Please view


  • This topic is locked
45 replies to this topic

#1 Dabees


Posted 07 July 2006 - 01:10 PM

Hi,
Here is my Hijack This log. I have not had it reviewed for quite a while, so I'm sure there's stuff that shouldn't be there. I have broadband yet my computer is SO slow. I appreciate any assistance. Just defragged & other routine steps last week. THANKS!
Logfile of HijackThis v1.97.3
Scan saved at 1:55:17 PM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grasp!ware\Randy Jr\Randy Jr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\default\Local Settings\Temp\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Randy Jr] C:\Program Files\Grasp!ware\Randy Jr\Randy Jr
O4 - HKCU\..\Run: [NitroRAM] C:\Program Files\NitroRAM\NitroRAM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Morpheus Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Dabees


Posted 07 July 2006 - 09:44 PM

Bump

#3 Dabees


Posted 08 July 2006 - 07:27 AM

bump

Most probably, you didn't read the FAQ, otherwise you would have known that bumping your posts/thread (- replying to your own posts without receiving help yet -) won't work to receive help in a faster way, on the contrary....
If you bump your posts/thread, you have to wait longer for help, because the helpers are trying to deal with the oldest logs first, and since you bumped your thread, it's in the beginning of the list again with the newest logs.
In case you have not received a response after three days, post a reply to the topic Not getting help with your log? with the link to your thread.

Edited by miekiemoes, 14 July 2006 - 06:46 AM.


#4 TheJoker


Posted 21 July 2006 - 03:53 AM

Hi Dabees, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

Your version of HijackThis is VERY outdated.
Please download the current version of 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Please save it in a convenient permanent folder such as C:\HJT\,
and be sure the next log is with the newer version.

I recommend you optionally uninstall Morpheus Toolbar. From their privacy page at http://www.morpheust...om/privacy.html it appears that it tracks your usage, and is adware:
  • Providing products and services to users, including the display of customized content and advertising
To uninstall Morpheus Toolbar, go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Morpheus Toolbar

You are running two utilities to free or optimize your RAM. I suggest you decide which you really want to keep and remove one of them.
NitroRAM
FreeRAM XP


First download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • Run a complete system scan with ewido.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

You can optionally check the following entry. This is part of Microsoft Office located in your Startup folder, but it's not needed, and it's a resource hog:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

If you uninstalled Morpheus Toolbar as recommended, also check (if still there):
O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll
O9 - Extra button: Morpheus Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar (HKLM)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Do you know what program this is that's running at startup?
C:\Program Files\Grasp!ware\Randy Jr\Randy Jr

Restart your system.

Please post a new HijackThis log, and the log from ewido. Please be certain your log is with the new version of HijackThis.


MS MVP 2009-20010 and ASAP Member since 2005


#5 Dabees


Posted 23 July 2006 - 08:17 AM

Thank you so much!
I could not find NitroRam to remove it. I did a search and everything.
Also, after I restarted my computer I got the message, "Debug Assertion Failed!" I didn't write down the entire message, but it referred to Natural Color.

Here is my new HiJack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 9:09:46 AM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Randy Jr] C:\Program Files\Grasp!ware\Randy Jr\Randy Jr
O4 - HKCU\..\Run: [NitroRAM] C:\Program Files\NitroRAM\NitroRAM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

And here is my log from ewido:
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:45:25 AM 7/23/2006

+ Scan result:



C:\Program Files\Microsoft AntiSpyware\Quarantine\E2C3AA13-4FC2-4584-AC70-386784\3B35C238-3700-4BDA-8995-A616A1 -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\General -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\URL1 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\URL2 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\URL3 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\URL4 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\URL5 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\eScorcher\debug -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\General -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\URL1 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\URL2 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\URL3 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\URL4 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\URL5 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\eScorcher\debug -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\General -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\URL1 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\URL2 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\URL3 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\URL4 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\URL5 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\eScorcher\debug -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\General -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\URL1 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\URL2 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\URL3 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\URL4 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\URL5 -> Adware.eScorcher : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\eScorcher\debug -> Adware.eScorcher : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\D270414F-B870-4575-80DF-0E4A87\1DB60826-9C16-409D-AF0D-9BF0EB -> Adware.EZula : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\D270414F-B870-4575-80DF-0E4A87\B49193FC-C0EE-4BDD-BDB6-55FBB7 -> Adware.EZula : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Hiwire -> Adware.HiWire : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Hiwire -> Adware.HiWire : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Hiwire -> Adware.HiWire : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Hiwire -> Adware.HiWire : Cleaned with backup (quarantined).
C:\unzipped\hijackthis\backup-20031208-165456-461.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\D270414F-B870-4575-80DF-0E4A87\3B6B3B2D-8F25-4984-B683-4D3652 -> Not-A-Virus.PSWTool.Win32.EZula.bf : Cleaned with backup (quarantined).
:mozilla.190:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.192:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.105:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.129:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.130:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Will Leister\Application Data\Phoenix\Profiles\default\4ju13orh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\8yvu30fp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.88:C:\Documents and Settings\default\Application Data\Phoenix\Profiles\default\jxfbplys.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).


::Report end

Thanks again. Really appreciate your assistance!
PS My son has a Jokerman tattooed on his leg!

#6 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,475 posts

Posted 23 July 2006 - 03:28 PM

I could not find NitroRam to remove it.


There was no entry for it at Start > Control Panel > Add or Remove Programs?
Go to Start > Programs, and see if there is a program group for it there.
If there is, is there an uninstall shortcut there?
Do you want to remove it? NitroRAM is shareware; did you ever register it?
If you want to remove it, and you are sure there was no removal utility, do this:
Download NitroRAM and save it to your Desktop.
Double-click the file to start the install. Be certain the install folder is:
C:\Program Files\NitroRAM
Restart your system.
Go to Start > Control Panel > Add or Remove Programs and see if there is an entry for it.
If there is, uninstall it.

Also, after I restarted my computer I got the message, "Debug Assertion Failed!" I didn't write down the entire message, but it referred to Natural Color.

That would seem to be a color utility for Samsung monitors. There was nothing I see that was removed from the folder it's in. It was running in your first log, and it's not now, although the entry to start it is still there. Have the colors changed any on your monitor? If not, you may want to uninstall it, as you had mentioned that the system was slow. Go to Start > Control Panel > Add or Remove Programs and see if there is an entry for it.

Please run HijackThis, click on "Open the Misc Tools section", and then on "Open Uninstall Manager". Click the "Save list" button, save the file uninstall_list.txt to your Desktop, and post the contents here for review.

Do you recognize this program?
C:\Program Files\Grasp!ware\Randy Jr\Randy Jr

Please go to VirusTotal and submit the following file for a scan and post the results in your next reply:
C:\Program Files\Grasp!ware\Randy Jr\Randy Jr <-- There was no file extension listed. This file probably ends in .exe, but might be .com, .bat, .scr, or some other executable extension.

Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:
  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Click Proceed.

3) To start the scan, Click > "Scan Now" at left
  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.
  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.
Please restart your system, and post a new HijackThis log, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005
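
The cross-check described in the post above (a program that ran in an earlier log, is not running now, yet still has a startup entry) can be done mechanically on two logs; this is an added example, not part of the original thread. The sample logs are constructed in the HijackThis layout seen in this topic, and the function names and the shortcut-name fallback are assumptions of this sketch.

```python
import ntpath
import re

# Constructed sample logs in the HijackThis layout used in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.3

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: NaturalColorLoad.lnk = ?
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

HEADER_RE = re.compile(r"^Logfile of HijackThis v(\S+)", re.M)
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - ..."
# Leading executable of a command line: quoted path, or text up to the first
# executable extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|com|bat|scr))(?=\s|$))', re.I)


def parse_log(text):
    """Split a log into tool version, running processes and (code, rest) entries."""
    header = HEADER_RE.search(text)
    log = {"version": header.group(1) if header else None,
           "processes": [], "entries": []}
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            log["entries"].append((entry.group(1), entry.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            log["processes"].append(line)
    return log


def image_name(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return ntpath.basename(path.strip().strip('"')).lower()


def autostarts(log):
    """Return (label, image name) for every O4 startup entry."""
    found = []
    for code, rest in log["entries"]:
        if code != "O4":
            continue
        location, _, value = rest.partition(": ")
        if location.endswith("Startup"):                  # "Name.lnk = target"
            label, _, command = value.partition(" = ")
        else:                                             # "[value name] command"
            named = re.match(r"\[(.*?)\] (.*)$", value)
            if not named:
                continue
            label, command = named.group(1), named.group(2)
        exe = EXE_RE.match(command)
        if exe:
            image = image_name(exe.group(1) or exe.group(2))
        elif location.endswith("Startup"):
            # Target shown as "?": assume the shortcut is named after the program.
            image = ntpath.splitext(label)[0].lower() + ".exe"
        else:
            continue
        found.append((label, image))
    return found


def review(before, after):
    """Findings from two consecutive parsed logs."""
    ran_before = {image_name(p) for p in before["processes"]}
    runs_now = {image_name(p) for p in after["processes"]}
    findings = []
    for label, image in autostarts(after):
        if image in ran_before and image not in runs_now:
            findings.append(("stopped-but-autostarts", label, image))
    for code, rest in after["entries"]:
        if "(file missing)" in rest:
            findings.append(("file-missing", code, rest))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(LOG_BEFORE), parse_log(LOG_AFTER)):
        print(finding)
```

Helper processes that exit right after launch, such as the RUNDLL32.EXE entry, are only reported if they were seen running in the earlier log.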


#7 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 05 August 2006 - 11:54 AM

Due to the lack of feedback this Topic is closed.

Reopened

Edited by jedi, 16 August 2006 - 07:17 AM.



#8 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 16 August 2006 - 07:13 AM

Reopened at request of topic owner.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#9 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 16 August 2006 - 09:31 AM

Hi Dabees, and Welcome Back :)

Please work through the last set of instructions and post an updated HijackThis log.



#10 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 17 August 2006 - 05:29 AM

[quote]Hi Dabees, and Welcome Back :)

Please work through the last set of instructions and post an updated HijackThis log.[/quote]


First of all--you guys are awesome!

Nitroram--Could not find an entry and I don't remember ever registering it. I had a computer fix-it guy take care of some virus stuff awhile ago and he installed some anti-virus things. I don't know if he did it or not. That was about a year ago though.

The issue with the error message last time from Samsung--The only entry I saw was for Natural Color & I didn't remove that.

The Randy Jr program--yeh, I installed that. It was a little guy on my desktop that gave me words of wisdom. He got removed through the Ad-Aware run I think, because he's not there anymore. Should I not have him there?

Here is my uninstall list:
2000th FireStorm (Olympic version)
ABBYY FineReader 5.0 Sprint Plus
Adobe Reader 7.0.5
Advanced Searchbar
AIM Hell 2000 v³
ArcSoft PhotoImpression
ArcSoft Software Suite
CM DiskCleaner
CNET Download Manager
Dell Resolution Assistant
Dell ResourceCD
DellTouch
Dup Detector
EPSON CardMonitor
EPSON Copy Utility
EPSON EIC
EPSON ES CX6400 Manual
EPSON Photo Print
EPSON PhotoStarter3.0
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON TWAIN 5
EPSON USB Printer Devices
EPSON Web-To-Page
ewido anti-spyware 4.0
Flipside Account Wizard
FloorPlan 3D v7
FoneSync
Gangsters
Good Keywords v2.0.051406
Google Toolbar for Internet Explorer
GTK+ 2.6.8-1 runtime environment
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Software Update
iHP Manager VER 1.10
Image Search
Intel A/V Codecs V2.0
Internet Explorer Developer Toolbar
InterVideo WinDVD
iolo technologies' System Mechanic
iVocalize Web Conference 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.1_03
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_03
Java Web Start
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.0 (Symantec Corporation)
Logitech User's Guide
Macromedia Shockwave Player
Magic Starter 7th Edition Demo
Masque Blackjack Demo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.1
Microsoft Interactive Training
Microsoft Office 2000 60 Minute Intranet Kit
Microsoft Office 2000 Disc 2
Microsoft Office Word Viewer 2003
Microsoft Office XP Professional
Microsoft Picture It! Publishing 2001
Microsoft SDK Update October 2002 (5.2.3718.1)
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Morpheus 5.2 (remove only)
mplayer.com
MSN Messenger 6.2
MSN Music Assistant
MSN Toolbar
Musicmatch® Jukebox
Napster v2.0 BETA 10.1
Napster v2.0 BETA 9.6
Natural Color
Network Play System (Patching)
NoAd HOSTS file (remove only)
NoteTab Light (Remove only)
NVIDIA Display Driver
Opera
PhoneTools
QuickTime
Randy Jr
Registry First Aid
Roxio CDEngine
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Self-help Subliminals
Shockwave
SHOUTcast Source DSP 1.8.2 (remove only)
Sierra Account Wizard
Social Security Benefit Calculator
Solution Center
Sound Blaster PCI128 Drivers
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Streaming Media Viewer
Symantec AntiVirus
The Cutting Edge
The Sims Deluxe Edition
Ultra Coaster demo
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
User's Guides
Vampire
VERITAS RecordNow DX
VERITAS RecordNow DX Update Manager
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 Beta 3
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip

Here is my newly run this morning HijackThis log:
Logfile of HijackThis v1.97.3
Scan saved at 6:15:49 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\default\Local Settings\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

It's still running slow and another issue I just had--I set up a free website with Microsoft. When I went to access it, it said I didn't have cookies enabled--which I did. And also--it said I needed the 6. version of IE, when I tried to download it, it said it couldn't download because I had a newer version. So, I couldn't access the account I set up. I emailed Microsoft days ago, but have gotten no response.

Thanks a lot for your help!

#11 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 17 August 2006 - 08:44 PM

You still need to replace your version of HijackThis.
Your version of HijackThis is VERY outdated.
Please download the current version from:
http://www.spywarein.../HijackThis.exe
Please save it in a convenient permanent folder such as C:\HJT\,
and be sure the next log is with the newer version.

Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, Right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.
You can re-enable it once your system is clean.
Better yet though, uninstall it (it's an old version), and replace it with Microsoft Windows Defender (they changed the name when it was updated).

[quote]The Randy Jr program--yeh, I installed that. It was a little guy on my desktop that gave me words of wisdom. He got removed through the Ad-Aware run I think, because he's not there anymore. Should I not have him there?[/quote]

If Ad-Aware removed part of it, it should go.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs:
Advanced Searchbar
Randy Jr


Also uninstall these versions of Sun Java which are outdated.
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.1_03
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_03


Also uninstall these outdated programs.
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4


Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:
  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Click Proceed.

3) To start the scan, Click > "Scan Now" at left
  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.
  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
Next, if you do not already have it, please download Spybot Search & Destroy from here:
http://www.safer-net...load/index.html
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D.

Spybot Full Scan
Next, please run Spybot Search & Destroy.
Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems".

Next, download and install the current version of Sun Java.
  • Download the offline installer from HERE.
    • Accept the License Agreement
    • Select "Windows Offline Installation, Multi-language".
    • Save the file to your Desktop.
  • Install the new version by double-clicking on the file you downloaded.
Please post a new HijackThis log with the current version.



#12 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 August 2006 - 09:50 AM

Did all of the above. When I went to download Sun Java, there was a lot to choose from. I downloaded JDK 5.0 Update 8--hopefully this was the one you needed me to download.

Here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:46 AM, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\UNZIPPED\MOZILL~1.7-W\MOZILL~1\MOZILL~1.EXE
C:\Documents and Settings\default\Desktop\VIRUS STUFF\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

THANKS!

#13 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 19 August 2006 - 11:12 AM

[quote]When I went to download Sun Java, there was a lot to choose from. I downloaded JDK 5.0 Update 8--hopefully this was the one you needed me to download.[/quote]

I had to change the link (that one was no longer working), and the current link for the page I wanted would now be:
http://javashoplm.su...sactionId=noreg

You didn't need the Java Development Kit, only the runtime environment, but from your log it looks like it installed just fine.

Does your problem appear resolved?



#14 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 21 August 2006 - 05:30 AM

[quote]Does your problem appear resolved?[/quote]

Yes, it seems to be running faster now. I got a message this morning though that my antivirus protection was expired. Do you have any suggestions for that? Also, whenever I tried to play a movie with quicktime, it either shows the icon broken or, after I reloaded quicktime, it has a question mark in it.
Thanks again!!!

#15 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 21 August 2006 - 06:42 PM

whenever I tried to play a movie with quicktime, it either shows the icon broken or, after I reloaded quicktime, it has a question mark in it.

I believe a Quicktime icon with a question mark over it means Quicktime is trying to play the file, but can't because it's encoded with an incompatible codec or the file is corrupt.

I got a message this morning though that my antivirus protection was expired. Do you have any suggestions for that?

Absolutely, and it will also probably speed up your system, since you have Norton AntiVirus, which has been known to slow some systems down. For a free antivirus, try AVG 7 Free available at http://free.grisoft....2/lng/us/tpl/v5 or Free avast! 4 Home Edition at http://www.avast.com...ast_4_home.html. Either one should work well.

First, download the antivirus you decide on so you have the installation file available on your hard disc.

To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, then physically disconnect from the Internet and follow the instructions after uninstalling NAV:
How to uninstall Norton AntiVirus 2004/2005/2006 (note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002

Then install your new antivirus, reconnect to the Internet and immediately update the antivirus program.

After that, if you post a new HijackThis log, I'll check it for you.



#16 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 23 August 2006 - 10:38 AM

Well, I downloaded AVG before I realized I shouldn't have till I removed Symantec. So, I have not removed Symantec yet--the directions look complicated & was wondering if I should remove AVG & start over.
An issue I am concerned about right now is...AVG found a virus--C:\p2p.exe Trojan horse Dialer.22.AQ. When I right click & try to heal, move or delete, I get a message that says "Requested action not available for this object."
After today, I won't be able to get back to this forum to check it, so please don't deactivate me. I will be out in the boonies with no computer till the first part of September.
However, I will check back tonight just in case.
Thanks!!!

#17 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 23 August 2006 - 06:48 PM

If you already installed AVG, just go ahead and follow the instructions for removing Norton AntiVirus. You don't want both on the system at the same time; you can end up with less protection due to conflicts, not more.

Actually, once you print out the instructions from Symantec, you find that it's not really that complicated. It's easy to follow step by step instructions.

In the meantime, since AVG can't remove that file, try to remove it manually from Safe Mode:

Reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Once in Safe Mode, using Windows Explorer, delete C:\p2p.exe.
If you can't delete it, let me know.

After you remove Norton AntiVirus, please post a new HijackThis log, and also let me know if there are other files that AVG detects that it can't remove.

Don't worry, since you'll be away, I'll keep the topic open longer than normal. :)



#18 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 01 September 2006 - 08:18 AM

Hi, I'm back & thanks for keeping this open. Before I left I removed p2p in Safe Mode.
Currently my computer is very slow and I am getting the following message:
Configuration Warning. An error occurred reading the startup configuration file. Please contact your administrator. prefs.js, line 44:Syntax Error: illegal character.
I click on OK & it gets me to where I am going, but slowly.
I still have not removed Norton. I'm going to look at the instructions & attempt it today.
Something's going on here. I dunno.
Thanks.

#19 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 02 September 2006 - 08:32 AM

Currently my computer is very slow and I am getting the following message:
Configuration Warning. An error occurred reading the startup configuration file. Please contact your administrator. prefs.js, line 44:Syntax Error: illegal character.


That would seem to be a Netscape error. If Netscape crashes, you can get that error. You can follow the instructions on the below page to attempt to edit the file, and if that doesn't work, there are also instructions for replacing the file with a backup.

http://home.att.net/...yntaxerror.html

After you address that problem, I would read this page on how to backup your Netscape profile:
http://home.att.net/...ckuprofile.html



#20 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 03 September 2006 - 11:37 AM

Ok...Someone told me that my Mozilla Firebird browser was outdated and to download Firefox. I did that and the previously mentioned Configuration Warning disappeared.
I removed Symantec, but get a message that I am unprotected. Ignore? AVG is installed.
Here is my new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:04 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\My Documents\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

THANKS!

#21 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,475 posts

Posted 03 September 2006 - 04:09 PM

I removed Symantec, but get a message that I am unprotected. Ignore? AVG is installed.

I would ignore it. It was probably a warning that you would be unprotected removing your Symantec software, but didn't take into consideration you might dare to use someone else's software :D

I see no malware in your log :)

Create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close
Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).
You need a software firewall. I didn't see one in your HijackThis log (the XP SP2 firewall isn't sufficient protection, it only checks incoming data). Two free firewalls are Sunbelt Kerio Personal Firewall available from http://www.sunbelt-s...e.com/Kerio.cfm, or Zone Alarm from zonelabs.com http://www.zonelabs....reeDownload.jsp. There is a tutorial on understanding firewalls at http://www.bleepingc...tutorial60.html.

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available at http://www.mvps.org/...p2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewa...uc/resource.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools...m/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywar...showtopic=60955

Does your problem appear resolved?



#22 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 09 September 2006 - 09:31 AM

Problems...I am using my computer at work to communicate with you.
I downloaded the programs you suggested yesterday. This morning I turned on my computer and got the error message: Microsoft C++ Debug Library Debug Assertion Failed Program: C:\Program Files\SEC\Natural Color\Natural Colorload.exe File: C\Work\NC2-20020220 & then it is garbled with other info.
I clicked retry and the computer froze. I had to manually shut it down. Back on--same message--this time I clicked ignore--computer froze. Manually shut down, this time my desktop came up white with Active Desktop Recovery. It froze & would not allow me to make it active. Manually shut down again.
Please help!!!!!! Thanks!!!

#23 Chancellor

Chancellor

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,020 posts

Posted 09 September 2006 - 05:29 PM

Hello Dabees,

TheJoker is away at the moment, so I shall be standing in to help you.

Sorry to hear about your current difficulties. However as you are running Windows XP – we should be able to use a feature that allows you to revert your computer to a “Last Known Good Configuration”.

So, please:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the option for “Last Known Good Configuration” and allow Windows to boot up
This should, as the name implies, restore your system to the state it was in before things went astray.

If this doesn’t work – try booting into Safe Mode using the method above only select the Safe Mode option when the menu appears.

Once you have managed to boot up, please could you post a fresh HijackThis log?

Thanks, I’ll look out for your reply.

:)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#24 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 10 September 2006 - 07:12 AM

A friend at work told me to reboot in safemode & go to restore. Which I did, but it only allowed me to choose 9-8 date. But I don't get the freeze up anymore. Here is my new hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 8:10:23 AM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\default\Desktop\VIRUS STUFF\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\My Documents\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks.
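The two HijackThis logs posted so far in this thread (scans saved 9/3/2006 and 9/10/2006) can be compared mechanically instead of by eye. The following Python is an added example, not part of the original posts and not part of HijackThis; the function names are hypothetical and the log excerpts are constructed by trimming lines from the two logs above.

```python
import re
from collections import Counter

# Constructed excerpts: lines copied from the two logs posted in this thread,
# trimmed to a handful of entries so the example runs offline.
LOG_SEP_3 = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:31:04 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
"""

LOG_SEP_10 = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:10:23 AM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
"""

# Section lines look like "O4 - ..." or "R1 - ...": a letter, digits, " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
SCAN_PREFIX = "Scan saved at "


def parse_hijackthis(text):
    """Split a HijackThis log into header fields, processes and entries."""
    log = {"scan_saved": None, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            log["entries"].append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log["processes"].append(line)
        elif line.startswith(SCAN_PREFIX):
            log["scan_saved"] = line[len(SCAN_PREFIX):]
    return log


def diff_logs(old, new):
    """Report what changed between two parsed logs.

    Windows paths are case-insensitive and one image can run several times
    (svchost.exe), so processes are compared as lower-cased multisets.
    """
    old_p = Counter(p.lower() for p in old["processes"])
    new_p = Counter(p.lower() for p in new["processes"])
    old_e, new_e = set(old["entries"]), set(new["entries"])
    return {
        "processes_started": sorted((new_p - old_p).elements()),
        "processes_gone": sorted((old_p - new_p).elements()),
        "entries_added": sorted(new_e - old_e),
        "entries_removed": sorted(old_e - new_e),
    }


def missing_file_entries(log):
    """Entries HijackThis itself marked '(file missing)': leftover registrations."""
    return [(code, text) for code, text in log["entries"]
            if "(file missing)" in text]


if __name__ == "__main__":
    before = parse_hijackthis(LOG_SEP_3)
    after = parse_hijackthis(LOG_SEP_10)
    for key, values in diff_logs(before, after).items():
        print(key)
        for value in values:
            print("   ", value)
    print("file missing:", missing_file_entries(after))
```

On these excerpts only the process list differs between the two scans; the registry-backed entries are unchanged.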

#25 Chancellor

Chancellor

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,020 posts

Posted 11 September 2006 - 05:37 PM

Hello again Dabees,

Glad to read that you have managed to restore your computer. Thanks too for posting an updated HijackThis log.

There aren't any entries showing up which would indicate any form of Malware, the only unusual entry is: O11 - Options group: [INTERNATIONAL] International*

This indicates that a non-default option has been added to the Advanced Options Tab in Internet Explorer. Can you tell me if either you or your Computer Administrator have added this entry?

Also, in order to see what else may be causing the problems you have been experiencing, could you please download OldTimer's Winpfind.

Unzip it to your desktop and double-click Winpfind.exe to run the scan.

Once the scan is finished, please CLOSE the Notepad window that pops up. Then please post the entire contents of the logfile winpfind.txt here for me.

Thanks :)
Chancellor


#26 Dabees

Dabees

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 September 2006 - 07:12 AM

I don't know where the 011-options group International, etc. came from--should I remove it?
Meanwhile, I tried to download and run Winpfind. I got a message Winpfind file not found. I clicked ok and there was what looked like a notepad box come up. At the top there was an option to Start Scan, so I clicked on that. I got the hour glass for over an hour, so tried it before I went to bed. This morning the hour glass was still on it, so evidently it was not working.
My computer is running super slow now.

#27 Chancellor

Chancellor

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,020 posts

Posted 15 September 2006 - 10:03 AM

Hi,

Sorry about that link not working - Let's try this:

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkbox for
    • HKCU_IEDesktop.def
    • Policies.def
    to select it.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report did fit into the post. If it did, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.
The O11 Options group isn't malicious - it is just non-standard. However, before doing anything else, let's see what the Winpfind shows us.

Thanks :)
Chancellor


#28 Dabees

Posted 15 September 2006 - 08:28 PM

After opening I got an error message "I/O error 103." I clicked ok and tried it anyway. The Addon-Options box had nothing in it for me to click and select. I followed the rest of the instructions till I tried to Run All Scans. I received another error message "Access violation at address 00485F67 in module 'winpfind2.exe'. Read of address 00000004."
I clicked ok, clicked simple report, and nothing came up.
Something wacky going on with my computer.

#29 Chancellor

Posted 17 September 2006 - 06:00 AM

Hello Dabees,

We are looking into the error you have reported in trying to run WinPFind2, but whilst we are waiting, could you please download GMER Rootkit Scanner
  • Unzip it to your desktop
  • Double-Click on GMER.exe to open the program and click on the Rootkit tab
  • Make sure all the boxes on the right of the screen are checked, apart from Show All
  • Click on Scan
  • Once the scan has run click Copy and paste the results (if any) into this thread.
If you're having problems with running GMER.exe, try running it in Safe Mode, it works there where other rootkit scanners do not!

I'll look out for your reply.

:)

Edited by Chancellor, 17 September 2006 - 06:02 AM.

Chancellor


#30 Chancellor

Posted 17 September 2006 - 06:15 AM

Hi,

Just a quick follow up to the error you reported when trying to run WinPFind2.

The I/O error occurs when you try to run the program directly from the zip file.

Could you "unzip it to your Desktop" where it will create a folder from which you can then run it.

Could you please post the log into your next reply. You may find that if you try and post both the WinPFind and Gmer logs into the same thread, they will be cut short by the board software. If this happens, please just follow on with the remainder of the logs in a second post.

Thanks :)
Chancellor


#31 Dabees

Posted 17 September 2006 - 07:33 AM

Sorry about the hassle--I'm not the sharpest tack when it comes to these things.
Appreciate the help very, very much. Here are the logs:
Logfile created on: 09/17/2006 07:47
WinPFind2 by OldTimer - Version 1.0.9 Folder = C:\unzipped\winpfind2\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5450.4)


< All Processes >
c:\windows\system32\alg.exe - (Microsoft Corporation )
c:\program files\symantec\liveupdate\aluschedulersvc.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\appcore\appsvc32.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccapp.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccsvchst.exe - (Symantec Corporation )
\??\c:\windows\system32\csrss.exe - (Microsoft Corporation )
c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe - (SEIKO EPSON CORPORATION )
c:\program files\common files\epson\ebapi\eebsvc.exe - ( )
c:\windows\explorer.exe - (Microsoft Corporation )
c:\documents and settings\default\desktop\virus stuff\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
c:\program files\hp\hp software update\hpwuschd2.exe - (Hewlett-Packard Co. )
c:\program files\iriver\ihp100\ihpdetect.exe - (Reigncom, Jonadan Jeon )
c:\program files\java\jre1.5.0_08\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\windows\system32\lsass.exe - (Microsoft Corporation )
c:\program files\common files\microsoft shared\vs7debug\mdm.exe - (Microsoft Corporation )
c:\program files\musicmatch\musicmatch jukebox\mmtask.exe - (Musicmatch Inc. )
c:\program files\messenger\msmsgs.exe - (Microsoft Corporation )
c:\program files\sec\natural color\naturalcolorload.exe - ( )
c:\windows\system32\nvsvc32.exe - (NVIDIA Corporation )
c:\program files\quicktime\qttask.exe - (Apple Computer, Inc. )
c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
c:\windows\system32\services.exe - (Microsoft Corporation )
\systemroot\system32\smss.exe - (Microsoft Corporation )
c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe - (Symantec Corporation )
c:\windows\system32\wdfmgr.exe - (Microsoft Corporation )
\??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
c:\unzipped\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\progra~1\winzip\winzip32.exe - (WinZip Computing, Inc. )
c:\program files\common files\microsoft shared\works shared\wkcalrem.exe - (Microsoft® Corporation )
c:\program files\winzip\wzqkpick.exe - (WinZip Computing, Inc. )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKCU->Internet Explorer\\SearchURL - http://www.google.com
HKLM->Main\\Start Page - http://go.microsoft....cid={SUB_CLCID}
HKLM->Main\\Search Bar - http://ie.search.msn...st/srchasst.htm
HKLM->Main\\Search Page - http://go.microsoft....k/?LinkId=54896
HKLM->Main\\Default_Page_URL - http://go.microsoft....k/?LinkId=54729
HKLM->Main\\Default_Search_URL - http://go.microsoft....k/?LinkId=54896
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://www.msn.com/
HKCU->Main\\Search Bar - http://home.microsof...obby/search.asp
HKCU->Main\\Search Page - http://www.microsoft...amp;ar=iesearch
HKCU->Main\\Default_Search_URL -
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn...st/srchasst.htm
HKCU->Search\\SearchAssistant - http://ie.search.msn...st/srchcust.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{1E8A6170-7264-4D0F-BEAE-D42A53123C75} - Reg Data missing or invalid = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll (Symantec Corporation )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc. )
{9394EDE7-C8B5-483E-8773-474BF36AF6E4} - ST = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation )
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation )
{CC7E636D-39AA-49b6-B511-65413DA137A1} - IE DOM Explorer = C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation )
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
{A202B231-EF71-4a08-BDB9-4CE5AE8BDE0A} - IE DOM Explorer = C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{21569614-B795-46B1-85F4-E737A8DC09AD} - Shell Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{30D02401-6A81-11D0-8274-00C04FD5AE38} - IE Search Band = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File and Folders Search ActiveX Control = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{90222687-F593-4738-B738-FBEE9C7B26DF} - Show Norton Toolbar = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation )
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation )
{CC962137-2E78-4f94-975E-FC0C07DBD78F} - Developer Toolbar = C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation )
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar_en_2.0.113-big.dll (File not found))
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = Reg Data missing or invalid (File not found))

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8200 - Sun Java Console
{08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - 8192 - Reg Data missing or invalid
{119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - 8203 - Reg Data missing or invalid
{2FDEF853-0759-11D4-A92E-006097DBED37} - 8195 - Reg Data missing or invalid
{3369AF0D-62E9-4bda-8103-B4C75499B578} - 8201 - Reg Data missing or invalid
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - 8199 - Reg Data missing or invalid
{4B30061A-5B39-11D3-80F8-0090276F843F} - 8197 - Reg Data missing or invalid
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8202 - Reg Data missing or invalid
{5DA9DE80-097A-11D4-A92E-006097DBED37} - 8196 - Reg Data missing or invalid
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8198 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Windows Messenger
NextId - 8204

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc. )
{e2e2dd38-d088-4134-82b7-f2ba38496583} - MenuText: @xpsp3res.dll,-20001 = Reg Data missing or invalid (File not found))
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
&Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsearch.html (File not found))
Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add (File not found))
Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmbacklinks.html (File not found))
Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmcache.html (File not found))
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 (Microsoft Corporation )
Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (File not found))
Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmsimilar.html (File not found))
Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.113-big.dll/cmtrans.html (File not found))

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = Reg Data missing or invalid (File not found))
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{10020E84-840F-474A-9B5C-B043F0EBFC65} - iRivEncShlExt extension = C:\Program Files\iRiver\iHP100\iRivEncrypt.dll ( )
{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\SYSTEM32\NVSHELL.DLL (NVIDIA Corporation )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\SYSTEM32\NVSHELL.DLL (NVIDIA Corporation )
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} - = Reg Data missing or invalid (File not found))

[HKCU-> Approved Shell Extensions]
{0006F045-0000-0000-C000-000000000046} - Microsoft Outlook Custom Icon Handler = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL (Microsoft Corporation )
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL (Microsoft Corporation )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - iRivEncrypt - {10020E84-840F-474A-9B5C-B043F0EBFC65} = C:\Program Files\iRiver\iHP100\iRivEncrypt.dll ( )
* - Symantec.Norton.Antivirus.IEContextMenu - {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll (Symantec Corporation )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Folder - iRivEncrypt - {10020E84-840F-474A-9B5C-B043F0EBFC65} = C:\Program Files\iRiver\iHP100\iRivEncrypt.dll ( )
Folder - Symantec.Norton.Antivirus.IEContextMenu - {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll (Symantec Corporation )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\system32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\ccApp - "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation )
HKLM->Run\\EPSON Stylus CX6400 - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400" (SEIKO EPSON CORPORATION )
HKLM->Run\\HP Software Update - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co. )
HKLM->Run\\iHP-100 - C:\Program Files\iRiver\iHP100\iHPDetect.exe (Reigncom, Jonadan Jeon )
HKLM->Run\\iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (File not found))
HKLM->Run\\Microsoft Works Portfolio - C:\Program Files\Microsoft Works\WksSb.exe /AllUsers (Microsoft® Corporation )
HKLM->Run\\mmtask - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe (Musicmatch Inc. )
HKLM->Run\\NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (File not found))
HKLM->Run\\nwiz - nwiz.exe /install (NVIDIA Corporation )
HKLM->Run\\osCheck - "C:\Program Files\Norton Internet Security\osCheck.exe" (Symantec Corporation )
HKLM->Run\\QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->Run\\StorageGuard - "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r (VERITAS Software, Inc. )
HKLM->Run\\SunJavaUpdateSched - "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" (Sun Microsystems, Inc. )
HKLM->Run\\SystemTray - SysTray.Exe (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MSMSGS - "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{553858A7-4922-4e7e-B1C1-97140C1C16EF} - IE Component Categories cache daemon = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]
Session Manager\\PendingFileRenameOperations - \??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\SyKnAppS\6a136bea-4f57-4c8d-8d55-162a92cfd5a3_cohcol.wlt;

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]
Q312461 -

[>> Winlogon <<]
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{0D4DCA7A-2134-4A36-8E7B-5905BD533A41} - (3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible))
{5AC5B439-89CE-4BBF-9255-A55960A8724F} - ()

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< All Services >
Application Layer Gateway Service (ALG) - C:\WINDOWS\System32\alg.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in it's own process]
Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Automatic LiveUpdate Scheduler (Automatic LiveUpdate Scheduler) - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Symantec Event Manager (ccEvtMgr) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (Symantec Corporation ) [Automatic - Running - Win32, running in a shared process]
Symantec Settings Manager (ccSetMgr) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (Symantec Corporation ) [Automatic - Running - Win32, running in a shared process]
Symantec Lic NetConnect service (CLTNetCnService) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (Symantec Corporation ) [Automatic - Running - Win32, running in a shared process]
Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DCOM Server Process Launcher (DcomLaunch) - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
EpsonBidirectionalService (EpsonBidirectionalService) - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe ( ) [Automatic - Running - Win32, running in it's own process]
EPSON Printer Status Agent2 (EPSONStatusAgent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION ) [Automatic - Running - Win32, running in it's own process]
Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Event Log (Eventlog) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
ewido anti-spyware 4.0 guard (ewido anti-spyware 4.0 guard) - C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Machine Debug Manager (MDM) - "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
NVIDIA Display Driver Service (NVSvc) - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation ) [Automatic - Running - Win32, running in it's own process]
Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
IPSEC Services (PolicyAgent) - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Remote Registry (RemoteRegistry) - C:\WINDOWS\system32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Symantec Core LC (Symantec Core LC) - "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (Symantec Corporation ) [On Demand - Running - Win32, running in it's own process]
Symantec AppCore Service (SymAppCore) - "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Terminal Services (TermService) - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Themes (Themes) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
WebClient (WebClient) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]

< Files >

%SystemDrive%
C:\sql2kasp3.exe - UPX! (InstallShield Software Corporation [Ver = 2.04.001 | Size = 45668000 bytes | Date = 03/09/2003 15:20 | Attr = ])

%ProgramFilesDir%
C:\Program Files\msdemo_en.exe - FSG! (Wizards of the Coast [Ver = | Size = 45495033 bytes | Date = 05/29/2003 12:56 | Attr = ])
C:\Program Files\GunzInternational_20050706.exe - PEC2 ( [Ver = | Size = 138280280 bytes | Date = 07/21/2005 00:44 | Attr = ])

%WinDir%
C:\WINDOWS\vsapi32.dll - UPX! (Trend Micro Inc. [Ver = 6.640-1001 | Size = 923136 bytes | Date = 10/06/2003 21:28 | Attr = ])
C:\WINDOWS\vsapi32.dll - aspack (Trend Micro Inc. [Ver = 6.640-1001 | Size = 923136 bytes | Date = 10/06/2003 21:28 | Attr = ])

%System%
C:\WINDOWS\SYSTEM32\supporter5.exe - aspack ( [Ver = | Size = 227080 bytes | Date = 04/07/2002 16:44 | Attr = ])
C:\WINDOWS\SYSTEM32\azip32.dll - UPX! (littleBIGware [Ver = 0.72 | Size = 57856 bytes | Date = 07/25/2000 23:51 | Attr = ])
C:\WINDOWS\SYSTEM32\imscan.dll - UPX! (Panda Software [Ver = 1, 8, 0, 24 | Size = 422400 bytes | Date = 10/11/2001 05:04 | Attr = ])
C:\WINDOWS\SYSTEM32\imscan.dll - PEC2 (Panda Software [Ver = 1, 8, 0, 24 | Size = 422400 bytes | Date = 10/11/2001 05:04 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - PECompact2 (Microsoft Corporation [Ver = 1.20.1625.0 | Size = 8960936 bytes | Date = 09/11/2006 12:37 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - aspack (Microsoft Corporation [Ver = 1.20.1625.0 | Size = 8960936 bytes | Date = 09/11/2006 12:37 | Attr = ])
C:\WINDOWS\SYSTEM32\dfrg.msc - PEC2 ( [Ver = | Size = 41397 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\ntdll.dll - aspack (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 708096 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_26.dll - aspack (Microsoft Corporation [Ver = 9.07.239.0000 | Size = 2297552 bytes | Date = 05/26/2005 15:34 | Attr = ])
C:\WINDOWS\SYSTEM32\LegitCheckControl.dll - PTech (Microsoft Corporation [Ver = 1.5.0540.0 | Size = 571184 bytes | Date = 06/19/2006 16:19 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\rasdlg.dll - Umonitor (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 657920 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\iv4.dll - aspack ( [Ver = | Size = 1105920 bytes | Date = 05/09/2006 21:10 | Attr = ])
C:\WINDOWS\SYSTEM32\WgaTray.exe - PTech (Microsoft Corporation [Ver = 1.5.0540.0 | Size = 304944 bytes | Date = 06/19/2006 16:19 | Attr = ])
C:\WINDOWS\SYSTEM32\ntbackup.exe - WSUD (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1200128 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\Incinerator.dll - aspack (iolo technologies, LLC [Ver = 3.7.3.0 | Size = 309248 bytes | Date = 06/04/2002 16:48 | Attr = ])

%System%\Drivers folder and sub-folders
C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys - PTech (Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Date = 08/04/2004 00:41 | Attr = ])

%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 09/16/2006 22:17 | Attr = S])
C:\WINDOWS\QTFont.qfn - ( [Ver = | Size = 54156 bytes | Date = 09/13/2006 08:36 | Attr = H ])
C:\WINDOWS\SYSTEM32\vsconfig.xml - ( [Ver = | Size = 48882 bytes | Date = 09/10/2006 07:28 | Attr = H ])
C:\WINDOWS\SYSTEM32\zllictbl.dat - ( [Ver = | Size = 4212 bytes | Date = 09/08/2006 08:31 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\system.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 07:10 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 07:29 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 07:10 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 07:09 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 07:10 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/14/2006 11:45 | Attr = H ])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 - ( [Ver = | Size = 94 bytes | Date = 09/03/2006 10:12 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1 - ( [Ver = | Size = 128 bytes | Date = 09/03/2006 10:13 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 - ( [Ver = | Size = 216 bytes | Date = 09/14/2006 09:32 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 - ( [Ver = | Size = 216 bytes | Date = 09/14/2006 09:32 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 - ( [Ver = | Size = 688 bytes | Date = 09/03/2006 10:12 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1 - ( [Ver = | Size = 70226 bytes | Date = 09/03/2006 10:13 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 - ( [Ver = | Size = 18 bytes | Date = 09/14/2006 09:32 | Attr = S])
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 - ( [Ver = | Size = 21083 bytes | Date = 09/14/2006 09:32 | Attr = S])
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat - ( [Ver = | Size = 23751 bytes | Date = 07/28/2006 07:16 | Attr = S])
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat - ( [Ver = | Size = 10925 bytes | Date = 07/21/2006 04:03 | Attr = S])
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat - ( [Ver = | Size = 10337 bytes | Date = 07/27/2006 09:00 | Attr = S])
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922582.cat - ( [Ver = | Size = 11749 bytes | Date = 08/21/2006 08:00 | Attr = S])
C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred - ( [Ver = | Size = 24 bytes | Date = 09/03/2006 10:15 | Attr = HS])
C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\ac45305f-829c-47ee-b43c-405f9cf9485b - ( [Ver = | Size = 388 bytes | Date = 09/03/2006 10:15 | Attr = HS])
C:\WINDOWS\TASKS\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 09/16/2006 22:18 | Attr = H ])
C:\WINDOWS\TASKS\{6258DA41-4A4A-443E-BF92-E46E4CF82C57}_Default.job - ( [Ver = | Size = 340 bytes | Date = 09/13/2006 16:40 | Attr = H ])
C:\WINDOWS\page files\maxmeg.sys - ( [Ver = | Size = 1025 bytes | Date = 09/26/2029 10:05 | Attr = HS])
CPL files -
C:\WINDOWS\SYSTEM32\nvtuicpl.cpl - (NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 73728 bytes | Date = 10/06/2003 14:16 | Attr = ])
C:\WINDOWS\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 5.0.80.3 | Size = 49265 bytes | Date = 07/26/2006 03:03 | Attr = ])
C:\WINDOWS\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 618496 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 04:16 | Attr = ])
C:\WINDOWS\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 549888 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\netsetup.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 94208 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 7.00.5450.4 (winmain(wmbla).060623-0309) | Size = 1402368 bytes | Date = 06/23/2006 05:41 | Attr = ])
C:\WINDOWS\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 114688 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) | Size = 32768 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 155136 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 380416 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wscui.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 148480 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\firewall.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 80384 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\bthprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 110592 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 04:16 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl - (Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) | Size = 32768 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 549888 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 80384 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 110592 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\joy.cpl - (Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl - (Microsoft Corporation [Ver = 7.00.5450.4 (winmain(wmbla).060623-0309) | Size = 1402368 bytes | Date = 06/23/2006 05:41 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl - (Microsoft Corporation [Ver = 5.1.4111.00 (xpsp_sp2_rtm.040803-2158) | Size = 155648 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 155136 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 380416 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 618496 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 114688 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 03/31/2003 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 94208 bytes | Date = 08/04/2004 02:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 148480 bytes | Date = 08/04/2004 02:56 | Attr = ])

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Date = 09/23/2005 22:05 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 09/04/2003 14:45 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (Microsoft® Corporation [Ver = 6.00.1828.1 | Size = 24633 bytes | Date = 06/29/2000 16:15 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe ( [Ver = 2, 0, 1, 1 | Size = 155715 bytes | Date = 04/12/2002 14:39 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Resolution Assistant.lnk - C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe (Motive Communications, Inc. [Ver = 3.02.01.20000518_111104 | Size = 143360 bytes | Date = 05/18/2000 11:56 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 118784 bytes | Date = 04/25/2003 09:00 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\default\Start Menu\Programs\Startup
C:\Documents and Settings\default\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 09/04/2003 14:45 | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe
Wininit.ini: Line 1 - [rename]
Wininit.ini: Line 2 - NUL=C:\WINDOWS\TEMP\WINNT32.EXE
Wininit.ini: Line 3 - DIRNUL=C:\PROGRA~1\Intel\CREATE~1\program\UNINST~1
Wininit.ini: Line 4 - DIRNUL=C:\PROGRA~1\Intel\CREATE~1\program\REALIT~1
Wininit.ini: Line 5 - NUL=c:\windows\aolunins.exe
WinStart.bat: Line 1 - @C:\WINDOWS\tmpcpyis.bat
DosStart.bat: Line 1 - @echo off
DosStart.bat: Line 3 - REM Notes:
DosStart.bat: Line 4 - REM DOSSTART.BAT is run whenenver you choose "Restart the computer
DosStart.bat: Line 5 - REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
DosStart.bat: Line 6 - REM you to load programs that you might not want loaded in Windows,
DosStart.bat: Line 7 - REM (because they have functional equ

#32 Dabees


Posted 17 September 2006 - 07:39 AM

Cont.
Windows
DosStart.bat: Line 11 - REM and MS-DOS should be placed in the Autoexec.bat in the
DosStart.bat: Line 12 - REM \Image directory of your reference server. Please note that for
DosStart.bat: Line 13 - REM MSCDEX you will need to load the corresponding real-mode CD
DosStart.bat: Line 14 - REM driver in Config.sys. This driver won't be used by Windows 98
DosStart.bat: Line 15 - REM but will be available prior to and after Windows 98 exits.
DosStart.bat: Line 16 - REM
DosStart.bat: Line 17 - REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
DosStart.bat: Line 18 - REM before Windows loads and access the CD-ROM. All you have to do
DosStart.bat: Line 19 - REM is press F8 and then run DOSSTART to load MSCDEX and your real
DosStart.bat: Line 20 - REM mode mouse driver (no need to remember the command line parameters
DosStart.bat: Line 21 - REM for these two files.
DosStart.bat: Line 22 - REM
DosStart.bat: Line 23 - REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
DosStart.bat: Line 24 - REM - The string following the /D: statement must explicitly match
DosStart.bat: Line 25 - REM the string in CONFIG.SYS following your CD-ROM device driver.
DosStart.bat: Line 27 - REM MSCDEX.EXE /D:OEMCD001 /l:d
DosStart.bat: Line 28 - REM MOUSE.EXE
Config.nt: Line 1 - REM Windows MS-DOS Startup File
Config.nt: Line 2 - REM
Config.nt: Line 3 - REM CONFIG.SYS vs CONFIG.NT
Config.nt: Line 4 - REM CONFIG.SYS is not used to initialize the MS-DOS environment.
Config.nt: Line 5 - REM CONFIG.NT is used to initialize the MS-DOS environment unless a
Config.nt: Line 6 - REM different startup file is specified in an application's PIF.
Config.nt: Line 7 - REM
Config.nt: Line 8 - REM ECHOCONFIG
Config.nt: Line 9 - REM By default, no information is displayed when the MS-DOS environment
Config.nt: Line 10 - REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
Config.nt: Line 11 - REM the command echoconfig to CONFIG.NT or other startup file.
Config.nt: Line 12 - REM
Config.nt: Line 13 - REM NTCMDPROMPT
Config.nt: Line 14 - REM When you return to the command prompt from a TSR or while running an
Config.nt: Line 15 - REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
Config.nt: Line 16 - REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
Config.nt: Line 17 - REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
Config.nt: Line 18 - REM other startup file.
Config.nt: Line 19 - REM
Config.nt: Line 20 - REM DOSONLY
Config.nt: Line 21 - REM By default, you can start any type of application when running
Config.nt: Line 22 - REM COMMAND.COM. If you start an application other than an MS-DOS-based
Config.nt: Line 23 - REM application, any running TSR may be disrupted. To ensure that only
Config.nt: Line 24 - REM MS-DOS-based applications can be started, add the command dosonly to
Config.nt: Line 25 - REM CONFIG.NT or other startup file.
Config.nt: Line 26 - REM
Config.nt: Line 27 - REM EMM
Config.nt: Line 28 - REM You can use EMM command line to configure EMM(Expanded Memory Manager).
Config.nt: Line 29 - REM The syntax is:
Config.nt: Line 30 - REM
Config.nt: Line 31 - REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
Config.nt: Line 32 - REM
Config.nt: Line 33 - REM AltRegSets
Config.nt: Line 34 - REM specifies the total Alternative Mapping Register Sets you
Config.nt: Line 35 - REM want the system to support. 1 <= AltRegSets <= 255. The
Config.nt: Line 36 - REM default value is 8.
Config.nt: Line 37 - REM BaseSegment
Config.nt: Line 38 - REM specifies the starting segment address in the Dos conventional
Config.nt: Line 39 - REM memory you want the system to allocate for EMM page frames.
Config.nt: Line 40 - REM The value must be given in Hexdecimal.
Config.nt: Line 41 - REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
Config.nt: Line 42 - REM 16KB boundary. The default value is 0x4000
Config.nt: Line 43 - REM RAM
Config.nt: Line 44 - REM specifies that the system should only allocate 64Kb address
Config.nt: Line 45 - REM space from the Upper Memory Block(UMB) area for EMM page frames
Config.nt: Line 46 - REM and leave the rests(if available) to be used by DOS to support
Config.nt: Line 47 - REM loadhigh and devicehigh commands. The system, by default, would
Config.nt: Line 48 - REM allocate all possible and available UMB for page frames.
Config.nt: Line 49 - REM
Config.nt: Line 50 - REM The EMM size is determined by pif file(either the one associated
Config.nt: Line 51 - REM with your application or _default.pif). If the size from PIF file
Config.nt: Line 52 - REM is zero, EMM will be disabled and the EMM line will be ignored.
Config.nt: Line 53 - REM
Config.nt: Line 54 - dos=high, umb
Config.nt: Line 55 - device=%SystemRoot%\system32\himem.sys
Config.nt: Line 56 - files=40
AutoExec.nt: Line 1 - @echo off
AutoExec.nt: Line 3 - REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
AutoExec.nt: Line 4 - REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
AutoExec.nt: Line 5 - REM different startup file is specified in an application's PIF.
AutoExec.nt: Line 7 - REM Install CD ROM extensions
AutoExec.nt: Line 8 - lh %SystemRoot%\system32\mscdexnt.exe
AutoExec.nt: Line 10 - REM Install network redirector (load before dosx.exe)
AutoExec.nt: Line 11 - lh %SystemRoot%\system32\redir
AutoExec.nt: Line 13 - REM Install DPMI support
AutoExec.nt: Line 14 - lh %SystemRoot%\system32\dosx
AutoExec.nt: Line 16 - REM The following line enables Sound Blaster 2.0 support on NTVDM.
AutoExec.nt: Line 17 - REM The command for setting the BLASTER environment is as follows:
AutoExec.nt: Line 18 - REM SET BLASTER=A220 I5 D1 P330
AutoExec.nt: Line 19 - REM where:
AutoExec.nt: Line 20 - REM A specifies the sound blaster's base I/O port
AutoExec.nt: Line 21 - REM I specifies the interrupt request line
AutoExec.nt: Line 22 - REM D specifies the 8-bit DMA channel
AutoExec.nt: Line 23 - REM P specifies the MPU-401 base I/O port
AutoExec.nt: Line 24 - REM T specifies the type of sound blaster card
AutoExec.nt: Line 25 - REM 1 - Sound Blaster 1.5
AutoExec.nt: Line 26 - REM 2 - Sound Blaster Pro I
AutoExec.nt: Line 27 - REM 3 - Sound Blaster 2.0
AutoExec.nt: Line 28 - REM 4 - Sound Blaster Pro II
AutoExec.nt: Line 29 - REM 6 - SOund Blaster 16/AWE 32/32/64
AutoExec.nt: Line 30 - REM
AutoExec.nt: Line 31 - REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
AutoExec.nt: Line 32 - REM left unspecified, the default value will be used. (NOTE, since all the
AutoExec.nt: Line 33 - REM ports are virtualized, the information provided here does not have to
AutoExec.nt: Line 34 - REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
AutoExec.nt: Line 35 - REM The T switch must be set to 3, if specified.
AutoExec.nt: Line 36 - SET BLASTER=A220 I5 D1 P330 T3
AutoExec.nt: Line 38 - REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
AutoExec.nt: Line 39 - REM SB base I/O port address. For example:
AutoExec.nt: Line 40 - REM SET BLASTER=A0
AutoExec.nt: Line 42 - REM
AutoExec.nt: Line 43 - REM *************************************************
AutoExec.nt: Line 44 - REM ** Lines below this have been migrated from the
AutoExec.nt: Line 45 - REM ** original Windows Millennium Edition settings.
AutoExec.nt: Line 46 - REM *************************************************
AutoExec.nt: Line 47 - REM
AutoExec.nt: Line 49 - SET windir=C:\WINDOWS
AutoExec.nt: Line 50 - SET winbootdir=C:\WINDOWS
AutoExec.nt: Line 51 - SET COMSPEC=C:\WINDOWS\SYSTEM32\COMMAND.COM
AutoExec.nt: Line 52 - SET PROMPT=$p$g
AutoExec.nt: Line 53 - SET TEMP=C:\WINDOWS\TEMP
AutoExec.nt: Line 54 - SET TMP=C:\WINDOWS\TEMP
AutoExec.nt: Line 56 - SET DXSDKROOT=C:\Program Files\Microsoft SDK\.
AutoExec.nt: Line 58 - PATH=C:\PROGRA~1\COMMON~1\OPSESS~1\VIEWER~1;C:\PROGRA~1\COMMON~1\OPSESS~1\SHARED;C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN;C:\WINDOWS\COMMAND;C:\WINDOWS;C:\WINDOWS\system32
AutoExec.bat: Line 1 - SET windir=C:\WINDOWS
AutoExec.bat: Line 2 - SET winbootdir=C:\WINDOWS
AutoExec.bat: Line 3 - SET COMSPEC=C:\WINDOWS\COMMAND.COM
AutoExec.bat: Line 4 - SET PROMPT=$p$g
AutoExec.bat: Line 5 - SET TEMP=C:\WINDOWS\TEMP
AutoExec.bat: Line 6 - SET TMP=C:\WINDOWS\TEMP
AutoExec.bat: Line 7 - SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN;C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN;C:\PROGRA~1\COMMON~1\OPSESS~1\SHARED;C:\PROGRA~1\COMMON~1\OPSESS~1\VIEWER~1
AutoExec.bat: Line 8 - SET DXSDKROOT=C:\Program Files\Microsoft SDK\.

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 09/04/2003 14:35 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1751 bytes | Date = 08/23/2006 13:42 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\default\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 09/04/2003 14:35 | Attr = HS])
C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 79656 bytes | Date = 09/16/2006 09:03 | Attr = ])
C:\Documents and Settings\default\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 03/11/2003 07:56 | Attr = ])
C:\Documents and Settings\default\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini - ( [Ver = | Size = 9216 bytes | Date = 07/01/2006 21:39 | Attr = ])
C:\Documents and Settings\default\Application Data\ntl.nws - ( [Ver = | Size = 1401 bytes | Date = 06/25/2003 18:26 | Attr = ])
C:\Documents and Settings\default\Application Data\ntl.ini - ( [Ver = | Size = 157 bytes | Date = 08/07/2003 14:14 | Attr = ])
C:\Documents and Settings\default\Application Data\dw.log - ( [Ver = | Size = 172 bytes | Date = 06/27/2003 20:02 | Attr = ])
C:\Documents and Settings\default\Application Data\fusioncache.dat - ( [Ver = | Size = 75 bytes | Date = 07/18/2003 16:07 | Attr = ])
C:\Documents and Settings\default\Application Data\IconCache.db - ( [Ver = | Size = 2640138 bytes | Date = 04/22/2005 15:55 | Attr = H ])

Program Files Folder
C:\Program Files\folder.htt - ( [Ver = | Size = 23357 bytes | Date = 10/13/2000 16:56 | Attr = H ])
C:\Program Files\desktop.ini - ( [Ver = | Size = 271 bytes | Date = 10/13/2000 16:56 | Attr = HS])
C:\Program Files\fbimage.zip - ( [Ver = | Size = 10498 bytes | Date = 04/22/2003 12:41 | Attr = ])
C:\Program Files\arttoday.zip - ( [Ver = | Size = 132557 bytes | Date = 02/03/2002 19:07 | Attr = ])
C:\Program Files\swolf504.exe - ( [Ver = | Size = 2579098 bytes | Date = 07/24/2002 13:56 | Attr = ])
C:\Program Files\hexfader.zip - ( [Ver = | Size = 18423 bytes | Date = 04/22/2003 12:41 | Attr = ])
C:\Program Files\DX81NTeng.exe - (Microsoft Corporation [Ver = 5.1.2600.901 | Size = 7902576 bytes | Date = 08/05/2002 17:12 | Attr = ])
C:\Program Files\DX81eng.exe - (Microsoft Corporation [Ver = 4.08.01.0901 | Size = 12147056 bytes | Date = 08/05/2002 17:19 | Attr = ])
C:\Program Files\MSWINERR.ZIP - ( [Ver = | Size = 62787 bytes | Date = 08/11/2002 09:10 | Attr = ])
C:\Program Files\o2ksr1a.exe - (Microsoft Corporation [Ver = 4.71.1015.0 | Size = 169560 bytes | Date = 10/30/2002 07:44 | Attr = ])
C:\Program Files\mfc42.zip - ( [Ver = | Size = 452451 bytes | Date = 11/17/2002 08:03 | Attr = ])
C:\Program Files\ds7e.zip - ( [Ver = | Size = 1075176 bytes | Date = 02/09/2003 03:12 | Attr = ])
C:\Program Files\ie6setup.exe - (Microsoft Corporation [Ver = 6.00.2800.1106 | Size = 490608 bytes | Date = 02/19/2003 13:27 | Attr = ])
C:\Program Files\becSetup.exe - ( [Ver = | Size = 112180 bytes | Date = 04/22/2003 18:25 | Attr = ])
C:\Program Files\wzbeta90.exe - ( [Ver = | Size = 2311136 bytes | Date = 05/25/2003 22:16 | Attr = ])
C:\Program Files\setup_blazemp.exe - ( [Ver = | Size = 14689760 bytes | Date = 05/25/2003 13:45 | Attr = ])
C:\Program Files\klcodec203f.exe - ( [Ver = | Size = 7798213 bytes | Date = 05/25/2003 18:24 | Attr = ])
C:\Program Files\msdemo_en.exe - (Wizards of the Coast [Ver = | Size = 45495033 bytes | Date = 05/29/2003 12:56 | Attr = ])
C:\Program Files\Firefox Setup 1.0.5.exe - (Mozilla [Ver = 3, 12, 0, 0 | Size = 4877784 bytes | Date = 07/19/2005 17:40 | Attr = ])
C:\Program Files\GunzInternational_20050706.exe - ( [Ver = | Size = 138280280 bytes | Date = 07/21/2005 00:44 | Attr = ])

Common Files Folder

DPF files
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macr...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\SYSTEM\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file (Non-Standard entries only). File size = 27031 bytes. C:\WINDOWS\System32\drivers\etc\Hosts

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 2
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName -
Desktop\Components\0\\Flags - 0
Desktop\Components\0\\Position - 2C 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 DE 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 1073741828
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 01 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 68 02 00 00 1F 00 00 00 A8 00 00 00 9E 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\ComponentsPositioned - 1
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 0
Desktop\General\\Wallpaper - %APPDATA%\Microsoft\Wallpaper1.bmp
Desktop\General\\BackupWallpaper - %APPDATA%\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 00 05 CC 89 4A 9C C6 01
Desktop\General\\WallpaperLocalFileTime - 00 FD F5 A0 20 9C C6 01
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 DE 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\Components -
Desktop\SafeMode\Components\\DeskHtmlVersion - 272
Desktop\SafeMode\Components\\DeskHtmlMinorVersion - 5
Desktop\SafeMode\Components\\Settings - 1
Desktop\SafeMode\Components\\GeneralFlags - 0
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - C:\WINDOWS\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Ext -
policies\Ext\CLSID -
policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} - 1
policies\Network -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\Ratings\\Key - 0A 4D 66 18 E1 F5 97 AB 1C 21 DD 6B 80 C8 99 F8
policies\Ratings\\Hint - jeffersonhome
policies\Ratings\\FileName0 - C:\WINDOWS\System32\RSACi.rat
policies\Ratings\.Default -
policies\Ratings\.Default\\Allow_Unknowns - 0
policies\Ratings\.Default\\PleaseMom - 1
policies\Ratings\.Default\\Enabled - 0
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html -
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\v - 0
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\s - 1
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\n - 1
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\l - 0
policies\Ratings\PICSRules -
policies\Ratings\PICSRules\.Default -
policies\Ratings\PICSRules\.Default\\NumSys - 0
policies\Ratings\PICSRules\.Default\0 -
policies\Ratings\PICSRules\.Default\0\\dwFlags - 0
policies\Ratings\PICSRules\.Default\0\\errLine - 0
policies\Ratings\PICSRules\.Default\0\PRPolicy -
policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRNumPolicy - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUNonWild - 13
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUScheme - http
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUHost - www.classmates.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUUrl - http://www.classmates.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\1 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUNonWild - 13
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUScheme - http
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUHost - go.microsoft.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUUrl - go.microsoft.com
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1
policies\WinOldApp -
policies\WinOldApp\\NoRealMode - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 255
policies\Explorer\\CDRAutoRun - 00 00 00 00
policies\Explorer\\NoSaveSettings - 0
policies\System -
policies\System\\DisableRegistryTools - 0

< End of report >


GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-17 08:29:39
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT 83637698 ZwAlertResumeThread
SSDT 836F0268 ZwAlertThread
SSDT 83608008 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\mmrtkrnl.sys ZwClose
SSDT 8370F8A0 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 8365BB98 ZwCreateMutant
SSDT 837D1728 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 8354C0D0 ZwFreeVirtualMemory
SSDT 836565E0 ZwImpersonateAnonymousToken
SSDT 837896A8 ZwImpersonateThread
SSDT 8378F998 ZwMapViewOfSection
SSDT 835445D0 ZwOpenEvent
SSDT \SystemRoot\system32\drivers\mmrtkrnl.sys ZwOpenKey
SSDT \??\C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT 83664D30 ZwOpenProcessToken
SSDT 835C7258 ZwOpenThreadToken
SSDT 836ABDA0 ZwResumeThread
SSDT 836F39D0 ZwSetContextThread
SSDT 83704C98 ZwSetInformationProcess
SSDT 83705A00 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 8359E9B8 ZwSuspendProcess
SSDT 835CDB50 ZwSuspendThread
SSDT \??\C:\Documents and Settings\default\Desktop\VIRUS STUFF\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT 836E36C8 ZwTerminateThread
SSDT 834160E8 ZwUnmapViewOfSection
SSDT 83585190 ZwWriteVirtualMemory

---- EOF - GMER 1.0.11 ----

#33 Chancellor

Chancellor

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,020 posts

Posted 20 September 2006 - 01:17 AM

Hello Dabees,

I don't see anything in either of your logs to suggest malware - can you tell me if you are still experiencing problems with your system and if so what is happening?

Have you perhaps had any further error messages or is your computer still running slowly?

Thanks :)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#34 Dabees

Posted 20 September 2006 - 02:37 PM

Yes it is still slow and I am still receiving error messages. It freezes up and asks if I want to send a report to Microsoft. One message I received a few minutes ago: An error has occurred in the script on this page Line:98 Char:2 Error: Object expected Code: 0 URL: mhtml:mid://00000005/ Do you want to continue running scripts on this page?
I will start writing them down. I hadn't 'cause I thought something would show up in the logs that could be fixed.
Thanks again.

#35 Chancellor

Posted 22 September 2006 - 03:54 AM

Hello, let's try this and see if it improves things,

Please download the latest version of the Windows Scripting Host; you can choose the correct one for your operating system here:

http://msdn.microsof...list/webdev.asp

This may correct the problem - please let me know. In the meantime, I shall see if I can find any other information about the error you have mentioned.

:)
Chancellor


#36 Dabees

Posted 24 September 2006 - 04:30 PM

Did that. I'm still getting error messages. Similar to what I already posted.
Configuration warnings. And then today, I tried to save a couple of word documents and it saved them in a garbled (don't know tech. name) format.
The error messages all refer to startup configuration file.
Thank you so much for your persistent assistance...

#37 Chancellor

Posted 24 September 2006 - 05:52 PM

Hello,

The problems you are having may actually be hardware related rather than a consequence of anything you may have installed on your computer.

Firstly we could do with running a memory test, so please could you download BurnAtOnce. Install it by double-clicking on the file bao0995.exe that you downloaded. Click Next, accept the license agreement, and click Next until the button says "Install". Click "Install" to finish.
  1. Download the "Download - Pre-Compiled Bootable ISO (.zip)" from MemTest.org.
  2. Unzip (extract) it to your desktop.
  3. Put a blank CD in the burner.
  4. Right-click on the file memtest86+-1.65.iso, and select "burnatonce" from the menu.
  5. Confirm that the box under the menu at the top says "MEMTEST86+-1.65.ISO (1MB / 2048)".
  6. Click the "Write" button.
  7. When the disk finishes, leave the CD in the drive, close all programs, and reboot your computer. It needs to boot from the CD drive.
The memory test can take several hours to run!

Could you let me know the outcome of the test and we will go from there?

Thanks :)

Edited by Chancellor, 24 September 2006 - 05:56 PM.

Chancellor


#38 Dabees

Posted 04 October 2006 - 07:26 AM

Please don't remove me. I will have time to do this tomorrow. Thanks.

#39 Chancellor

Posted 04 October 2006 - 08:16 AM

Hi,

Don't worry, I'll leave the thread open and look forward to hearing from you when you've had a chance to try this out.

:)
Chancellor


#40 Dabees

Posted 08 October 2006 - 01:32 PM

I was fine till I got to step 7. I rebooted, nothing appeared to happen. So I signed on, still nothing. I had left the CD in. How do I boot from the CD drive?
Thanks.

#41 Chancellor

Posted 09 October 2006 - 02:32 PM

Hi,

You will need to change the Boot Sequence in the BIOS in order to boot from the CD.

To do this, when you turn the computer on, you will see how to enter the BIOS Setup. It's usually one of the keys F1, INS, F10 or maybe DEL; you could check in your manual or speak to the supplier of the computer.

Once you have managed to get into the BIOS, look for a setting called Boot Order or Boot Sequence, then change that setting to have your CDROM drive first in the list before the hard drive.

Depending on your BIOS, your mouse may not be active and you will need to use the keyboard to navigate the screens.

After changing the Boot Order, save your settings and exit. This is usually done by pressing the ESC key and then pressing Y to save the settings.

This should do it!

:D
Chancellor


#42 Dabees

Posted 09 October 2006 - 06:49 PM

Did that. The CD would not run. I went thru the steps again & got this message when I tried to burn (I may not have noticed it before):
Executing power calibration...
Power calibration successful.
?: I/O error. : scsi sendcmd: retryable error
CDB: 2A 00 FF FF FF 6A 00 00 1A 00
status: 0x2 (CHECK CONDITION)
Sense Bytes: 70 00 05 00 00 00 00 0A 00 00 00 00 64 00
Sense Key: 0x5 Illegal Request, Segment 0
Sense Code: 0x64 Qual 0x00 (illegal mode for this track) Fru 0x0
Sense flags: Blk 0 (not valid)
cmd finished after 0.003s timeout 180s
ERROR: Write data failed.
ERROR: Writing failed.

#43 Chancellor

Posted 10 October 2006 - 01:37 PM

Could you have a look in the System Event Viewer and tell me if you have any Application Warnings or Errors?

To access the Event Viewer, click Start > Control Panel > Administrative Tools > Event Viewer and then select the Applications tab.

If there are any warnings or errors, could you double click on the error and click the copy button underneath the navigation arrows and copy and paste it into this thread?

I would also suggest a visual inspection of your computer's motherboard. The problem could be leaky capacitors.

You should have a look at this link http://www.pcguide.c...ead.php?t=25482 to see what to look for!

Please let me know how you get on.

Thanks :)

Edited by Chancellor, 10 October 2006 - 01:39 PM.

Chancellor


#44 Dabees

Posted 11 October 2006 - 07:07 AM

Bunch of them:
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/11/2006
Time: 7:50:16 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x029d1e9f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 10/11/2006
Time: 7:48:24 AM
User: N/A
Computer: SHAGGY
Description:
Fault bucket 335012351.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/11/2006
Time: 7:48:19 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x029d1e9f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 10/11/2006
Time: 7:17:04 AM
User: N/A
Computer: SHAGGY
Description:
Fault bucket 335004158.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/11/2006
Time: 7:16:50 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x02981eab.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/10/2006
Time: 8:46:53 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x029d1fee.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 10/10/2006
Time: 8:44:49 AM
User: N/A
Computer: SHAGGY
Description:
Fault bucket 334692750.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/10/2006
Time: 8:44:44 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x01cf1e9f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/8/2006
Time: 1:16:03 PM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x01ce1e9f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/7/2006
Time: 8:37:34 PM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x01c81e94.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/6/2006
Time: 9:03:40 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x01cf1e9f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/6/2006
Time: 8:30:32 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module uibho.dll, version 2007.1.0.133, fault address 0x0000d765.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/6/2006
Time: 8:14:24 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x01cf1e9f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/6/2006
Time: 8:07:56 AM
User: N/A
Computer: SHAGGY
Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module unknown, version 0.0.0.0, fault address 0x01ce1e96.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/5/2006
Time: 7:54:15 PM
User: N/A
Computer: SHAGGY
Description:
Faulting application firefox.exe, version 1.8.20060.25382, faulting module unknown, version 0.0.0.0, fault address 0x02a48453.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 10/5/2006
Time: 7:39:33 AM
User: N/A
Computer: SHAGGY
Description:
Hanging application WINWORD.EXE, version 10.0.4219.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

And there are many more going back to September.

Should I take my computer to someone to look for leaky capacitors?
Thanks.

#45 Chancellor

Posted 11 October 2006 - 03:36 PM

Hi,

You don't need to take your computer to a vendor or specialist repair store to check the capacitors; you can have a look yourself.

I know it might seem a bit daunting taking it to pieces, but all you need to do (depending on the style of the casing) is remove the top / side / back panel and have a look at the motherboard into which other leads and cables go and where all of the chips and capacitors sit.

If you have a look at the pictures in my previous post, you will see what to look for.

It could even be something as simple as an accumulation of dust on the board or around the fan - if there is any dust, just gently blow it out of the casing, and whilst you are there have a look at the capacitors.

I know it's obvious, but please remember to completely switch off and unplug your computer before taking the casing off and don't use anything to poke around inside! Just have a look and blow out any dust!

Of course, if you are really daunted at the prospect of this, you can of course take it to be looked at, but if you do, they are likely to charge you :gack:

Please let me know how you get on or what you decide to do :D
Chancellor


#46 Chancellor

Posted 26 November 2006 - 03:08 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Chancellor
