A4B1-935D9573278B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80FFF4BA-C102-4102-A4B1-935D9573278B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9
Acer eDataSecurity Management --> C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer ePerformance Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D462BF9E-0C35-4705-BF9B-3DF9F3816643}\setup.exe" -l0x9 -removeonly
Acer Picture Slide DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41581EF5-45A7-11DA-9D78-000129760D75}\Setup.exe" -uninstall
Acer Plug and Record --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6EFFB76-4A07-11DA-9D78-000129760D75}\Setup.exe" -uninstall
Acer ScreenSaver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9 -removeonly
Acer Zone MagicDirector --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\Setup.exe" -uninstall
Acer Zone Main Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\Setup.exe" -uninstall
Acer Zone MakeDisk --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\Setup.exe" -uninstall
Acer Zone SoftDMA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\Setup.exe" -uninstall
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Alien Arena 2007 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CAE3C5F4-7951-4D21-8E8B-ACB795706E6E}\setup.exe" -l0x9
Bazooka Scanner --> "C:\Program Files\Bazooka Scanner\Uninstall.exe" "C:\Program Files\Bazooka Scanner\install.log"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9D879B-0F98-4059-85A5-D05718A1D6F7}\SETUP.EXE" -l0x9 /remove
dBpowerAMP Music Converter --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Manager 2.3.6 --> C:\Program Files\Download Manager\uninst.exe
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Easy Image Relay v1.1 --> "C:\Windows\unins001.exe"
Global MU Online --> C:\Program Files\InstallShield Installation Information\{4F763B06-A014-481B-951A-11AFCD667010}\setup.exe -runfromtemp -l0x0009 -removeonly
HijackThis 1.99.1 --> C:\Hijackthis 1.99\HijackThis.exe /uninstall
Icon Restore 1.0 --> C:\Windows\unins000.exe
iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LastChaos --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0AF3FEAE-B651-4421-97EF-4808A588B4E5}\Setup.exe" -l0x9
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}
Mario Forever 4.0 --> C:\Program Files\Mario Forever\uninst.exe
McAfee VirusScan Enterprise --> MsiExec.exe /X{35C03C04-3F1F-42C2-A989-A757EE691F65}
MetaFrame Presentation Server Web Client for Win32 --> C:\Windows\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft Halo Trial --> "C:\Program Files\Microsoft Games\Halo Trial\UNINSTAL.EXE" /runtemp /addremove
Microsoft Outlook Web Access S/MIME --> MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Silverlight --> MsiExec.exe /I{0F545F0A-8127-48B1-9906-45659872EC2E}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NTI Backup NOW! 4.7 --> "C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
OpenOffice.org 2.2 --> MsiExec.exe /I{A1C8D94A-4303-4489-B585-4B6E6CD408CB}
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Rakion International --> "C:\Program Files\Softnyx\Rakion\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Remove Startup Programs Buddy 2.2 --> "C:\Program Files\Scorpio Software\Remove Startup Programs Buddy\unins000.exe"
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0001] --> "C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
WarRock --> C:\Program Files\InstallShield Installation Information\{00D15456-F679-4AD4-8BD2-56450D4C3F72}\setup.exe -runfromtemp -l0x0009 -removeonly
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wolfenstein - Enemy Territory --> C:\PROGRA~1\WOLFEN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\WOLFEN~1\Uninstall\Install.log
ZENcast Organizer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-05-14 at 03:50:10 ---------


Logfile of HijackThis v1.99.1
Scan saved at 4:09:10 AM, on 5/14/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Windows\System32\SysMonitor.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Hijackthis 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer

#10 skinsfan732

skinsfan732
  • Topic Starter

  • Members
  • 22 posts

Posted 14 May 2007 - 03:27 AM

Sorry it's late. Found a typo:

1- After following the directions in step 1, DrWeb (DIDN'T) give me the option to save a log. The scan results found nothing. File-->save report list was disabled.

What I meant was, DrWeb found no issues so it wouldn't allow me to save a report list. The menu item was disabled since there was nothing to save. Sorry for not proofreading my post, but it's early and I haven't had my coffee yet. :thumbsup:

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 May 2007 - 03:45 AM

Hi skinsfan732, :flowers:

Could you please post a fresh HijackThis log?!

P.S. I still don't know the number of characters allowed for one post, but in general, if the info for one post is too big, add an extra post.

:thumbsup:

#12 skinsfan732

skinsfan732
  • Topic Starter

  • Members
  • 22 posts

Posted 16 May 2007 - 06:00 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:53:02 PM, on 5/16/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Hijackthis 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BounceBack Setup] "C:\Program Files\CMS Peripherals\BounceBack Express\AppLaunch.exe" /Launchit
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll (file missing)
O20 - Winlogon Notify: LMIinit - C:\Windows\SYSTEM32\LMIinit.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

#13 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 May 2007 - 04:02 AM

Hi skinsfan732,

1. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

You may re-enable it again when your computer is clean; I will let you know!

2. In the attachment you see a zipped file. Unzip it to your desktop: right-click it and choose Extract all. Now click the unzipped file: fix.

3. Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

Please post the SUPERAntiSpyware Scan Log together with a fresh HijackThis log.

P.S. The logs may be very big, so use two posts if necessary.

Attached File: fix.reg (775 bytes, 12 downloads)
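Step 2 asks the user to merge an attached fix.reg. Before merging a registry script someone else wrote, it is worth checking that it is well-formed and seeing which keys it will write or delete, because regedit refuses a file with stray text in it ("not a registry script"). The following checker is an added example, not Falu's fix or anything from the thread; the script it lints is a constructed stand-in for such a fix, not the real attachment.

```python
"""Lint a Windows .reg script before merging it.

Added example, not part of the forum thread.  SAMPLE_FIX_REG below is a
constructed stand-in for a helper's fix.reg; it is not the real attachment.
"""
import re
from typing import Dict, List, Tuple

# regedit accepts either of these as the first line of a .reg script.
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# [HKEY_...\path] creates/updates a key, [-HKEY_...\path] deletes it.
SECTION_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
# "name"=data, @=data (default value) or "name"=- (delete the value).
VALUE_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"|@)=(.*)$')

# Constructed sample: a fix with one line of explanatory text left in it,
# which is exactly what makes regedit reject the whole file.
SAMPLE_FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleStartup"=-

[-HKEY_CURRENT_USER\Software\ExampleAdware]
Remove the leftover key above and reboot.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def lint_reg(text: str) -> Dict[str, list]:
    """Check a .reg script (already decoded to str; real files are often
    UTF-16LE).  Returns the stray lines regedit would choke on and the list
    of keys the script would write or delete."""
    errors: List[Tuple[int, str]] = []
    keys: List[Tuple[str, str]] = []
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        errors.append((1, "missing registry header line"))
    in_section = False
    continued = False  # previous data line ended with '\' (hex: data wraps)
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if no == 1 and line in HEADERS:
            continue
        if continued:
            continued = line.endswith("\\")
            continue
        if not line or line.startswith(";"):  # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            in_section = True
            keys.append(("delete" if m.group(1) else "write", m.group(2)))
            continue
        if VALUE_RE.match(line):
            if not in_section:
                errors.append((no, "value outside any [key] section"))
            continued = line.endswith("\\")
            continue
        errors.append((no, f"not a registry directive: {line[:40]!r}"))
    return {"errors": errors, "keys": keys}


def comment_out_stray(text: str) -> str:
    """Return the script with every stray-text line prefixed by ';' so regedit
    ignores it (the alternative is simply deleting those lines)."""
    bad = {no for no, msg in lint_reg(text)["errors"]
           if msg.startswith("not a registry directive")}
    fixed = ["; " + raw if no in bad else raw
             for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1)]
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    report = lint_reg(SAMPLE_FIX_REG)
    for no, msg in report["errors"]:
        print(f"line {no}: {msg}")
    for action, key in report["keys"]:
        print(f"{action:6} {key}")
    # After commenting out the stray line the script merges cleanly.
    assert not lint_reg(comment_out_stray(SAMPLE_FIX_REG))["errors"]
```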

#14 skinsfan732

skinsfan732
  • Topic Starter

  • Members
  • 22 posts

Posted 19 May 2007 - 11:32 PM

I was a bit confused about your last post. You said "In the attachment you see a zipped file. Unzip it to your desktop: right-click it and choose Extract all. Now click the unzipped file: fix." There wasn't a zip file attached.

When I look at the post, the only attachment I see is fix.reg, which looks like an unfinished registry file. When I attempt to merge it, I get an error saying the file isn't a registry script. There appears to be text within the entry that either needs to be removed or made a comment by putting a semicolon in front of it. I wasn't sure what you wanted to do, so I didn't fix it and merge it. If you're suggesting deleting those entries from the reg file, can we add the Yahoo search ones left behind from the uninstaller and possibly the gopher prefix?
The spyware app wasn't included in the post's attachment, but I found the app on the web. I got it installed and configured per your instructions. After 12 hours, the app was still scanning my hard drive. I noticed it scanning the same files over and over again. After 12 and 1/2 hours I stopped the scan. You said "Please be patient while it scans your computer." That's an understatement :thumbsup:
It found some adware cookies and Adware.Aurora-Installer. Below is my SUPERAntiSpyware log and a new HijackThis log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/19/2007 at 11:33 PM

Application Version : 3.7.1018

Core Rules Database Version : 3241
Trace Rules Database Version: 1252

Scan type : Complete Scan
Total Scan Time : 12:35:39

Memory items scanned : 663
Memory threats detected : 0
Registry items scanned : 7057
Registry threats detected : 0
File items scanned : 1176885
File threats detected : 458

Adware.Tracking Cookie
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@server.iad.liveperson[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@server.iad.liveperson[3].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@serving-sys[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@sextracker[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@specificclick[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@spylog[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@statcounter[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@statse.webtrendslive[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@superstats[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@tacoda[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@targetnet[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@trafficmp[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@tribalfusion[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@try.screensavers[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@vip2.clickzs[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@www.adultpornmovies[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@www.burstbeacon[2].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@www.burstnet[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@www.googleadservices[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@xiti[1].txt
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@zedo[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@2o7[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ad.iconadserver[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ad.yieldmanager[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ad2.pl.mediainter[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ad2.pl.mediainter[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@adbrite[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@adbrite[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@adinterax[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@adopt.euroclick[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@adopt.specificclick[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@adrevolver[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ads.adbrite[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ads.as4x.tmcs[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ads.cdfreaks[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ads.labpixies[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ads.pointroll[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@advertising[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@anad.tacoda[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@anat.tacoda[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@apmebf[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@atdmt[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@azjmp[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@bs.serving-sys[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@burstnet[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@casalemedia[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@cbs.112.2o7[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@cdn.euroclick[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@clickaider[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@clicksor[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@counter12.sextracker[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@counter8.sextracker[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@doubleclick[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@e-2dj6wflyundzedo.stats.esomniture[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ehg-adaptivemarketing.hitbox[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ehg-dig.hitbox[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ehg-speakeasy.hitbox[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@ehg.hitbox[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@fastclick[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@hitbox[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@i.screensavers[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@imrworldwide[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@itxt.vibrantmedia[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@keywordmax[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@linksynergy[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@media.adrevolver[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@mediaplex[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@msnportal.112.2o7[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@overture[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@partner2profit[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@perf.overture[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@precisionclick[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@questionmarket[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@revsci[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@rotator.adjuggler[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@screensavers[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@server.iad.liveperson[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@server.iad.liveperson[3].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@serving-sys[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@sextracker[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@specificclick[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@spylog[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@statcounter[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@statse.webtrendslive[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@superstats[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@tacoda[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@targetnet[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@trafficmp[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@tribalfusion[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@try.screensavers[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@vip2.clickzs[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@www.adultpornmovies[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@www.burstbeacon[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@www.burstnet[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@www.googleadservices[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@xiti[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\Low\paul@zedo[2].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\paul@ad.yieldmanager[1].txt
C:\Users\Paul\Application Data\Microsoft\Windows\Cookies\paul@divx.adbureau[2].txt
C:\Users\Paul\Cookies\Low\paul@2o7[1].txt
C:\Users\Paul\Cookies\Low\paul@ad.iconadserver[2].txt
C:\Users\Paul\Cookies\Low\paul@ad.yieldmanager[1].txt
C:\Users\Paul\Cookies\Low\paul@ad2.pl.mediainter[1].txt
C:\Users\Paul\Cookies\Low\paul@ad2.pl.mediainter[2].txt
C:\Users\Paul\Cookies\Low\paul@adbrite[1].txt
C:\Users\Paul\Cookies\Low\paul@adbrite[2].txt
C:\Users\Paul\Cookies\Low\paul@adinterax[1].txt
C:\Users\Paul\Cookies\Low\paul@adopt.euroclick[1].txt
C:\Users\Paul\Cookies\Low\paul@adopt.specificclick[1].txt
C:\Users\Paul\Cookies\Low\paul@adrevolver[2].txt
C:\Users\Paul\Cookies\Low\paul@ads.adbrite[2].txt
C:\Users\Paul\Cookies\Low\paul@ads.as4x.tmcs[1].txt
C:\Users\Paul\Cookies\Low\paul@ads.cdfreaks[1].txt
C:\Users\Paul\Cookies\Low\paul@ads.labpixies[2].txt
C:\Users\Paul\Cookies\Low\paul@ads.pointroll[1].txt
C:\Users\Paul\Cookies\Low\paul@advertising[1].txt
C:\Users\Paul\Cookies\Low\paul@anad.tacoda[1].txt
C:\Users\Paul\Cookies\Low\paul@anat.tacoda[1].txt
C:\Users\Paul\Cookies\Low\paul@apmebf[1].txt
C:\Users\Paul\Cookies\Low\paul@atdmt[2].txt
C:\Users\Paul\Cookies\Low\paul@azjmp[2].txt
C:\Users\Paul\Cookies\Low\paul@bs.serving-sys[2].txt
C:\Users\Paul\Cookies\Low\paul@burstnet[1].txt
C:\Users\Paul\Cookies\Low\paul@casalemedia[2].txt
C:\Users\Paul\Cookies\Low\paul@cbs.112.2o7[1].txt
C:\Users\Paul\Cookies\Low\paul@cdn.euroclick[2].txt
C:\Users\Paul\Cookies\Low\paul@clickaider[2].txt
C:\Users\Paul\Cookies\Low\paul@clicksor[1].txt
C:\Users\Paul\Cookies\Low\paul@counter12.sextracker[1].txt
C:\Users\Paul\Cookies\Low\paul@counter8.sextracker[1].txt
C:\Users\Paul\Cookies\Low\paul@doubleclick[1].txt
C:\Users\Paul\Cookies\Low\paul@e-2dj6wflyundzedo.stats.esomniture[2].txt
C:\Users\Paul\Cookies\Low\paul@ehg-adaptivemarketing.hitbox[1].txt
C:\Users\Paul\Cookies\Low\paul@ehg-dig.hitbox[2].txt
C:\Users\Paul\Cookies\Low\paul@ehg-speakeasy.hitbox[1].txt
C:\Users\Paul\Cookies\Low\paul@ehg.hitbox[2].txt
C:\Users\Paul\Cookies\Low\paul@fastclick[2].txt
C:\Users\Paul\Cookies\Low\paul@hitbox[2].txt
C:\Users\Paul\Cookies\Low\paul@i.screensavers[1].txt
C:\Users\Paul\Cookies\Low\paul@imrworldwide[2].txt
C:\Users\Paul\Cookies\Low\paul@itxt.vibrantmedia[1].txt
C:\Users\Paul\Cookies\Low\paul@keywordmax[1].txt
C:\Users\Paul\Cookies\Low\paul@linksynergy[1].txt
C:\Users\Paul\Cookies\Low\paul@media.adrevolver[1].txt
C:\Users\Paul\Cookies\Low\paul@mediaplex[1].txt
C:\Users\Paul\Cookies\Low\paul@msnportal.112.2o7[1].txt
C:\Users\Paul\Cookies\Low\paul@overture[1].txt
C:\Users\Paul\Cookies\Low\paul@partner2profit[1].txt
C:\Users\Paul\Cookies\Low\paul@perf.overture[1].txt
C:\Users\Paul\Cookies\Low\paul@precisionclick[2].txt
C:\Users\Paul\Cookies\Low\paul@questionmarket[2].txt
C:\Users\Paul\Cookies\Low\paul@revsci[2].txt
C:\Users\Paul\Cookies\Low\paul@rotator.adjuggler[2].txt
C:\Users\Paul\Cookies\Low\paul@screensavers[2].txt
C:\Users\Paul\Cookies\Low\paul@server.iad.liveperson[1].txt
C:\Users\Paul\Cookies\Low\paul@server.iad.liveperson[3].txt
C:\Users\Paul\Cookies\Low\paul@serving-sys[2].txt
C:\Users\Paul\Cookies\Low\paul@sextracker[2].txt
C:\Users\Paul\Cookies\Low\paul@specificclick[2].txt
C:\Users\Paul\Cookies\Low\paul@spylog[2].txt
C:\Users\Paul\Cookies\Low\paul@statcounter[1].txt
C:\Users\Paul\Cookies\Low\paul@statse.webtrendslive[2].txt
C:\Users\Paul\Cookies\Low\paul@superstats[1].txt
C:\Users\Paul\Cookies\Low\paul@tacoda[1].txt
C:\Users\Paul\Cookies\Low\paul@targetnet[1].txt
C:\Users\Paul\Cookies\Low\paul@trafficmp[1].txt
C:\Users\Paul\Cookies\Low\paul@tribalfusion[2].txt
C:\Users\Paul\Cookies\Low\paul@try.screensavers[1].txt
C:\Users\Paul\Cookies\Low\paul@vip2.clickzs[1].txt
C:\Users\Paul\Cookies\Low\paul@www.adultpornmovies[1].txt
C:\Users\Paul\Cookies\Low\paul@www.burstbeacon[2].txt
C:\Users\Paul\Cookies\Low\paul@www.burstnet[1].txt
C:\Users\Paul\Cookies\Low\paul@www.googleadservices[1].txt
C:\Users\Paul\Cookies\Low\paul@xiti[1].txt
C:\Users\Paul\Cookies\Low\paul@zedo[2].txt
C:\Users\Paul\Cookies\paul@ad.yieldmanager[1].txt
C:\Users\Paul\Cookies\paul@divx.adbureau[2].txt

Adware.Aurora-Installer
C:\PROGRAM FILES\ACER ZONE\ACER PICTURE SLIDE DVD\COMPONENT\PSDAURORA.DLL
C:\PROGRAM FILES\ACER ZONE\ACER PLUG AND RECORD\COMPONENT\PNRAURORA.DLL

Logfile of HijackThis v1.99.1
Scan saved at 12:16:06 AM, on 5/20/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Hijackthis 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BounceBack Setup] "C:\Program Files\CMS Peripherals\BounceBack Express\AppLaunch.exe" /Launchit
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\Windows\SYSTEM32\LMIinit.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

#15 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:43 PM

Posted 21 May 2007 - 08:09 AM

Hi skinsfan732, :thumbsup:

Really sorry for the confusion. Will do my best to prevent that from happening again.

1. Click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\PROGRAM FILES\ACER ZONE\ACER PICTURE SLIDE DVD\COMPONENT\PSDAURORA.DLL
C:\PROGRAM FILES\ACER ZONE\ACER PLUG AND RECORD\COMPONENT\PNRAURORA.DLL

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

2. We need to disable your Windows Defender Real-time Protection again:

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

3. Run HijackThis, click Scan and checkmark the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [?????????] ??????????????e


can we add the yahoo search ones left behind


You mean these?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com


Checkmark them if you want to get rid of them.

and possibly the gopher prefix?


The Gopher protocol is disabled in IE7, which you're running (it does work in Firefox 2.x, by the way), so you might want to checkmark the O13 entry as well.

O13 - Gopher Prefix:

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

4. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

5. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following file/folder in bold if it exists:

C:\Windows\system32\??????????????e

May also be in C:\Windows

Please let me know how this went.

6. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to Start > Run, type: cleanmgr and click OK.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

Please reboot and post the Jotti report along with a fresh HijackThis log.
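Added example, not part of Falu's instructions or anything posted in this thread: a PowerShell script that lists the HKCU and HKLM Run-key autostarts, flags any entry whose name or command contains non-ASCII characters (the case of the O4 line that HijackThis 1.99.1 can only print as [?????????]), shows the real code points so the entry can be identified, and reports whether its target file still exists. It assumes PowerShell 3.0 or later; the function names are my own.

```powershell
# Added example (not from the thread): report Run-key autostarts, flagging
# names/commands with non-ASCII characters and missing target files.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties PowerShell itself adds to Get-ItemProperty output; not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunCommandPath {
    # Hypothetical helper: pull the executable out of a Run value's command line.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }   # "C:\Program Files\x\y.exe" /flag
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }  # C:\path\y.exe -flag  or  RtHDVCpl.exe
    return $Command.Trim()                                        # no .exe suffix: take it whole
}

function Resolve-RunTarget {
    # Hypothetical helper: expand %vars% and, for bare file names, look in the
    # same places the loader would (System32, then the Windows directory).
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (Test-Path -LiteralPath $expanded) { return (Resolve-Path -LiteralPath $expanded).Path }
    foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $expanded
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Get-RunAutostart {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $name     = $p.Name
            $command  = [string]$p.Value
            $nonAscii = ($name + $command) -match '[^\x00-\x7F]'
            $target   = Resolve-RunTarget (Get-RunCommandPath $command)
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                # UTF-16 code points of the name: CJK characters fall in U+4E00..U+9FFF,
                # which is what an entry shown as "?????????" by HijackThis will contain.
                NameHex  = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
                Command  = $command
                NonAscii = $nonAscii
                OnDisk   = [bool]$target
                Target   = $target
            }
        }
    }
}

# Entries worth a second look first: non-ASCII names, then anything whose file is gone.
Get-RunAutostart | Sort-Object -Property @{Expression = 'NonAscii'; Descending = $true}, OnDisk |
    Format-Table Key, Name, NameHex, NonAscii, OnDisk, Target -AutoSize
```

The script only reads the registry and the file system; it changes nothing, so the listed entries can be compared against the HijackThis O4 lines before any are fixed.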



