help on hijackthis log


  • This topic is locked
21 replies to this topic

#1 stupadso

stupadso

    Member

  • Full Member
  • 11 posts

Posted 23 March 2006 - 04:09 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:41:48 PM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\devldr32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mike smith\Desktop\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fddiafkls...9QHEityHl/5.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\mike\internet stuff\acrobat reader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\mike\downloaded utilities\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PP7600usb] C:\paprport\FBDirect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BURN LITE POP LICENSE] C:\Documents and Settings\All Users.WINDOWS\Application Data\ChicGreyBurnLite\Thatwave.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SectDrive] C:\DOCUME~1\MIKESM~1\APPLIC~1\DRAWBE~1\Deletepluscool.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: ChargersDirect.lnk = C:\Program Files\ThePort\XML Player\XMLplayer.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...e/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120511295545
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143147219921
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.premierei...eoViewer3_0.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bWlrZSBzbWl0aA\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 JG427

JG427

    Forum Deity

  • Retired Staff
  • 1,020 posts

Posted 27 March 2006 - 06:25 PM

Hi, stupadso.

You have a lop infection and some other problems in your log.
Run the following tool to show all lop files, then continue with the rest of the fix before posting the findlop.txt.


You have a lop infection, which is sometimes caused by installing Messenger Plus! 3.
If you have that program installed, go to add/remove programs and click on it.
You should get the option to uninstall the "sponsor program" which is C2Media's Lop.
If you don't have Messenger Plus! 3 installed, we will manually remove lop.


Click here to download fl.zip to check for any lop files.
Unzip then double click fl.bat to run it.
Copy the contents of findlop.txt that will open, then post it here in your next reply.


You have Microsoft AntiSpyware running. While it's a good program, it may block the changes made with hijackthis.
Please right click the Microsoft AntiSpyware icon in the system tray and choose shutdown.

Scan with hijackthis and checkmark these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fddiafkls...9QHEityHl/5.cgi
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bWlrZSBzbWl0aA\command.exe (file missing)
Close all browsers and open windows, except hijackthis, and click fix checked.

Delete the following files or folders marked in bold:
C:\windows\enewsletterpro.exe
C:\windows\banmanpro.exe
C:\Program Files\Common Files\VCClient\<-- delete the folder

Next, click the start button on the taskbar, then click Run...
In the Run... box that opens, type in the following line, then click OK:
sc delete Command Service

Restart your system.
Scan with hijackthis and post a fresh log.
Also post the contents of findlop.txt.

#3 stupadso

stupadso

    Member

  • Full Member
  • 11 posts

Posted 27 March 2006 - 09:40 PM

Thanks for the help. I do not have Messenger Plus! 3 installed; I uninstalled it when I realized I had a problem, which was right after I installed it. Here is the findlop.txt that you asked for, which I did before the rest of the fixes.


Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\All Users\Application Data

01/16/2002 09:56 AM 4 DirectCDUserName.txt
01/09/2002 11:03 PM <DIR> QuickTime
12/05/2001 08:09 PM <DIR> SBSI
12/05/2001 08:17 PM <DIR> Sierra Imaging
12/05/2001 08:17 PM <DIR> Symantec
1 File(s) 4 bytes
4 Dir(s) 16,197,857,280 bytes free
Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\Michael\Application Data

12/05/2001 08:11 PM <DIR> Identities
12/05/2001 08:16 PM <DIR> Symantec
0 File(s) 0 bytes
2 Dir(s) 16,197,853,184 bytes free
Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\Mike\Application Data

12/11/2001 10:29 PM <DIR> Adobe
12/10/2001 04:03 PM <DIR> Help
12/11/2001 03:02 PM <DIR> Identities
12/11/2001 10:29 PM <DIR> InterTrust
01/10/2002 11:42 AM <DIR> Jasc
01/10/2002 04:59 PM <DIR> PolyView
01/16/2002 11:00 AM <DIR> Real
12/18/2001 03:04 PM 42 sversion.ini
12/05/2001 08:16 PM <DIR> Symantec
12/18/2001 03:07 PM 8,192 user52.rdb
2 File(s) 8,234 bytes
8 Dir(s) 16,197,853,184 bytes free
Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\mike smith\Application Data

03/23/2006 04:33 PM <DIR> 16 Second
11/29/2005 10:22 PM <DIR> acccore
04/21/2002 06:34 PM <DIR> Adobe
01/11/2006 03:57 PM <DIR> Aim
02/25/2002 02:27 PM <DIR> Autodesk
07/08/2005 04:52 PM <DIR> CyberLink
03/23/2006 03:51 PM <DIR> draw beep
05/07/2003 04:29 PM <DIR> Help
04/05/2002 10:54 PM <DIR> Identities
01/16/2002 07:16 PM <DIR> InterTrust
01/16/2002 06:22 PM <DIR> Jasc
01/22/2006 03:26 PM <DIR> Jasc Software Inc
07/04/2005 01:25 PM <DIR> Lavasoft
04/25/2003 10:00 PM <DIR> Leadertech
07/17/2005 03:16 AM <DIR> Macromedia
12/10/2005 02:47 PM <DIR> Microgaming
05/14/2003 06:53 PM <DIR> Microsoft Games
01/16/2002 05:04 PM <DIR> Microsoft Web Folders
01/08/2006 07:42 PM <DIR> Mozilla
01/24/2002 11:17 AM <DIR> Palo Alto Software Inc
02/09/2002 12:58 PM <DIR> PolyView
01/17/2002 09:12 PM <DIR> Real
01/26/2003 01:31 PM <DIR> Roxio
02/27/2002 07:46 PM <DIR> ScanSoft
07/07/2005 12:21 AM <DIR> Skype
01/18/2002 11:07 AM <DIR> SmartFTP
07/04/2005 12:40 PM 0 sversion.ini
01/17/2002 01:46 PM <DIR> Symantec
10/16/2005 10:54 AM <DIR> teamspeak2
01/25/2003 03:53 PM <DIR> theimagingfactory
1 File(s) 0 bytes
29 Dir(s) 16,197,853,184 bytes free
Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\Owner\Application Data

12/05/2001 08:11 PM <DIR> Identities
12/05/2001 08:16 PM <DIR> Symantec
0 File(s) 0 bytes
2 Dir(s) 16,197,853,184 bytes free
Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\Default User\Application Data

12/05/2001 08:16 PM <DIR> .
12/05/2001 08:16 PM <DIR> ..
09/05/2001 10:08 AM 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 16,197,853,184 bytes free
Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is MAIN
Volume Serial Number is 349D-7939

Directory of C:\Documents and Settings\NetworkService\Application Data




I deleted all the files/folders that you told me to, except the banmanpro.exe one because it wasn't there. (Searched for it and looked for it.)




Now here is the log of the HijackThis that I did after I restarted my computer (noticed the last one you had me check is back).





Logfile of HijackThis v1.99.1
Scan saved at 10:39:10 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mike smith\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\mike\internet stuff\acrobat reader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\mike\downloaded utilities\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PP7600usb] C:\paprport\FBDirect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BURN LITE POP LICENSE] C:\Documents and Settings\All Users.WINDOWS\Application Data\ChicGreyBurnLite\Thatwave.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SectDrive] C:\DOCUME~1\MIKESM~1\APPLIC~1\DRAWBE~1\Deletepluscool.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: ChargersDirect.lnk = C:\Program Files\ThePort\XML Player\XMLplayer.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...e/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120511295545
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143147219921
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.premierei...eoViewer3_0.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bWlrZSBzbWl0aA\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
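
An added example (not part of the thread, and not a HijackThis feature): one way to check the result of a "fix checked" pass is to diff the log saved before the fix against the log saved after the restart, which is how the returning cmdService entry in the post above would be caught. The sample logs are abridged from posts #1 and #3; the function names are hypothetical.

```python
import re

# Entry lines look like "R1 - ...", "O4 - ...", "O23 - ...": a section code,
# then the entry text. Header and running-process lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O23 text: "Service: <display name> (<key name>) - <owner> - <path>".
# Assumption from the lines on this page: the parenthesised key name is
# omitted when it is the same as the display name.
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - ")


def normalise(line):
    """Collapse whitespace and case so forum copy/paste differences don't matter."""
    return " ".join(line.split()).casefold()


def parse_entries(log_text):
    """Return {normalised line: original line} for every R*/O* entry in a log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[normalise(line)] = line
    return entries


def service_key_name(line):
    """For an O23 line, return the service's key name (the name in parentheses)."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group(1) != "O23":
        return None
    s = SERVICE_RE.match(m.group(2))
    if not s:
        return None
    return s.group("key") or s.group("display")


def verify_fix(before_log, after_log, checked_lines):
    """Classify each line the helper asked to fix, and list entries that are new."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    report = {"removed": [], "persisted": [], "not_in_before": [], "new": []}
    for line in checked_lines:
        key = normalise(line)
        if key not in before:
            report["not_in_before"].append(line)  # typo or wrong log
        elif key in after:
            report["persisted"].append(line)      # fix did not stick
        else:
            report["removed"].append(line)
    report["new"] = [orig for key, orig in after.items() if key not in before]
    return report


# Abridged from the 3/23/2006 log in post #1.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fddiafkls...9QHEityHl/5.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SectDrive] C:\DOCUME~1\MIKESM~1\APPLIC~1\DRAWBE~1\Deletepluscool.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bWlrZSBzbWl0aA\command.exe (file missing)
"""

# Abridged from the 3/27/2006 log in post #3.
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SectDrive] C:\DOCUME~1\MIKESM~1\APPLIC~1\DRAWBE~1\Deletepluscool.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bWlrZSBzbWl0aA\command.exe (file missing)
"""

# The six lines post #2 asked to checkmark.
CHECKED = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fddiafkls...9QHEityHl/5.cgi",
    r"O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe",
    r"O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe",
    r"O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe",
    r"O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bWlrZSBzbWl0aA\command.exe (file missing)",
]

if __name__ == "__main__":
    result = verify_fix(BEFORE, AFTER, CHECKED)
    for status in ("removed", "persisted", "not_in_before", "new"):
        for entry in result[status]:
            print(f"{status:14} {entry}")
    for entry in result["persisted"]:
        if service_key_name(entry):
            print("service key name:", service_key_name(entry))
```
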

#4 JG427

JG427

    Forum Deity

  • Retired Staff
  • 1,020 posts

Posted 28 March 2006 - 02:59 PM

Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted.
Open the ren-cmdservice folder, then double-click the ren-cmdservice.bat file to run the program.
A text will open when it is finished. Post it here in your next reply.


Change these settings to show hidden files and folders on your system:
Open Windows Explorer by right clicking the start button, choose explore.
Click tools, then Folder Options.
Click on the View tab
Place a checkmark at "Show hidden files and folders"
Uncheck "hide extensions for known file types"
click "Apply to all folders"
Click "Apply" then "OK"

Please right click the Microsoft AntiSpyware icon in the system tray and choose shutdown.

Scan with hijackthis and checkmark these lines:
O4 - HKLM\..\Run: [BURN LITE POP LICENSE] C:\Documents and Settings\All Users.WINDOWS\Application Data\ChicGreyBurnLite\Thatwave.exe
O4 - HKCU\..\Run: [SectDrive] C:\DOCUME~1\MIKESM~1\APPLIC~1\DRAWBE~1\Deletepluscool.exe

Close all browsers and open windows, except hijackthis, and click fix checked.

Next, delete the following folders marked in bold:
C:\Documents and Settings\All Users.WINDOWS\Application Data\ChicGreyBurnLite\
C:\Documents and Settings\mike smith\Application Data\draw beep\

Restart your system.
Scan with hijackthis and post a fresh log.
Also post the text report from ren-cmdservice.

How is your system running, notice any problems?

#5 stupadso

stupadso

    Member

  • Full Member
  • 11 posts

Posted 28 March 2006 - 03:48 PM

I did everything that you said and all went well except the ren-cmdservice. I extracted it to my desktop and ran it but I got an error message. I redid everything and tried running it again and got the same message... here it is, along with my new HijackThis log.


Error: Key: system\currentcontrolset\services\cmdservice does not exist!

Running from C:\Documents and Settings\mike smith\Desktop\ren-cmdservice

Post this in the forum please.



Logfile of HijackThis v1.99.1
Scan saved at 4:41:50 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mike smith\Desktop\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\mike\internet stuff\acrobat reader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\mike\downloaded utilities\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PP7600usb] C:\paprport\FBDirect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: ChargersDirect.lnk = C:\Program Files\ThePort\XML Player\XMLplayer.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...e/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120511295545
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143147219921
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.premierei...eoViewer3_0.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





As for how my computer is running, it is doing pretty well when I don't use Internet Explorer (I use Firefox). When I use IE I get a lot of pop-ups and it is much slower. My internet provider is Comcast cable, which I like; it's pretty fast, and I pay $10 a month to have it even faster. I believe it is an 8 mb connection or 8 something, I forgot the sublettering. It is not what it is supposed to be, however, for what I'm paying for according to those online speed tests, but it's still fast enough for me. It's just that I would like to use IE when I need to without pop-ups and all that junk.

#6 stupadso

Posted 28 March 2006 - 11:06 PM

Hello,

I tried going into safe mode as well, and when I tried to go into safe mode it wouldn't go. It stopped and restarted to the beginning of the boot-up process right before the welcome screen would appear. Just thought this would be something to be noted.

#7 JG427

Posted 29 March 2006 - 02:45 PM

I did everything that you said and all went well except the ren-cmdservice. I extracted it to my desktop and ran it, but I got an error message.


That's OK, it did remove the Command Service from your log the first time you ran it.

Nothing is showing up in your hijackthis log, it's clean.
Sometimes bad files are hidden from hijackthis, we can look for those with a silentrunners scan.
Let's also download and run a scan with ewido.

Please download, install, and update the free version of ewido anti-malware:

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Click on update in the left menu, then click the Start update button.
After the update finishes, click on the Scanner button in the left menu, then click on complete system scan.

When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".


Please download SilentRunners.
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished, an "all done" message will pop up and a Startup Programs.txt will be created on the desktop.

Please post the entire contents of the Startup Programs.txt.
Post the report from ewido located at C:\Program Files\ewido\security suite\Reports.
Scan with hijackthis and post a fresh log.

#8 stupadso

Posted 29 March 2006 - 05:09 PM

First, here is the txt from the silentrunners.


"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"DellTouch" = "C:\WINDOWS\DELLMMKB.EXE" ["Netropa Corp."]
"CoolSwitch" = "C:\WINDOWS\System32\taskswitch.exe" [null data]
"FastUser" = "C:\WINDOWS\System32\fast.exe" [MS]
"DIAGENT" = "C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]
"QuickTime Task" = ""C:\mike\downloaded utilities\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"WorkFlo" = "D:\Install\WorkFlow.exe" [file not found]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"PaperPort PTD" = "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"Omnipage" = "C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe" ["ScanSoft, Inc"]
"IndexSearch" = "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"PP7600usb" = "C:\paprport\FBDirect.exe" [file not found]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "c:\mike\internet stuff\acrobat reader\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {HKLM...CLSID} = "Desktop Manager"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msvdm.dll" [null data]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
-> {HKLM...CLSID} = "CD Burn Slideshow Hook"
\InProcServer32\(Default) = "C:\WINDOWS\System32\slideshow.dll" [MS]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\mike\DOWNLO~2\WINZIP~1\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\mike\DOWNLO~2\WINZIP~1\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\mike\DOWNLO~2\WINZIP~1\wzshlext.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {HKLM...CLSID} = "Microsoft Office Binder Explode"
\InProcServer32\(Default) = "C:\msoffice95\Office\explode.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKLM...CLSID} = "Microsoft Access Custom Icon Handler"
\InProcServer32\(Default) = "C:\msoffice95\Access\soa300.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Mike\internet stuff\real one player\rpshellext.dll" ["RealNetworks"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02}" = "TIShelEx Shell Extension"
-> {HKLM...CLSID} = "FileTimeShlExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.dll" ["Texas Instruments Incorporated"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Mike\downloads\hold\wolf\7-zipn.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\mike\DOWNLO~2\WINZIP~1\wzshlext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Mike\downloads\hold\wolf\7-zipn.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\mike\DOWNLO~2\WINZIP~1\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Mike\downloads\hold\wolf\7-zipn.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\mike\DOWNLO~2\WINZIP~1\wzshlext.dll" [null data]


Default executables:
--------------------

HKLM\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
HKLM\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "mike smith" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"ChargersDirect" -> shortcut to: "C:\Program Files\ThePort\XML Player\XMLplayer.exe "C:\Program Files\ThePort\XML Player\Sponsors\PPID{6FAF0AD5-F065-4EFD-A631-AD704AA467BB}\default.pcf"" ["ThePort.com"]
"dlbcserv" -> shortcut to: "C:\Program Files\Dell Photo Printer 720\dlbcserv.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"A5C7157491848E38" -> launches: "c:\docume~1\mikesm~1\applic~1\drawbe~1\noun jump error.exe" [file not found]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Symantec\NORTON~2\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
InteractiveLogon, InteractiveLogon, "C:\WINDOWS\System32\Fast.exe -service" [MS]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Netropa NHK Server, Nhksrv, "C:\WINDOWS\Nhksrv.exe" [null data]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, ""C:\Program Files\Norton Internet Security\NISUM.EXE"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SDPAUMS server service, SDPASVC, "C:\WINDOWS\system32\sdpasvc.exe -service" [" Matsushita Electric Industrial Co.,Ltd."]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Proxy Service, ccPxySvc, ""C:\Program Files\Norton Internet Security\ccPxySvc.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]




Next, here is the report from the ewido scan.



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:56:17 PM, 3/29/2006
+ Report-Checksum: 78F5D2B5

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-117609710-1303643608-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@100hot[1].txt -> TrackingCookie.100hot : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@247media[2].txt -> TrackingCookie.247media : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@ads.adservingcentral[1].txt -> TrackingCookie.Adservingcentral : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@earth.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@gm.preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@search.clickfinders[1].txt -> TrackingCookie.Clickfinders : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@track-star[1].txt -> TrackingCookie.Track-star : Cleaned with backup
C:\Documents and Settings\Default User.WINDOWS\Cookies\mike@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@100hot[1].txt -> TrackingCookie.100hot : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@247media[2].txt -> TrackingCookie.247media : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ads.adservingcentral[1].txt -> TrackingCookie.Adservingcentral : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@earth.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@gm.preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@search.clickfinders[1].txt -> TrackingCookie.Clickfinders : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@track-star[1].txt -> TrackingCookie.Track-star : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.9:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.33:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.34:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.35:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.36:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.37:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.38:C:\Documents and Settings\mike smith\Application Data\Mozilla\Firefox\Profiles\fj7tnjbn.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.447:C:\Documents and Settings\mike smith\Appl

#9 JG427

Posted 29 March 2006 - 07:07 PM

The ewido log must have been too long to fit into the post.
Please skip the tracking cookies listings and post the bottom part of the report.

I'll look again, but the only thing I see in the silentrunners is a task scheduled by lop.
I expected to see it in the findlop text, not sure why it was missing.
It's pointing to a file we already removed so it's no longer working, but let's remove it anyway.

Open notepad and copy and paste the contents of the quote box below to notepad.
In notepad click file, then save as.
Name it remjob.bat, change the save as type to all files.
Place it on your desktop, then double click remjob.bat to run it.
Your script blocking service may pop up a warning, please allow it to run.
A command window will open and close quickly, which is normal.

%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h A5C7157491848E38.job
del A5C7157491848E38.job


Let's run a check for rootkits.
Download F-Secure BlackLight from this website.
Open Blacklight by double clicking blbeta.exe, accept the agreement, then click the scan button.
Click next when finished scanning, do not choose to rename any hidden files at this time, some may be legitimate.
Click next then exit. Post the contents of the blacklight log located in the folder with blbeta.exe.
It will be similar to fsbl-20060330005702.log.

Is IE still having popups? What website are you at and what do the popups say?

#10 stupadso

Posted 29 March 2006 - 08:39 PM

Hello,

There were no hidden files when I ran that test, and here is the rest of that text that cut off.





C:\Documents and Settings\mike smith\Local Settings\Temp\!update.exe -> Downloader.PurityScan.ax : Cleaned with backup
C:\drsmartloadb.exe -> Downloader.Adload.l : Cleaned with backup
C:\inrh9400.exe -> Downloader.Small.bke : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9683BBDE-D9E8-4D8C-8A17-B04386\26B5B113-6630-41A4-A88A-4C971F -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9683BBDE-D9E8-4D8C-8A17-B04386\2AC7DBE1-1BDC-4121-8460-2C9A68 -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9683BBDE-D9E8-4D8C-8A17-B04386\74AD393B-C78A-4761-9D68-04BCAB -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C72286A0-47E7-4B39-ABA4-4B37F0\452C6C5E-B2CA-424F-93A1-8C3739 -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C72286A0-47E7-4B39-ABA4-4B37F0\C53DA9D2-7A09-4E06-8BEA-D1C530 -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EA516602-07CA-466E-A31F-31192C\21858053-835B-4EB8-9312-0B7EFB -> Downloader.Qoologic.az : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EA516602-07CA-466E-A31F-31192C\6ADDC751-4FB4-402B-80AB-2F9C93 -> Downloader.Small : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EFF2DB4F-6601-4031-BDB4-3A8054\DC4F411D-4105-484B-A022-CFBC32 -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP764\A0087964.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP764\A0087994.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP764\A0088314.cpl -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP766\A0088618.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP767\A0088737.exe -> Adware.Lop : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP767\A0088738.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{62547E1F-265E-469B-A5ED-2D771DA6805D}\RP767\A0088931.exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\z00096.exe -> Adware.VB : Cleaned with backup


IE-wise, I didn't get any pop-ups after just trying it now. :D I went to a number of sites to see and I didn't get one, so that is a good thing. When I was getting them, I think some were party poker ones, um, and I think maybe something that started with a "W", and I remember sometimes credit card type pop-ups would pop up if I had no browsers open and was just sitting at my desktop. Hard to remember though, I haven't used it for a while.
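
Added example (not part of the original posts): one way to do the triage requested above, dropping the tracking-cookie rows from an ewido-style report and grouping what is left by where it was found. The sample report, its paths and detection names are constructed, and the three location labels are assumptions chosen for this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the row format seen in this thread:
#   [:source:]<path> -> <detection name> : <action>
# The last row is cut off mid-path, as happens when a forum post overflows.
SAMPLE_REPORT = r"""
:mozilla.39:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\example.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.47:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\example.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\sample1.exe -> Downloader.Example.a : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AAAA\BBBB -> Adware.Example : Cleaned with backup
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll -> Adware.Example : Cleaned with backup
C:\WINDOWS\sample2.exe -> Adware.ExampleB : Cleaned with backup
C:\Documents and Settings\user\Appl
"""

# Optional ":source:" prefix, then path, detection name and action taken.
ROW_RE = re.compile(
    r"^(?::(?P<source>[^:]+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$"
)


def classify_location(path):
    """Label where a detection sat (labels are this example's own)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"          # copy inside a restore point
    if "\\quarantine\\" in p:
        return "other-tool-quarantine"   # already isolated by another scanner
    return "live-filesystem"             # was sitting on disk in the open


def triage(report_text):
    """Separate cookie noise from file detections and keep unparsable rows."""
    cookies = Counter()
    findings = defaultdict(list)
    unparsed = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            # Truncated or foreign rows are kept so nothing is silently lost.
            unparsed.append(line)
            continue
        name = m.group("name")
        if name.startswith("TrackingCookie."):
            cookies[name.split(".", 1)[1]] += 1
            continue
        findings[classify_location(m.group("path"))].append(
            (name, m.group("path"), m.group("action"))
        )
    return {
        "tracking_cookies": sum(cookies.values()),
        "cookie_networks": dict(cookies),
        "findings": dict(findings),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("tracking cookies skipped:", result["tracking_cookies"])
    for location, rows in sorted(result["findings"].items()):
        print(location)
        for name, path, action in rows:
            print("  %-24s %s [%s]" % (name, path, action))
    for line in result["unparsed"]:
        print("could not parse (truncated?):", line)
```

Rows under "live-filesystem" are the ones that were active on disk; restore-point and quarantine rows are copies that had already been set aside.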

#11 JG427

Posted 29 March 2006 - 09:54 PM

I tried going into safe mode as well and when i tried to go into safe mode it wouldnt go.


Have you tried safemode again?
This looks like the only issue left on your system.
I don't think it is caused by malware unless it is damage to system files they left behind.
We can run the system file checker, but it usually asks for you to insert your install cd into the drive when it runs. Do you have your xp install cd?

Click the start button on the taskbar, then click Run...
In the Run... box, type in or copy/paste the next line, then click OK.
sfc /scannow
Notice the space after sfc.
Allow it to run, it will replace any damaged system files found.


Try this small program to help boot into safemode.
Download Bootsafe, open the program and choose safeboot minimal.
Click the reboot button.

Any luck with these steps?

#12 stupadso

Posted 30 March 2006 - 02:57 PM

Hello, I'm on another computer in my house, and the reason for that is because now my cpu won't start. It is back in a loop that I was in about 2 months ago when I went to msconfig and set a setting to start Windows in safe mode. It goes through the normal startup, then when it is about to reach the welcome page it goes to a blue screen real fast and then goes back to the start. Don't know how I got out of it last time but I managed to; however, this time I'm not getting that type of luck.

I do have the Windows XP disk, so I ran the hidden file check, then downloaded the program and clicked start in safe mode and restarted. And now I'm here. That's about it.

#13 JG427

Posted 30 March 2006 - 08:12 PM

Try this:
Restart the computer, after the computer beeps once but before the Windows icon appears, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Start Windows Normally, then press Enter.

Any luck getting back to normal mode?

I have asked the experts here for suggestions on your problem.

#14 stupadso

Posted 30 March 2006 - 11:50 PM

Update,

I managed to fix it. It wasn't the start Windows normally though, that didn't work.

Here's how I did it. I went to DOS and went to c:\windows>bootcfg /add, then added a boot.INI and started it up with that. Once I was on, I went to msconfig and unchecked the start in safe mode for the other boot.ini and deleted the program (bootsafe.exe or whatever it was) and restarted the computer, and am now on the normal startup.

I'm going to delete the other boot.INI later.


Still can't go into safe mode though, but hey, it's back up and running.

And that's where I stand now.

#15 JG427

Posted 31 March 2006 - 12:18 AM

Hey, that's good news!
The question now is what's wrong with safemode.
The bootsafe program does the same thing as msconfig, it adds safeboot:minimal to the boot.ini.
Have you tried checking the boot paths in msconfig?
msconfig>boot.ini tab, click on Check All Boot Paths
Does that show any problems?

#16 stupadso

Posted 31 March 2006 - 02:55 PM

Nope, it says they are all OK.

#17 JG427

Posted 31 March 2006 - 08:24 PM

Let's take a look at the safemode registry key and see if we can spot any problems.

Open notepad, copy and paste the contents of the quote box below to notepad.
In notepad click file, then save as.
Name it look.bat, change the save as type to all files.
Place it on your desktop, then double click look.bat to run it.
A command window will open and close quickly, which is normal.
Copy the contents of key.txt that opens and paste it here in your next reply.

regedit /e key.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
start notepad key.txt


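
Added example (not part of the original posts): a sketch that reads a `regedit /e` export of the SafeBoot key, like the key.txt requested above, and summarizes it for review. The export bytes are constructed, and the things it reports (the AlternateShell value, whether the Minimal and Network subkeys are present, entries with no default value) are this example's assumptions about what is worth checking by eye, not a rule stated in the thread.

```python
import re
from collections import Counter

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed export: "Version 5.00" files are UTF-16LE with a BOM and CRLF.
_SAMPLE_TEXT = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{ROOT}]", '"AlternateShell"="cmd.exe"', "",
    f"[{ROOT}\\Minimal]", "",
    f"[{ROOT}\\Minimal\\CryptSvc]", '@="Service"', "",
    f"[{ROOT}\\Minimal\\vga.sys]", '@="Driver"', "",
    f"[{ROOT}\\Minimal\\Base]", '@="Driver Group"', "",
    f"[{ROOT}\\Minimal\\BrokenEntry]", "",   # constructed: no default value
    "",
])
SAMPLE_EXPORT = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")

# A value line is either @="..." (the key's default value) or "name"=data.
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def decode_export(data):
    """Version 5.00 exports carry a UTF-16 BOM; older REGEDIT4 files are ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_reg(text):
    """Return {key path: {value name: data}}; "" names the default value.

    Only single-line values are handled, which is all this key contains.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \"
        current[m.group("name") or ""] = data
    return keys


def review_safeboot(keys):
    """Summarize the export; registry key names compare case-insensitively."""
    root = ROOT.lower()
    root_values = next((v for k, v in keys.items() if k.lower() == root), {})
    shell = next(
        (v for n, v in root_values.items() if n.lower() == "alternateshell"), None
    )
    report = {"alternate_shell": shell, "modes": {}}
    for mode in ("Minimal", "Network"):
        prefix = root + "\\" + mode.lower()
        children = {
            k[len(prefix) + 1:]: v
            for k, v in keys.items()
            if k.lower().startswith(prefix + "\\")
        }
        report["modes"][mode] = {
            "present": bool(children) or any(k.lower() == prefix for k in keys),
            "by_type": Counter(
                v.get("", "(no default value)") for v in children.values()
            ),
            "no_default": sorted(n for n, v in children.items() if "" not in v),
        }
    return report


if __name__ == "__main__":
    summary = review_safeboot(parse_reg(decode_export(SAMPLE_EXPORT)))
    print("AlternateShell:", summary["alternate_shell"])
    for mode, info in summary["modes"].items():
        print(mode, "present" if info["present"] else "MISSING", dict(info["by_type"]))
        for name in info["no_default"]:
            print("  entry without a default value:", name)
```

To run it on a real export, read the file in binary mode and pass the bytes to `decode_export`.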

#18 stupadso

Posted 31 March 2006 - 09:33 PM

Here is the key.txt


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sharedaccess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SYMTDI]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

#19 JG427

JG427

    Forum Deity

  • Retired Staff
  • 1,020 posts

Posted 31 March 2006 - 11:51 PM

I compared your registry file to my system and I don't see any problem there.
I have done some research and think I may have found one possible culprit:
C:\Program Files\Ahead\InCD\InCD.exe

I have found several accounts of InCD causing this problem, not sure why.
Try uninstalling the program, then boot into safemode.
If that works, reinstall and see if the problem returns.

Any luck?
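The check described in post #19 (the exported SafeBoot key compared against a known-good system) can be scripted instead of read by eye. The following is an added example, not part of the original thread: the function names and both sample exports are constructed for illustration, and only string values are compared.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_safeboot(text):
    """Map each key under SafeBoot (lowercased, relative) to its string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            inside = path.lower().startswith(ROOT.lower())
            # Registry key names are case-insensitive, so normalise before comparing.
            current = path[len(ROOT):].lstrip("\\").lower() if inside else None
            if inside:
                keys[current] = {}
        elif current is not None and (m := VALUE.match(line)):
            keys[current][m.group(1).strip('"').lower()] = m.group(2)
    return keys

def compare(baseline_text, other_text):
    """Return sorted (kind, key) findings: missing, extra or changed."""
    base, other = parse_safeboot(baseline_text), parse_safeboot(other_text)
    found = [("missing", k) for k in base.keys() - other.keys()]
    found += [("extra", k) for k in other.keys() - base.keys()]
    found += [("changed", k) for k in base.keys() & other.keys() if base[k] != other[k]]
    return sorted(found)

def export(alt_shell, entries):
    """Build a constructed regedit-style export for the demo below."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{ROOT}]",
           f'"AlternateShell"="{alt_shell}"', ""]
    for sub, kind in entries:
        out += [f"[{ROOT}\\{sub}]", f'@="{kind}"', ""]
    return "\n".join(out)

# Constructed sample data: a reference export and one that differs in three places.
REFERENCE = export("cmd.exe", [("Minimal\\AppMgmt", "Service"),
                               ("Minimal\\vga.sys", "Driver"),
                               ("Network\\Tcpip", "Service")])
CHECKED = export("example.exe", [("Minimal\\AppMgmt", "Service"),
                                 ("Network\\TCPIP", "Service"),
                                 ("Network\\ExampleSvc", "Service")])

if __name__ == "__main__":
    # A real key.txt from "regedit /e" is UTF-16: open(path, encoding="utf-16").
    for kind, key in compare(REFERENCE, CHECKED):
        print(f"{kind:8} {key or '(SafeBoot root)'}")
```

An "extra" entry is not a problem by itself, since security software legitimately registers its own drivers for safe mode (the SYMTDI entry in the export above is one such case), so findings are a list to review rather than a verdict.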

#20 stupadso

stupadso

    Member

  • Full Member
  • 11 posts

Posted 01 April 2006 - 01:38 AM

That was it, safe mode worked fine when I uninstalled it and when I re-installed it, safe mode didn't work.
So when I need to start in safe mode I will just un-install it before I do it.


thanks for all your help.

#21 JG427

JG427

    Forum Deity

  • Retired Staff
  • 1,020 posts

Posted 01 April 2006 - 08:45 PM

You're welcome. :D

I'm glad we solved that puzzle, I'll remember it next time it happens.
I do have a few suggestions for improving the security of your system.
You already have most areas covered with antivirus, a realtime antispyware scanner and Firefox browser. :thumbsup:

The following free programs will work in different areas than the ones you have.
Consider installing all of them.

If Norton Internet Security does not include a firewall, here are some free ones.

The XP firewall only blocks incoming connections, which will allow any program or trojan on your system to connect without permission.
Most third party firewalls block incoming and outgoing unless you permit it.
Zone Alarm and Sunbelt Kerio Personal Firewall have free versions for personal use.

SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
IE-SPYAD adds a long list of sites associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
Blocking Unwanted Parasites with a Hosts File

SpywareBlaster, IE-SPYAD and the Hosts file do not run in the background, just check for updates every few weeks.
Open SpywareBlaster and click check for updates, then enable all protection.
Updates for IE-SPYAD and MVPS HOSTS are announced in the software forum at SpywareInfo.

#22 JG427

JG427

    Forum Deity

  • Retired Staff
  • 1,020 posts

Posted 02 April 2006 - 08:46 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.