Yesterday and Sunday we kept getting messages on our computer, about every, oh, half a second, "There are too many identical emails in the appointed time" or something similar. There was also a message from Avast but I can't remember what that one said, something about the connection. My mom downloaded SpyDoctor (it might be called SpywareDoctor) and when I logged on to my desktop today, the "identical email" message just kept coming, boom boom boom, so I restarted the computer and the Spy(ware?)Doctor popped up a message that said something like "Deleted 4 corrupt programs" or something, and I haven't had any of those "identical email" pop-ups in about fifteen minutes. However, this of course does not necessarily mean that I don't have any viruses anymore, so I need to know what to change/delete/etc.
PS I have no freakin' clue what a "hijack this" log is. Do I need to download it? Or is it already, so to speak, on my computer?
(Personally I think the virus was in one of the games my mom keeps downloading.)
Hi, and welcome. Let's start by downloading HijackThis. Once downloaded, unzip it to its own folder; do not run it while it's still zipped up. Run it, click "Do system scan and save log", and when it's done a Notepad document will pop up. Copy that log and post it here.
Okay, here's the HijackThis log (can't they call it something else? I keep thinking it's a bad thing).
Um. It won't paste. I can copy it, but Paste is grayed out on both the right-click menu and under Edit, and Ctrl-V doesn't work either. I am NOT going through and typing all that by hand. I can't even paste it into MS Word, either.
Okay, for some reason now I can paste it... anyway, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 9:55:48 AM, on 3/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run=,
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXX41US
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Well, I just thought I would start by letting you know that your Internet Explorer is out of date. Second, I would suggest switching to Firefox. It provides many new features, as well as a lot more security than you will ever get out of IE.
Now on to the HJT log. You will need to boot into Safe Mode for these fixes, and configure Windows to show hidden folders. To do this, do the following:
1. Click the Start button.
2. In the Start menu, click Control Panel.
3. In the Control Panel window, click the Folder Options icon.
4. The Folder Options window will now open.
5. Click the View tab.
6. In the View tab, look down the list for a section marked Hidden Files and Folders.
7. Enable the option Show Hidden Files and Folders by left-clicking the radio button to the left of the option. Then uncheck Hide protected operating system files, and click Yes on the dialog.
8. Press the Apply button.
9. On the next screen, press OK to exit.
10. You should now be able to view the hidden files and folders.
------------------------
1. If the computer is running, shut down Windows, and then turn off the power
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.
Let's start by having it fix these:
C:\WINDOWS\System32\taskdir.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=,
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O8 - Extra context menu item: &search - http://bar.mywebsearch.com/menusear...?p=ZSXXXXXX41US Nasty
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
While you are still in Safe Mode, delete the following files (if there):
C:\WINDOWS\SYSTEM32\winm32.dll
C:\WINDOWS\System\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
Empty the Recycle Bin and reboot.
Then download ewido and scan with that in normal mode. Post the ewido log and a fresh HJT log.
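The fix list above is the product of reading the HijackThis log by eye: a svchost.exe started from C:\WINDOWS\System instead of System32, a populated AppInit_DLLs value, Winlogon Notify packages with no resolvable DLL, a "service" whose executable sits at C:\WINDOWS\winlogon.exe rather than in System32, and O16 ActiveX controls with no friendly name. The script below is an added example that turns those same observations into rules and runs them over an excerpt of the log posted in this thread; it is not HijackThis code and not a tool the helper used. The rules, the severity labels and the CORE_BINARIES list are illustrative assumptions, and the output is a list of entries to verify by hand, not a malware verdict.

```python
# Heuristic triage of HijackThis 1.99.x log lines. Added example for this
# thread: not HijackThis code and not the helper's tool. It encodes as rules
# the judgement the helper applied by hand (core Windows binary started from
# the wrong directory, AppInit_DLLs, Winlogon Notify packages, a service
# masquerading as winlogon.exe, O16 controls with no name). Every rule is an
# illustrative assumption; output is a list to verify by hand, not a verdict.
import re
from dataclasses import dataclass

# Core process names malware likes to reuse; on XP the real ones live only in
# %WINDIR%\system32, so the same name anywhere else is suspect (assumed list).
CORE_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                 "services.exe", "smss.exe", "explorer.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

_LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")
_EXE_RE = re.compile(r"(.*?\.exe)(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "review" or "info"
    section: str    # HijackThis section code, e.g. "O4"
    line: str       # the original log line
    reason: str


def parse_line(line):
    """Return (section, body) for a HijackThis finding line, else None."""
    m = _LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def exe_path(text):
    """Strip quotes, arguments and '(file missing)' down to the .exe path."""
    m = _EXE_RE.match(text.replace('"', "").strip())
    return m.group(1) if m else text.strip()


def _core_binary_outside_system32(path):
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in CORE_BINARIES and not p.startswith(SYSTEM32)


def _check_o4(body):
    """Autorun: '[Name] path args', 'Global Startup: x.lnk = path' or a bare file."""
    for sep in ("] ", " = ", ": "):
        if sep in body:
            target = body.split(sep, 1)[1]
            break
    else:
        target = body
    path = exe_path(target)
    if _core_binary_outside_system32(path):
        return "high", "core Windows binary name running from outside system32"
    if "\\" not in path:
        return "review", "started by bare file name; location not in the log"
    return None


def _check_o20(body):
    if body.startswith("AppInit_DLLs:"):
        return "high", "AppInit_DLLs loads this DLL into every process that maps user32.dll"
    if body.startswith("Winlogon Notify:"):
        dll = body.split(" - ", 1)[-1]
        if "(file missing)" in dll or "\\" not in dll:
            return "high", "Winlogon Notify package with no resolvable DLL path"
        return "review", "runs inside winlogon.exe at logon; confirm the vendor"
    return None


def _check_o23(body):
    """Service: 'Display name (svc) - owner - path args (file missing)'."""
    parts = body.split(" - ", 2)
    if len(parts) < 3:
        return None
    if _core_binary_outside_system32(exe_path(parts[2])):
        return "high", "service executable masquerades as a core Windows binary"
    if "(file missing)" in parts[2]:
        return "info", ("often an artifact of a quoted ImagePath with arguments "
                        "in HJT 1.99; confirm the path in services.msc")
    return None


def _check_o16(body):
    """'DPF: {CLSID} (Friendly Name) - url' versus 'DPF: {CLSID} - url'."""
    if re.match(r"DPF:\s+\{[0-9A-Fa-f-]+\}\s+-\s+\S+$", body):
        return "review", "downloaded ActiveX control with no friendly name"
    return None


CHECKS = {"O4": _check_o4, "O20": _check_o20, "O23": _check_o23, "O16": _check_o16,
          "O8": lambda body: ("review", "extra IE context-menu item; confirm you installed it")}


def triage(log_text):
    """Run the rules over every line of a log and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[0] in CHECKS:
            result = CHECKS[parsed[0]](parsed[1])
            if result:
                findings.append(Finding(result[0], parsed[0], raw.strip(), result[1]))
    return findings


# Excerpt of the log posted above (real lines from this thread, trimmed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O8 - Extra context menu item: &search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXX41US
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run against the excerpt, the four "high" findings are exactly the four entries the helper told the poster to fix in HijackThis (the System\svchost.exe autorun, sfklg.dll in AppInit_DLLs, the dangling msupdate Notify package and the MSWinLogonProcService service), while the avast services that HijackThis reports as "(file missing)" only come out as "info", which matches the helper leaving them alone. The point of the "review" tier is that a log cannot tell you whether qsosrv.exe or winm32.dll is legitimate; it can only tell you that nothing in the log vouches for them.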
Okay, I'm not sure if I should delete palstart.exe because my mom uses PalTalk and I know she'll get p***ed off at me if I delete it.
EDIT: Also, I never use IE, only Netscape. I hate IE.
EDIT AGAIN: Okay, problem. There is no "Folder Options" icon in my Control Panel. There's an "Accessibility Options," and I clicked that, then View, but there was no "Hidden Files and Folders" section on the list. Also, I'm running Windows XP, not Windows 2000.
Have a look here.
http://www.greatis.com/appdata/d/p/palstart.exe.htm
You then decide. But when you have decided, post a new log.
Okay, I discovered I had to click "Classic View" to view Folder Options... off to try it again.
EDIT: I tapped F8 a bunch of times (really fast) while the black-and-white bar (really black and gray) was on the screen, and I didn't get the Advanced Options menu. I can't find any other way to restart the computer in Safe Mode, is there one? Is it absolutely imperative that I be in Safe Mode?
OK, just restart your computer and right away start hitting F8. That should do it. If not, go ahead and do it out of Safe Mode.
Okay, here's the Ewido log (it says it's already "cleaned" the infected files, so I don't know if I need to do anything else):
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:35:22 PM, 3/8/2006
+ Report-Checksum: 84772570
+ Scan result:
HKLM\SOFTWARE\Classes\LaunchInIE.Launch -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CLSID -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CurVer -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\LaunchInIE.Launch.1 -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-842925246-884357618-682003330-1004\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.11:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.26:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.27:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\GomerPyle\Cookies\gomerpyle@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2716.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2732.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2892.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2928.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3036.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3320.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3376.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3520.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\6.qtdfmp -> Downloader.Small.atl : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\qvxt3.game -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\GomerPyle\Local Settings\Temp\vxt4.game -> Downloader.Tiny.ba : Cleaned with backup
:mozilla.9:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.19:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.23:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.25:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.26:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.27:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.29:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.30:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.31:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.32:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.33:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.34:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.35:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.36:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.37:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.38:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.39:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.40:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.41:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.42:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.53:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.54:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.55:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.56:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.57:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.58:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.59:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.86:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.87:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.88:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.91:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.92:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.93:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.94:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.95:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.96:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.97:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.98:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.99:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.100:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.101:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.102:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.104:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.105:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.109:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.110:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.111:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.112:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.113:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.114:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.115:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.116:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.117:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.118:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.119:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.120:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.121:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.147:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.148:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.149:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.150:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.152:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.153:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.196:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.197:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.198:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.199:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.200:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.201:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.202:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.203:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.204:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.214:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.215:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.219:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.220:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.221:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.222:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.223:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.224:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Cookies\mysticalchicken@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\1000.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\1988.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2304.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2472.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2868.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2940.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\304.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3132.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3216.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3260.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3288.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3312.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3320.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3432.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3468.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3504.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3536.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3624.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3668.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3700.tmp -> Downloader.Tiny.ba : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\4068.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\4080.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\516.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\5564.tmp -> Hijacker.BHO.d : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\6.qtdfmp -> Downloader.Small.atl : Cleaned with backup
C:\Documents and Settings\MysticalChicken\Local Settings\Temp\vxt4.game -> Downloader.Tiny.ba : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\DAO\system32_\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.307 : Cleaned with backup
C:\Program Files\SpySheriff -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
C:\WINDOWS\inet20001\3.02.00.dll -> Adware.Ihbo : Cleaned with backup
C:\WINDOWS\smss.exe -> Heuristic.Win32.HostFile : Cleaned with backup
C:\WINDOWS\system32\vxgamet4.exe -> Downloader.Tiny.ba : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
C:\WINDOWS\trebates.exe -> Adware.WebRebates : Cleaned with backup
::Report End
...and here's the new HijackThis log (EDIT: there were a few files that didn't get fixed for some reason the first time, so I fixed them. here's the new list):
Logfile of HijackThis v1.99.1
Scan saved at 1:49:11 PM, on 3/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
EDIT: Dammit, I KNOW I fixed that "O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner -" at least three times and the damned thing won't stay fixed! :evil: There are probably a bunch of other ones that won't stay fixed, either.
EDIT AGAIN: And I know I fixed "O20: Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll" too. Also, winm32.dll is not in the System 32 folder, but it seems to keep popping up in the HJT log.
Malware is pretty much the same as viruses/spyware. Just another term.
Now for the log.
Have it clean --
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) Unnecessarily
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
I'm not sure about these. Might want to wait for a second opinion.
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
Is your computer running better?
Have it clean --
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) Unnecessarily
I just did a new scan, and that wasn't in there.
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
Okay, this one just will not stay fixed! I check the box and click Fix Checked, and when I re-scan, it comes back!
I'm not sure about these. Might want to wait for a second opinion.
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
Is your computer running better?
No... I just re-booted and Avast still says I have viruses and SpyDoctor still says I have spyware. This is just frustrating me.
EDIT: Okay, I cleaned some of the stuff in the third quote box, just re-booted my computer and I didn't get any "You have a virus!" messages or "You have spyware!" messages (they usually appear within five seconds of logging on to my desktop, and it's been like two minutes and they haven't appeared yet), so I think I fixed it. If any more problems come up I'll post here.
You need to delete this in safe mode. Or it's going to keep coming back.
C:\WINDOWS\SYSTEM32\winm32.dll
In fact, fix all in safe mode from now on. If you still can't boot into it, let me know.
If you do get in, I just discovered that the taskdir is a trojan. So fix the following.
C:\WINDOWS\System32\taskdir.exe
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Global Startup: Event Reminder.lnk = ?
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
Then delete in safe mode the following files.
C:\WINDOWS\SYSTEM32\winm32.dll
C:\WINDOWS\System32\taskdir.exe
C:\WINDOWS\System32\kernels8.exe
Empty recycle bin, reboot, rescan, repost log. If those files come back, we will try something else.
Okay, I was able to get into Safe Mode. However, I can't log into my own desktop in Safe Mode; there was only "Administrator" and "AutumnRose," which is my mom. There was no password for "Administrator," so I went into that and fixed everything in the list above that was actually in the HJT list. However, I didn't see the following:
C:\WINDOWS\System32\taskdir.exe
Most of the O4 entries except for "O4: Global Startup: Event Reminder.lnk = ?" were not in the HJT log either.
And even in safe mode, "O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll" keeps coming back. And it's not in the folder specified, either. I also didn't see the taskdir.exe application, but I did find kernels8.exe, so I deleted that.
Okay, now I'm really, really hungry, and I want to get off the computer for today, so I'll check this tomorrow, or perhaps later tonight.
Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:58:19 PM, on 3/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Well, besides this you're looking pretty clean. I'm not sure how to proceed on this one. Maybe someone else will know how to knock it out.
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
I dunno if ya already did this, but did ya set it to show hidden files/Microsoft Windows files?
Alrite, Mystical Chicken, fix a couple more things:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
(to tayspern)
Do ya kno about
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe ? It looks sorta suspicious.
Also (tayspern again), ya might wanna try using Pocket Killbox for 2 reasons.. 1) itl kill it if its there, and 2) it'l definitely tell ya if its not.
Thanks.
Ahh my bad, 1 more mystical chicken:
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
Yea, I pointed a few of those out. But they seem to be reappearing ;). I agree about that one entry.
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
This is a Haxdoor variant...not good at all :sad:
This means there is the possibility that your PC has been compromised
1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Carrying on with the fix..
Download haxfix.exe -Save it to your desktop.
-Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
-When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
-A red "dos window" (dos box) will open.
This message will appear:
Insert the haxdoor notify subkey without the numbers,
and then press enter:
At this point please type the following: winm32
Press Enter to continue with the fix.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new HijackThis log when you return.
Download Blacklight
http://www.f-secure.com/blacklight/try.shtml
-Hit I accept. It will take you to download page.
-Download blbeta.exe and save it to the Desktop.
-Once saved... double click blbeta.exe to install the program.
-Click accept agreement and Click scan
This app too may fire off a warning from antivirus. Let the driver load.
Wait for it to finish.
-If it displays any items...don't do anything with them yet. Just hit exit (close)
-It will drop a log on Desktop that starts with fsbl....big number
-Please post contents of log.
Download WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
-it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
-Open the C:\WinPFind folder and double-click on WinPFind.exe.
-Click on Configure Scan Options.
-Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All
-Uncheck Run Addon's and click Apply.
-Click on the Start Scan button and wait for it to finish.
-A log will be created C:\WinPFind\WinPFind.txt, attach this for me
So I need several logs when you return
HijackThis log
Blacklight log
Haxfix Log
WinPFind log
EDIT: FOLLOW THE DIRECTIONS ABOVE
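The triage the helpers do by eye above (O4 autostarts with generic labels or bare file names, the O20 Winlogon Notify DLL that will not stay fixed, an O23 service whose binary is missing), as an added Python example that is not from the thread or from any of the tools named in it. The sample log lines are constructed from the logs posted above, and the rules are my own first-pass heuristics, not HijackThis logic.

```python
"""Added example, not from the thread: first-pass triage of HijackThis 1.99 log lines, plus a re-scan check."""
import re
from typing import List, Tuple

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\\)([^\\"]+\.exe)', re.I)
# Autostart labels that try to look like part of Windows ("[System]", "[Microsoft ...]").
GENERIC_LABEL = re.compile(r"^(system|systemtools|microsoft\b.*|windows\b.*)$", re.I)
# Core XP binaries that live in System32; the same name elsewhere is a classic decoy
# (compare the C:\WINDOWS\smss.exe that the ewido report in the thread removed).
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def core_binary_outside_system32(text: str) -> bool:
    m = PATH_RE.search(text)
    if not m:
        return False
    folder, exe = m.group(1).lower(), m.group(2).lower()
    return exe in CORE_SYSTEM32 and not folder.endswith("\\system32\\")

def review_o4(m) -> List[str]:
    reasons = []
    cmd = m["cmd"].strip().strip('"')
    if "\\" not in cmd:
        reasons.append("bare file name, resolved via the search path: the real binary is unknown")
    if m["key"].endswith("RunServices"):
        reasons.append("RunServices is a Win9x-era autostart key, rarely used by legitimate XP software")
    if GENERIC_LABEL.match(m["label"]) and not cmd.lower().startswith("c:\\program files"):
        reasons.append("generic Windows-sounding label on a binary outside a vendor folder")
    return reasons

def review_o20(m) -> List[str]:
    # Notification DLLs are loaded by winlogon.exe itself, before any user program, which is why the thread says to fix from safe mode.
    reasons = ["DLL loaded by winlogon.exe at logon; confirm the publisher"]
    parent = m["path"].strip().lower().rsplit("\\", 1)[0]
    if parent.endswith("\\system32"):
        reasons.append("sits directly in System32 with no vendor folder; if it is not visible on disk, suspect a rootkit")
    return reasons

def review_o23(m) -> List[str]:
    reasons = []
    if "(file missing)" in m["path"]:
        reasons.append("service binary not found: orphaned entry, or a file hidden from the scanner")
    if m["owner"].strip().lower() == "unknown owner" and re.search(r"\bwindows\b", m["name"], re.I):
        reasons.append("name imitates a Windows component but carries no publisher")
    if core_binary_outside_system32(m["path"]):
        reasons.append("uses a core system binary name outside System32")
    return reasons

def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line worth a reviewer's attention."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        reasons: List[str] = []
        if (m := O4_RE.match(line)):
            reasons = review_o4(m)
        elif (m := O20_RE.match(line)):
            reasons = review_o20(m)
        elif (m := O23_RE.match(line)):
            reasons = review_o23(m)
        elif re.match(r"^[a-z]:\\", line, re.I) and core_binary_outside_system32(line):
            reasons = ["running process uses a core system binary name outside System32"]
        if reasons:
            findings.append((line, reasons))
    return findings

def reappeared(fixed: List[str], after: str) -> List[str]:
    """Entries ticked and 'fixed' in HJT that are back in the next scan: something re-creates them."""
    present = {l.strip() for l in after.splitlines()}
    return [f for f in fixed if f.strip() in present]

# Constructed sample: a few lines taken from the 1:49 PM log in the thread, plus a
# process line built from the ewido finding for C:\WINDOWS\smss.exe.
LOG_BEFORE = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
"""
# What the user ticked and fixed, and the lines still present in the 2:58 PM re-scan (constructed from the thread).
FIXED = [l for l in LOG_BEFORE.splitlines() if any(k in l for k in ("kernels8", "taskdir", "winm32", "MSWinLogon"))]
LOG_AFTER = r"""
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE):
        print(line, "->", "; ".join(reasons))
    print("fixed but back after re-scan:", reappeared(FIXED, LOG_AFTER))
```

Note that taskdir.exe passes every shape-based rule here; the helper identified it separately ("I just discovered that the taskdir is a trojan"), which is why rules like these are only a first pass before looking each entry up.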
Heh alrite, KILLIN TIME...if ya could, please reboot into safe mode. Then, open My Computer > Tools > Folder Options. Open this, go under the 'View' tab, and click 'Show Hidden Files,' and uncheck 'Hide Protected Operating System Files.'
Then, close out and find the following files and delete them if they're there:
C:\Program Files\Partypoker
C:\WINDOWS\SYSTEM32\winm32.dll
After this, reboot into normal mode, and install Ewido and CCleaner (links for both can be found in my signature). Update both, and run scans for both, fixing everything. Save the Ewido log for post here.
THEN, open this page and follow directions for clearing ALL temporary files (just do it).
http://www.daniweb.com/techtalkforums/thread27570.html
After all of this, restart your computer, run a HJT scan, and post it along with the Ewido results in a reply.
Heh sry, its alotta stuff.
Thanks.
EDIT: FOLLOW DIRECTIONS ABOVE
O yeah, we tried to delete that one file (C:\WINDOWS\SYSTEM32\winm32.dll) at least 5 times. It wouldn't delete. So I knew it had to be something big!
Good luck, sorry I couldn't help more.
-T