0

Yesterday and Sunday we kept getting messages on our computer, about every, oh, half a second, "There are too many identical emails in the appointed time" or something similar. There was also a message from Avast but I can't remember what that one said, something about the connection. My mom downloaded SpyDoctor (it might be called SpywareDoctor) and when I logged on to my desktop today, the "identical email" message just kept coming, boom boom boom, so I restarted the computer and the Spy(ware?)Doctor popped up a message that said something like "Deleted 4 corrupt programs" or something, and I haven't had any of those "identical email" pop-ups in about fifteen minutes. However, this of course does not necessarily mean that I don't have any viruses anymore, so I need to know what to change/delete/etc.

PS I have no freakin' clue what a "hijack this" log is. Do I need to download it? Or is it already, so to speak, on my computer?

(Personally I think the virus was in one of the games my mom keeps downloading.)

5
Contributors
42
Replies
44
Views
11 Years
Discussion Span
Last Post by friskyduck
0

Hi, and welcome. Lets start by downloading hijackthis!. Once downloaded unzip to its own folder to not run it while its still zipped up. Run it and click do system scan and save log. When its done a notepad document will pop up. Copy that log, and post it here.

0

Okay, here's the HijackThis log (can't they call it something else? I keep thinking it's a bad thing).

Um. It won't paste. I can copy it, but Paste is grayed out on both the right-click menu and under Edit, and Ctrl-V doesn't work either. I am NOT going through and typing all that by hand. I can't even paste it into MS Word, either.

Okay, for some reason now I can paste it... anyway, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:48 AM, on 3/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run=,
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXX41US
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

0

Well just thought I would start by letting you know that your internet explorer is out of date. Second, i would suggest switching to firefox. It provides many new features, as well as alot more security than you will ever get out of IE.

Now on to the HJT log. You will need to boot into safe mode for these fixes, and configure windows to show hidden folders. To do this do the following.


1 Click the Start Button

2 In the Start menu click Control Panel

3 In the Control panel Window click the Folder Options Icon

4 The folder Options Window will now Open

5 Click the View Tab

6 In the view tab window look down the list for a section marked Hidden Files and Folders

7 Enable the option Show Hidden Files and Folders by left clicking the radio button on the left of the option with your mouse. Then uncheck Hide protected operating system files. CLick yes to the dialog.

8 Press the Apply button

9 On the next screen press OK to exit

10 You should now be able to view the hidden files and folders.

------------------------

1. If the computer is running, shut down Windows, and then turn off the power
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.

Lets start by having it fix these;

C:\WINDOWS\System32\taskdir.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=,


O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s

O8 - Extra context menu item: &search - http://bar.mywebsearch.com/menusear...?p=ZSXXXXXX41US Nasty

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab

O20 - AppInit_DLLs: sfklg.dll

O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)

While you are still in safe mode, delete the following files (If there)

C:\WINDOWS\SYSTEM32\winm32.dll


C:\WINDOWS\System\svchost.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe

Empty recycle bin and reboot

Then download ewido scan with that in normal mode. Post the ewido log and a fresh HJT log.

0

Okay, I'm not sure if I should delete palstart.exe because my mom uses PalTalk and I know she'll get p***ed off at me if I delete it.

EDIT: Also, I never use IE, only Netscape. I hate IE.

EDIT AGAIN: Okay, problem. There is no "Folder Options" icon in my Control Panel. There's an "Accessibility Options," and I clicked that, then View, but there was no "Hidden Files and Folders" section on the list. Also, I'm running Windows XP, not Windows 2000.

0

Okay, I discovered I had to click "Classic View" to view Folder Options... off to try it again.

EDIT: I tapped F8 a bunch of times (really fast) while the black-and-white bar (really black and gray) was on the screen, and I didn't get the Advanced Options menu. I can't find any other way to restart the computer in Safe Mode, is there one? Is it absolutely imperative that I be in Safe Mode?

0

Ok, just restart your computer. And right away start hitting F8. That should do it. If not go head and do it out of safe mode.

0

Okay, here's the Ewido log (it says it's already "cleaned" the infected files, so I don't know if I need to do anything else):

 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          1:35:22 PM, 3/8/2006
 + Report-Checksum:     84772570

 + Scan result:

    HKLM\SOFTWARE\Classes\LaunchInIE.Launch -> Adware.Ezula : Cleaned with backup
    HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CLSID -> Adware.Ezula : Cleaned with backup
    HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CurVer -> Adware.Ezula : Cleaned with backup
    HKLM\SOFTWARE\Classes\LaunchInIE.Launch.1 -> Adware.Ezula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
    HKU\S-1-5-21-842925246-884357618-682003330-1004\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\GomerPyle\Application Data\Mozilla\Profiles\default\icrifx4n.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Cookies\gomerpyle@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2716.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2732.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2892.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2928.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3036.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3320.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3376.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3520.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\6.qtdfmp -> Downloader.Small.atl : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\qvxt3.game -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\vxt4.game -> Downloader.Tiny.ba : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.81:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.82:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.83:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.84:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.87:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.88:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.96:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.98:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.99:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.100:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.101:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.102:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.112:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.113:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.114:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.115:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.116:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.117:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.118:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.119:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.120:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.121:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.147:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.148:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.150:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.152:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.153:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.196:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.197:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.198:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.199:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.200:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.201:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.202:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.203:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.204:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.214:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
    :mozilla.215:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
    :mozilla.219:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.220:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.221:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.222:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.223:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.224:C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Cookies\mysticalchicken@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\1000.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\1988.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2304.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2472.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2868.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\2940.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\304.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3132.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3216.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3260.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3288.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3312.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3320.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3432.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3468.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3504.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3536.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3624.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3668.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\3700.tmp -> Downloader.Tiny.ba : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\4068.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\4080.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\516.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\01808300\5564.tmp -> Hijacker.BHO.d : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\6.qtdfmp -> Downloader.Small.atl : Cleaned with backup
    C:\Documents and Settings\MysticalChicken\Local Settings\Temp\vxt4.game -> Downloader.Tiny.ba : Cleaned with backup
    C:\Program Files\Common Files\Microsoft Shared\DAO\system32_\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.307 : Cleaned with backup
    C:\Program Files\SpySheriff -> Adware.SpySheriff : Cleaned with backup
    C:\Program Files\SpySheriff\SpySheriff.exe -> Adware.SpySheriff : Cleaned with backup
    C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
    C:\WINDOWS\inet20001\3.02.00.dll -> Adware.Ihbo : Cleaned with backup
    C:\WINDOWS\smss.exe -> Heuristic.Win32.HostFile : Cleaned with backup
    C:\WINDOWS\system32\vxgamet4.exe -> Downloader.Tiny.ba : Cleaned with backup
    C:\WINDOWS\system32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
    C:\WINDOWS\trebates.exe -> Adware.WebRebates : Cleaned with backup


::Report End

...and here's the new [b]HijackThis[/b] log (EDIT: there were a few files that didn't get fixed for some reason the first time, so I fixed them. here's the new list):

Logfile of HijackThis v1.99.1
Scan saved at 1:49:11 PM, on 3/8/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\kernels8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.msn.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409[/url]
F2 - REG:system.ini: Shell=explorer.exe 
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655[/url]
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - [url]http://launch.gamespyarcade.com/software/launch/alaunch.cab[/url]
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - [url]http://zone.msn.com/bingame/luxr/default/mjolauncher.cab[/url]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [url]http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

EDIT: Dammit, I KNOW I fixed that "O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner -" at least three times and the damned thing won't stay fixed! There are probably a bunch of other ones that won't stay fixed, either.

EDIT AGAIN: And I know I fixed "O20: Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll" too. Also, winm32.dll is not in the System 32 folder, but it seems to keep popping up in the HJT log.

Edited by mike_2000_17: Fixed formatting

0

Malware is pretty much the same as viruses/spyware. Just another term.

Now for the log.

Have it clean --


O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) Unnecessarily

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

Im not sure about these. Might want to wait for a second opnion.


O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe

Is your copmuter running better?

0

Have it clean --


O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) Unnecessarily

I just did a new scan, and that wasn't in there.

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

Okay, this one just will not stay fixed! I check the box and click Fix Checked, and when I re-scan, it comes back!

Im not sure about these. Might want to wait for a second opnion.


O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe

Is your copmuter running better?

No... I just re-booted and Avast still says I have viruses and SpyDoctor still says I have spyware. This is just frustrating me.

EDIT: Okay, I cleaned some of the stuff in the third quote box, just re-booted my computer and I didn't get any "You have a virus!" messages or "You have spyware!" messages (they usually appear within five seconds of logging on to my desktop, and it's been like two minutes and they haven't appeared yet), so I think I fixed it. If any more problems come up I'll post here.

0

You need to delete this in safe mode. Or its going to keep coming back.


C:\WINDOWS\SYSTEM32\winm32.dll

In fact fix all in safe mode from now on. If you still cant boot into it let me no.

If you do get in, I just discovered that the taskdir is a trojan. So fix the following.


C:\WINDOWS\System32\taskdir.exe

O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe

O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - Global Startup: Event Reminder.lnk = ?

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

Then delete in safe mode the following files.


C:\WINDOWS\SYSTEM32\winm32.dll

C:\WINDOWS\System32\taskdir.exe

C:\WINDOWS\System32\kernels8.exe


Empty recycle bin, reboot, rescan, repost log. If that files comeback, we wil ltry somthing else.

0

Okay, I was able to get into Safe Mode. However, I can't log into my own desktop in Safe Mode; there was only "Administrator" and "AutumnRose," which is my mom. There was no password for "Administrator," so I went into that and fixed everything in the list above that was actually in the HJT list. However, I didn't see the following:

C:\WINDOWS\System32\taskdir.exe

Most of the O4 entries except for "O4: Global Startup: Event Reminder.Ink = ?" were not in the HJT log either.

And even in safe mode, "O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll" keeps coming back. And it's not in the folder specified, either. I also didn't see the taskdir.exe application, but I did find kernels8.exe, so I deleted that.

Okay, now I'm really, really hungry, and I want to get off the computer for today, so I'll check this tomorrow, or perhaps later tonight.

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:58:19 PM, on 3/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

0

Well, besides this your looking pretty clean. Im not sure how to procees on this one. Maybe someone else will know how to knock it out.


O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

0

I dunno if ya already did this,, but did ya set it to show hidden files/microsoft window files?

Alrite ,Mystical Chicken, fix a couple more things:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

(to tayspern)
Do ya kno about
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe ? It looks sorta suspicious.

Also (tayspern again), ya might wanna try using Pocket Killbox for 2 reasons.. 1) itl kill it if its there, and 2) it'l definitely tell ya if its not.

Thanks.

0

Ahh my bad, 1 more mystical chicken:

O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

0

Yea, I pointed a few of those out. But they seem to be reappering ;). I agree about that on entry.

0


O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

This is a Haxdoor variant...not good at all :sad:

This means there is the possibility that your PC has been compromised

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

Carrying on with the fix..

Download haxfix.exe -Save it to your desktop.
-Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
-When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
-A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:

At this point please type the following:

winm32

Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog when you return.

Download Blacklight
http://www.f-secure.com/blacklight/try.shtml
-Hit I accept. It will take you to download page.
-Download blbeta.exe and save it to the Desktop.
-Once saved... double click blbeta.exe to install the program.
-Click accept agreement and Click scan
This app too may fire off a warning from antivirus. Let the driver load.
Wait for it to finish.
-If it displays any items...don't do anything with them yet. Just hit exit (close)
-It will drop a log on Desktop that starts with fsbl....big number
-Please post contents of log.

Download WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
-it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
-Open the C:\WinPFind folder and double-click on WinPFind.exe.
-Click on Configure Scan Options.
-Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All
-Uncheck Run Addon's and click Apply.
-Click on the Start Scan button and wait for it to finish.
-A log will be created C:\WinPFind\WinPFind.txt, attach this for me

So I need several logs when you return

HijackThis log
Blacklight log
Haxfix Log
WinPFind log

0

EDIT: FOLLOW THE DIRECITONS ABOVE


Heh alrite, KILLIN TIME...if ya could, please reboot into safe mode. Then, open My Computer > Tools > Folder Options. Open this, go under the 'View' tab, and click 'Show Hidden Files,' and uncheck 'Hide Protected Operating System Files.'

Then, close out and find the following files and delete them if they're there:

C:\Program Files\Partypoker
C:\WINDOWS\SYSTEM32\winm32.dll

After this, reboot into normal mode, and install Ewido and CCleaner (links for both can be found in my signature). Update both, and run scans for both, fixing everything. Save the Ewido log for post here.

THEN, open this page and follow directions for clearing ALL temporary files (just do it).

http://www.daniweb.com/techtalkforums/thread27570.html

After all of this, restart you're computer, run a HJT scan, and post it along with the Ewido results in a reply.

Heh sry, its alotta stuff.

Thanks.

EDIT: FOLLOW DIRECTIONS ABOVE

0

O yeah, we tried to delete that one file (C:\WINDOWS\SYSTEM32\winm32.dll) at least 5 times. It wouldnt delete. SO i knew it ahd to be somthing big!

Good luck, sorry I couldnt help more.

-T

0

This is a Haxdoor variant...not good at all :sad:

This means there is the possibility that your PC has been compromised

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

Carrying on with the fix..

Download haxfix.exe -Save it to your desktop.
-Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
-When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
-A red "dos window" (dos box) will open.
This message will appear:

At this point please type the following:

Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog when you return.

Download Blacklight
http://www.f-secure.com/blacklight/try.shtml
-Hit I accept. It will take you to download page.
-Download blbeta.exe and save it to the Desktop.
-Once saved... double click blbeta.exe to install the program.
-Click accept agreement and Click scan
This app too may fire off a warning from antivirus. Let the driver load.
Wait for it to finish.
-If it displays any items...don't do anything with them yet. Just hit exit (close)
-It will drop a log on Desktop that starts with fsbl....big number
-Please post contents of log.

Download WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
-it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
-Open the C:\WinPFind folder and double-click on WinPFind.exe.
-Click on Configure Scan Options.
-Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All
-Uncheck Run Addon's and click Apply.
-Click on the Start Scan button and wait for it to finish.
-A log will be created C:\WinPFind\WinPFind.txt, attach this for me

So I need several logs when you return

You're gonna have to wait on those, because I'm not the one who manages the bank account and whatnot. So I'll have my mom call. In the meantime, I'll try to do what I can with that long list.

EDIT: I clicked on http://www.f-secure.com/blacklight/try.shtml and it said "Cannot find the file specified" or something. Tyop?

0

Understand those are steps of "caution" in a worse-case scenario. I just wanted to let you be aware of the consequences, what happens from here on out is up to your mother :)

0

Okay, I did as much of the above as I could. However, I could not delete the temporary files in my brother's or my mom's desktop (both said access denied). I did, however, delete all the temporary files in my own desktop, and my dad's, because he doesn't have a password and he doesn't live here anymore anyway. But I digress. Anyway, I also did the haxdoor scan with that winm32 dealie, and it said:

"You don't need to run this program.  No infection found."

I also searched for winm32.dll in the specified folder, and couldn't find it. The closest file names I found were WING32.dll and winmm.dll. However, I wasn't sure if I should delete these, so I didn't. I even did a search for winm32 under the Search option, and the adorable little puppy didn't find it, either, and yes, I did search in the hidden files and folders. So either A. this is one rat-b tard of a file that just does not want to be found, or B. the HijackThis log is mistaken.

I did delete C:\Program Files\PartyPoker, though.

I couldn't download Blacklight. See my previous post for reason why.

I also did a new Ewido scan, and it found and cleaned 27 infected items.

Anyway, here's all the new logs that I could do:

WinPFind log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build:     Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
    {472083B0-C522-11CF-8763-00608CC02F24}   = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ImageWalker
    {A164C10C-B123-40B0-ABE0-65B7F9D62506}   = C:\Program Files\Walker\ImageWalker200\ShellExtensions.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499}   = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
    {472083B0-C522-11CF-8763-00608CC02F24}   = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ImageWalker
    {0F2FAFF8-304D-4EC4-9607-1DCDF89F3C3A}   = C:\Program Files\Walker\ImageWalker200\ShellExtensions.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{502C3BA4-2C3E-4317-BC29-C0445E82B1F9}
    PaltalkWebLogin = C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
     = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
    PCTools Site Guard = C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
    PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E89097ED-3400-411D-9647-D368C3311C98}
    IExplorerHelper Class = C:\WINDOWS\System32\IeHelperExVS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467}   = &Radio   : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
    ButtonText   = Spyware Doctor   : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}
    ButtonText   = ICQ Pro  : C:\Program Files\ICQ\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText   = Messenger    : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    : 
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} =    : 
    {4E7BD74F-2B8D-469E-A7E4-FC7CBD87BD7D} =    : 
    {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} =    : 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SZMsgSvc.exe    C:\Program Files\STOPzilla!\SZMsgSvc.exe
    Share-to-Web Namespace Daemon   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    ProDsl.exe  ProDsl.exe
    ATIPTA  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    avast!  C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    PSDrvCheck  "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg

    TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background
    MessengerPlus3  "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    Microsoft Server Applacations   qsosrv.exe
    Spyware Doctor  "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini  0
    win.ini 0
    bootini 0
    services    0
    startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoChangingWallpaper 0
    NoComponents    0
    NoAddingComponents  0
    NoDeletingComponents    0
    NoEditingComponents 0
    NoHTMLWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  ‘
    NoActiveDesktop 0
    ClassicShell    0
    ForceActiveDesktopOn    1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableTaskMgr  1
    Wallpaper   


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    0aMCPClient                     {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\Program Files\Common Files\Stardock\mcpcore.dll
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\System32\Userinit.exe
    Shell       = explorer.exe 
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient
     = C:\Program Files\Common Files\Stardock\mcpstub.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winm32
     = winm32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/9/2006 10:01:46 AM

Ewido log:

+ Report-Checksum:      3B614F0

 + Scan result:

    C:\Documents and Settings\GomerPyle\Local Settings\Application Data\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2624.tmp -> Downloader.Small.skn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2628.tmp -> Downloader.Small.skn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2660.tmp -> Dropper.Delf.th : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2688.tmp -> Dropper.Delf.th : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2840.tmp -> Logger.Agent.jt : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2912.tmp -> Logger.Agent.jt : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2960.tmp -> Downloader.Small.bwk : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\2988.tmp -> Dropper.Delf.th : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3160.tmp -> Logger.Agent.jt : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3236.tmp -> Downloader.Agent.afl : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3252.tmp -> Downloader.Small.ckn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3264.tmp -> Downloader.Small.skn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3268.tmp -> Dropper.Delf.th : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\328.tmp -> Downloader.Small.ckn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3340.tmp -> Downloader.Small.ckn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3352.tmp -> Downloader.Small.skn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3360.tmp -> Dropper.Delf.th : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\3480.tmp -> Logger.Agent.jt : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\01808300\408.tmp -> Downloader.Small.ckn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\5.qtdfmp -> Downloader.Small.awa : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\msdoc.exe -> Logger.Small.dg : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\vxt1.game -> Downloader.Small.ckn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\vxt2.game -> Downloader.Small.skn : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temp\vxt3.game -> Dropper.Delf.th : Cleaned with backup
    C:\Documents and Settings\GomerPyle\Local Settings\Temporary Internet Files\Content.IE5\AVL88YMZ\ntraf11[1].dat -> Logger.Small.dg : Cleaned with backup


::Report End

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:01 PM, on 3/9/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.msn.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409[/url]
F2 - REG:system.ini: Shell=explorer.exe 
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655[/url]
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - [url]http://launch.gamespyarcade.com/software/launch/alaunch.cab[/url]
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - [url]http://zone.msn.com/bingame/luxr/default/mjolauncher.cab[/url]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [url]http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by mike_2000_17: Fixed formatting

0

Sorry for the double post; I can't edit my last post, the 30-minute time limit has expired.

I found out that there was a mistake in the instructions for HaxFix. I just had to type winm, not winm32 (I did a Google search for winm32).

Anyway, here's the HaxFix log:

HAXFIX logfile
--------------
by Marckie


haxdoor key: winm


searching for services....
services found


deleting services.....
[SWSC] StopService FAIL
[SWSC] DeleteService FAIL
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor notify subkey: winm


searching for services....
services not found


checking if files are found.....
winm32.dll exist
winm32.sys exist
winm64.sys exist
qy.sys exist
klogini.dll exist
p3.ini exist
ps.a3d exist
winm16.dll not found
winm16.sys not found
winm24.sys not found
klgcptini.dat not found
qm.dll not found
qm.sys not found
qy.dll not found
qz.dll not found
qz.sys not found
stt82.ini not found
klo5.sys not found
fux87.ini not found


deleting files.....


checking if files are deleted.....
winm32.dll not found
winm32.sys not found
winm64.sys not found
winm16.dll not found
winm16.sys not found
winm24.sys not found
klgcptini.dat not found
qm.dll not found
qm.sys not found
qy.dll not found
qy.sys not found
qz.dll not found
qz.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
ps.a3d not found
klo5.sys not found
fux87.ini not found

Finished

...and a new HJT log. I just looked and that winm32 file seems to be gone! Yay, finally!

Logfile of HijackThis v1.99.1
Scan saved at 2:19:35 PM, on 3/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Anything else I should change/delete?

EDIT: There's one more minor problem: my desktop wallpaper is gone (and has been for the past few days), and I can't seem to be able to reapply it (or any other wallpaper). Anything in the HJT log that makes wallpaper disappear?

0

First I would uninstall Messenger Plus 3! as it usually contains Lop

Go to Start>Run type Services.msc
Right click Windows Logon Process Service and choose Stop if it allows you.
Now choose Properties and change Startup Type to Disabled

Now open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
Enter Windows Logon Process Service into the box and delete it.

Now check and fix this in HijackThis if present

O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)

Now delete the file if it exists

C:\WINDOWS\winlogon.exe

Next Download ISeeYou
http://forum.networktechs.com/attachment.php?attachmentid=22563&d=1141266457
-Save to your desktop
-Boot to Safe Mode
-Double click ISeeYou.bat and let it run
-Attach the log when you return

For the desktop issue, let's check this first...

Right click the Desktop
-Choose Properties
-Click Desktop tab and then choose Customize Desktop
-Click Web tab

Verify nothing else is in the box other than My Current Homepage and that it is unchecked.
Anything else in there - highlight it uncheck it and choose Delete

0

First I would uninstall Messenger Plus 3! as it usually contains Lop

Go to Start>Run type Services.msc
Right click Windows Logon Process Service and choose Stop if it allows you.

Stop was grayed out, so I couldn't do that.

Now choose Properties and change Startup Type to Disabled

Did that.

Now open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
Enter Windows Logon Process Service into the box and delete it.

Done and done.

Now check and fix this in HijackThis if present

Huh, for some reason the filename is gone, but I remember what it was (or most of it) and it wasn't in there.

Now delete the file if it exists

Didn't exist.

Next Download ISeeYou
http://forum.networktechs.com/attachment.php?attachmentid=22563&d=1141266457
-Save to your desktop
-Boot to Safe Mode
-Double click ISeeYou.bat and let it run
-Attach the log when you return

I couldn't figure out how to save the log, but all it said was "The system cannot find the file specified" four times in a row.

For the desktop issue, let's check this first...

Right click the Desktop
-Choose Properties
-Click Desktop tab and then choose Customize Desktop
-Click Web tab

Verify nothing else is in the box other than My Current Homepage and that it is unchecked.
Anything else in there - highlight it uncheck it and choose Delete

That didn't work. There was nothing in the box other than "My Current Homepage" and it was unchecked.

0

Unusual! PhilliePhan must be tweaking ISeeYou

The 023 line was supposed to be gone, so thats good ;)

When we are finished you really need to update to Service Pack 2 as you are completely vulnerable right now.

Let's run Spysweeper - it can detect Lop. Also - I just noticed your WinPFind log seems to be incomplete, as it doesnt show the System32 or WINDOWS directory...

Spysweeper
http://www.ianag.com/files/14/SpySweeperTrialSetup_EN-MajorGeeks.exe
-Update it to the latest definitions and run it
-Remove everything it finds
-Save me the log

Go to this link and follow the instructions to scan with WinPFind by OldTimer.
Please submit the WinPFind Log along with the fresh HJT Log.

Now for the desktop
-Copy the below to notepad
-Save the file as Fix.reg
-Doubleclick it and answer YES to merge into the registry
-Reboot and try the wallpaper

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"ForceActiveDesktopOn"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
"Use Search Asst"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[-HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-
"WindowsFZ"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]

0

What is Service Pack 2?

For some reason, WinPFind isn't working for me. It only seems to be scanning one file, which is a .txt file so it shouldn't take very long, but it seems to be taking forever. But anyway, here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:51 AM, on 3/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

... and the Spy Sweeper log:

********
10:34 AM: | Start of Session, Friday, March 10, 2006 |
10:34 AM: Spy Sweeper started
10:35 AM: Your spyware definitions have been updated.
10:35 AM: Processing Hosts File Alerts
10:35 AM: Fixed Hosts File entry: eset.com
10:35 AM: Fixed Hosts File entry: www.eset.com
10:35 AM: Fixed Hosts File entry: u2.eset.com
10:35 AM: Fixed Hosts File entry: u3.eset.com
10:35 AM: Fixed Hosts File entry: u4.eset.com
10:35 AM: Fixed Hosts File entry: u7.eset.com
10:35 AM: Fixed Hosts File entry: 82.165.250.33
10:35 AM: Fixed Hosts File entry: 82.165.237.14
10:35 AM: Fixed Hosts File entry: metalhead2005.info
10:35 AM: Fixed Hosts File entry: d66.myleftnut.info
10:35 AM: Fixed Hosts File entry: irc.blackcarder.net


I'll see if I can get the WinPFind to work a little later.

The wallpaper dealie worked! Yay! But when I tried to move fix.reg to the registry, this message came up:

"Cannot import C:\DOCUME~1\MYSTIC~1\MYDOCU~1\Fix.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes." Do I need to worry about that at all?

0

Well then if you received that error during the registry import, something didnt work. But, if Spysweeper got your wallpaper back by removing them hidden hosts that's fine :)

Are you having anymore problems? Your log looks good besides the fact you kept Messenger Plus 3 - I would still uninstall that.

Service Pack 2 is a large Windows updates that cover many security gaps left in the Windows XP Operating System. You need to visit Windows Update ASAP.

0

I would uninstall Messenger Plus 3, but I don't know where it is exactly on the computer (the file path).

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.