suzannebaer Posted September 2, 2007 Report Share Posted September 2, 2007 About a year ago, thanks to Norton (which randomly decided to stop running) I got some kind of downloader on my system. It took a few weeks and lots of help from my big brother--who also suggested I run AVG anti-virus instead--but the problem appeared to be cleared up. And after a few weeks I let AVG run a pre-scheduled daily check and stopped manually scanning or paying really close attention. So I just realized that for months AVG has been quietly removing the same tracking cookies from my computer every day. I don't know if this is related to the previous problem or something new. AVG has not found any viruses, just the spyware/adware. I've run Adware and Spybot and they both also find and remove tracking cookies, but they just return (for example Spybot has cleaned "Burst Media" off my computer 3 times today, it appears again everytime I scan). In trying to search to find what programs should or shouldn't be running, I found links to the forums with Hijack this logs, so I thought if I posted one, someone might be able to identify what is putting this stuff back on my systemThank you for any help or suggestions you can give me!Logfile of HijackThis v1.99.1Scan saved at 5:09:31 PM, on 9/1/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\WINDOWS\stsystra.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\ATI Technologies\ATI.ACE\CLI.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\DellSupport\DSAgnt.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exeC:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exeC:\Program Files\Spybot - Search & Destroy\SpybotSD.exeC:\Documents and Settings\Karen\My Documents\Hijack This\HijackThis.exeC:\Program Files\Mozilla Firefox\firefox.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: (no name) - {6f550791-000c-474d-a7ca-69ba91dd00d7} - C:\WINDOWS\system32\grpclt.dll (file missing)O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startupO4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exeO4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /SO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: hp psc 1000 series.lnk = ?O4 - Global Startup: hpoddt01.exe.lnk = ?O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cabO16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cabO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dllO20 - Winlogon Notify: grpclt - grpclt.dll (file missing)O20 - Winlogon Notify: mljji - mljji.dll (file missing)O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeO23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Link to post Share on other sites
martymas Posted September 2, 2007 Report Share Posted September 2, 2007 those tracking cookies need to be restrictedif you go totools- .internet optionsopen the privacy tab and see if your cookies are opened if they are you need to set first party cookies at block or prompt and third party cookies to block if it isnt opened you need click on the box that is greyed out which will open the optionsi suggest you set all cookies at blockthen you wont get tracking cookies if you have adaware it is very good to find tracking cookies TC can be dangerous as it will open up abuse of your credit card and your telephonne accountmarty Link to post Share on other sites
Bubba Bob Posted September 2, 2007 Report Share Posted September 2, 2007 (edited) If you block all cookies, remember some sites store your user name adn password in a cookie. No biggy for me, just an FWIAnd, tracking cookies are quite normal to find. Open up IE one time, and BAM! So, dont worry too much Also, welcome to Besttechie! Someone will hopefully be by shortly to read your HJT Log Edited September 2, 2007 by Bubba Bob Link to post Share on other sites
Andro1d Posted September 2, 2007 Report Share Posted September 2, 2007 Hello and Welcome to BT. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today. Step 1Please download ATF Cleaner by Atribune.This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.Under Main choose: Select AllClick the Empty Selected button.If you use Firefox browserClick Firefox at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browserClick Opera at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.Step 2Please download VundoFix.exe to your desktopDouble-click VundoFix.exe to run it.Click the Scan for Vundo button.Once it's done scanning, click the Remove Vundo button.You will receive a prompt asking if you want to remove the files, click YESOnce you click yes, your desktop will go blank as it starts removing Vundo.When completed, it will prompt that it will reboot your computer, click OK.Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.Step 3Download Deckard's System Scanner (DSS) to your Desktop.Close all applications and windows.Double-click on DSS.exe to run it, and follow the prompts.When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)Step 4Please post the vundofix.txt and the DSS Log in your next reply. Link to post Share on other sites
suzannebaer Posted September 2, 2007 Author Report Share Posted September 2, 2007 Thanks for Helping. VundoFix said it found no infected files. I clicked Remove Vundo anyway and it said again that it found no infected files and would close (which it promptly did).Vundo Log:VundoFix V6.5.7Checking Java version...Java version is 1.4.2.3Old versions of java are exploitable and should be removed.Scan started at 10:14:39 AM 9/2/2007Listing files found while scanning....No infected files were found.Beginning removal... Here is the DSS Log:Deckard's System Scanner v20070826.66Run by Karen on 2007-09-02 10:19:26Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Successfully created a Deckard's System Scanner Restore Point.-- Last 5 Restore Point(s) --93: 2007-09-02 17:19:41 UTC - RP412 - Deckard's System Scanner Restore Point92: 2007-09-01 18:37:32 UTC - RP411 - System Checkpoint91: 2007-08-31 10:00:54 UTC - RP410 - Software Distribution Service 3.090: 2007-08-30 10:19:51 UTC - RP409 - System Checkpoint89: 2007-08-29 10:00:19 UTC - RP408 - Software Distribution Service 3.0-- First Restore Point -- 1: 2007-06-05 03:26:35 UTC - RP320 - System CheckpointBacked up registry hives.Performed disk cleanup.-- HijackThis (run as Karen.exe) -----------------------------------------------Logfile of HijackThis v1.99.1Scan saved at 10:21:52 AM, on 9/2/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\WINDOWS\stsystra.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\ATI Technologies\ATI.ACE\CLI.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\DellSupport\DSAgnt.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exeC:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exeC:\Documents and Settings\Karen\Desktop\dss.exeC:\DOCUME~1\Karen\MYDOCU~1\HIJACK~1\Karen.exeC:\WINDOWS\system32\NOTEPAD.EXER1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: (no name) - {6f550791-000c-474d-a7ca-69ba91dd00d7} - C:\WINDOWS\system32\grpclt.dll (file missing)O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startupO4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exeO4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /SO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: hp psc 1000 series.lnk = ?O4 - Global Startup: hpoddt01.exe.lnk = ?O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dllO12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cabO16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cabO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dllO20 - Winlogon Notify: grpclt - grpclt.dll (file missing)O20 - Winlogon Notify: mljji - mljji.dll (file missing)O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeO23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe-- File Associations -----------------------------------------------------------All associations okay.-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------All services whitelisted.-- Device Manager: Disabled ----------------------------------------------------No disabled devices found.-- Scheduled Tasks -------------------------------------------------------------2005-12-01 18:39:09 342 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125386913.job-- Files created between 2007-08-02 and 2007-09-02 -----------------------------2007-09-02 10:14:39 0 d-------- C:\VundoFix Backups2007-09-01 16:53:20 0 d-------- C:\Documents and Settings\Karen\.housecall6.62007-09-01 11:17:46 0 d-------- C:\Program Files\a-squared Free2007-09-01 10:59:57 0 d-------- C:\Program Files\SpywareBlaster2007-08-29 18:39:40 0 d-------- C:\Temp2007-08-13 22:36:44 0 d-------- C:\Documents and Settings\Karen\Application Data\InstallShield-- Find3M Report ---------------------------------------------------------------2007-09-01 09:24:29 0 d-------- C:\Documents and Settings\Karen\Application Data\AVG72007-08-29 18:39:53 0 d-------- C:\Program Files\Sony2007-08-13 22:37:04 0 d--h----- C:\Program Files\InstallShield Installation Information-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f550791-000c-474d-a7ca-69ba91dd00d7}] C:\WINDOWS\system32\grpclt.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 03:48 PM]"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 09:20 PM C:\WINDOWS\STSYSTRA.EXE]"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 06:12 PM]"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 02:19 PM]"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/26/2005 11:02 PM]"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/13/2007 08:23 AM]"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [09/25/2006 10:12 AM]"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/14/2006 05:48 PM][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 AM]"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [05/29/2007 06:34 PM]"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [4/6/2003 1:17:18 AM]hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 1:06:58 AM]QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 9:59:36 AM][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf] avgwlntf.dll 02/22/2007 09:20 AM 9216 C:\WINDOWS\system32\avgwlntf.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\grpclt] grpclt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljji] mljji.dll -- Hosts -----------------------------------------------------------------------127.0.0.1 babe.the-killer.bz127.0.0.1 www.babe.the-killer.bz127.0.0.1 babe.k-lined.com127.0.0.1 www.babe.k-lined.com127.0.0.1 did.i-used.cc127.0.0.1 www.did.i-used.cc127.0.0.1 coolwwwsearch.com127.0.0.1 www.coolwwwsearch.com127.0.0.1 coolwebsearch.com127.0.0.1 www.coolwebsearch.com6503 more entries in hosts file.-- End of Deckard's System Scanner: finished at 2007-09-02 10:23:35 ------------Deckard's System Scanner v20070826.66Extra logfile - please post this as an attachment with your post.---------------------------------------------------------------------------------- System Information ----------------------------------------------------------Microsoft Windows XP Home Edition (build 2600) SP 2.0Architecture: X86; Language: EnglishCPU 0: Intel® Pentium® 4 CPU 2.80GHzCPU 1: Intel® Pentium® 4 CPU 2.80GHzPercentage of Memory in Use: 40%Physical Memory (total/avail): 1022.07 MiB / 607.36 MiBPagefile Memory (total/avail): 1785.48 MiB / 1327.59 MiBVirtual Memory (total/avail): 2047.88 MiB / 1969.88 MiBC: is Fixed (NTFS) - 71.04 GiB total, 52.33 GiB free. D: is CDROM (CDFS)\\.\PHYSICALDRIVE0 - SAMSUNG HD080HJ - 74.5 GiB - 3 partitions \PARTITION0 - Unknown - 47.03 MiB \PARTITION1 (bootable) - Installable File System - 71.04 GiB - C: \PARTITION2 - Unknown - 3.41 GiB-- Security Center -------------------------------------------------------------AUOptions is scheduled to auto-install.Windows Internal Firewall is enabled.FirstRunDisabled is set.FW: AVG Firewall 7.5.475 v7.5.475 (GRISOFT)AV: AVG 7.5.485 v7.5.485 (GRISOFT)[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL""C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL""C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL""C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL""C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL""C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe""C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe""C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe""C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent""C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"-- Environment Variables -------------------------------------------------------ALLUSERSPROFILE=C:\Documents and Settings\All UsersAPPDATA=C:\Documents and Settings\Karen\Application DataCLIENTNAME=ConsoleCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=D51N8481ComSpec=C:\WINDOWS\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Documents and Settings\KarenLOGONSERVER=\\D51N8481NUMBER_OF_PROCESSORS=2OS=Windows_NTPath=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\ATI.ACE\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSHPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntelPROCESSOR_LEVEL=15PROCESSOR_REVISION=0401ProgramFiles=C:\Program FilesPROMPT=$P$GSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WINDOWSTEMP=C:\DOCUME~1\Karen\LOCALS~1\TempTMP=C:\DOCUME~1\Karen\LOCALS~1\TempUSERDOMAIN=D51N8481USERNAME=KarenUSERPROFILE=C:\Documents and Settings\Karenwindir=C:\WINDOWS-- User Profiles ---------------------------------------------------------------Karen (admin)Administrator (admin)-- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.infa-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOGAdobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exeATI Catalyst Control Center --> MsiExec.exe /I{7B76034B-B3ED-46D5-8C66-DEB102CB830A}ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -cleanAVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALLBasic Facts Worksheet Factory --> MsiExec.exe /I{1E85CABF-0984-482A-BF5D-E9AC4BF33694}Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033 Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010} Canon Camera Window DVC for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734} Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635} Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED} Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7} Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA} Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA} Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}EverQuest Titanium --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32714287-4234-412A-877B-D33AFABFDE2B}\setup.exe" -l0x9 EverQuest: The Anniversary Edition --> C:\Program Files\InstallShield Installation Information\{6BB7C3F8-40EC-4ACD-8F7C-78B769B34B08}\setup.exe -runfromtemp -l0x0009 -removeonlyGet High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}Gradekeeper --> "C:\WINDOWS\Gradekeeper\uninstall.exe" "/U:C:\Program Files\Gradekeeper\irunin.xml"High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exeHijackThis 1.99.1 --> C:\Documents and Settings\Karen\My Documents\Hijack This\HijackThis.exe /uninstallHotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}HP Photo and Imaging 2.0 - hp psc 1200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboothp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"Intel® PRO Network Connections Software v9.2.4.11 --> C:\Program Files\Intel\DMIX\uninst\DxSetup.exe /x /qr /le C:\DOCUME~1\Owner\LOCALS~1\Temp\PROSetDX\DMIX\\DxUninst.logIntel® PROSafe for Wired Connections --> MsiExec.exe /I{36BD0774-6CD6-4FF9-A148-83CA09AC123E}Intel® PROSafe for Wired Connections --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exeJasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exeLiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /UMacromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}Mathematics Worksheet Factory Deluxe 3.0 Trial --> MsiExec.exe /I{0508AAE1-3AB9-4DBF-918D-1862A050C215}Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9 Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelModem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyTextMove Networks Player for Firefox --> "C:\PROGRA~1\MOZILL~1\plugins\unins000.exe"Mozilla Firefox (2.0.0.4) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exeMozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exeMusicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exeNetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstallQuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1 QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.logRealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0SCA1 Algebra 1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Prentice Hall\Resource Pro\Algebra 1\Uninst.isu"Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}TBS WMP Plug-in --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BFC7D0F-FA4A-4FDC-AA03-440655EA656A}\setup.exe" -l0x9 -removeonlyThe Print Shop® 6.0 Deluxe --> C:\WINDOWS\UNINST.EXE -f"C:\THEPRI~1\THEPRI~1.0DE\DeIsL1.isu" -c"C:\THEPRI~1\THEPRI~1.0DE\psfinst.dll"Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /uVISTAS2e ICDROM (remove only) --> "C:\Program Files\VISTAS2e\ICDROM\uninstall.exe"WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}Worldlabel.Com Label Designer 4 --> "C:\Program Files\WorldLabel.Com\Label Designer 4\Uninstall\unins000.exe"-- Application Event Log -------------------------------------------------------Event Record #/Type210711 / ErrorEvent Submitted/Written: 09/01/2007 04:33:47 PMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application MySpaceIM.exe, version 1.0.697.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Event Record #/Type210656 / ErrorEvent Submitted/Written: 09/01/2007 09:27:30 AMEvent ID/Source: 100 / AVG7Event Description:2007-09-01 16:27:30,734 D51N8481 [000592:000664] ERROR 000 AVG7.CORE DeviceIoControl failed, err=2Event Record #/Type210655 / ErrorEvent Submitted/Written: 09/01/2007 09:27:30 AMEvent ID/Source: 100 / AVG7Event Description:2007-09-01 16:27:30,234 D51N8481 [000592:000664] ERROR 000 AVG7.CORE DeviceIoControl failed, err=2Event Record #/Type210654 / ErrorEvent Submitted/Written: 09/01/2007 09:27:29 AMEvent ID/Source: 100 / AVG7Event Description:2007-09-01 16:27:29,734 D51N8481 [000592:000664] ERROR 000 AVG7.CORE DeviceIoControl failed, err=2Event Record #/Type210653 / ErrorEvent Submitted/Written: 09/01/2007 09:27:29 AMEvent ID/Source: 100 / AVG7Event Description:2007-09-01 16:27:29,234 D51N8481 [000592:000664] ERROR 000 AVG7.CORE DeviceIoControl failed, err=2-- Security Event Log ----------------------------------------------------------No Errors/Warnings found.-- System Event Log ------------------------------------------------------------Event Record #/Type159959 / WarningEvent Submitted/Written: 09/02/2007 06:11:43 AMEvent ID/Source: 36 / W32TimeEvent Description:The time service has not been able to synchronize the system timefor 49152 seconds because none of the time providers has been able toprovide a usable time stamp. The system clock is unsynchronized.Event Record #/Type159858 / ErrorEvent Submitted/Written: 09/01/2007 10:00:18 PMEvent ID/Source: 7011 / Service Control ManagerEvent Description:Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.Event Record #/Type159697 / ErrorEvent Submitted/Written: 09/01/2007 09:29:20 AMEvent ID/Source: 1002 / DhcpEvent Description:The IP address lease 192.168.1.64 for the Network Card with network address 00123F9DB902 has beendenied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).Event Record #/Type159693 / ErrorEvent Submitted/Written: 09/01/2007 09:27:27 AMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""in order to run the server:{1BE1F766-5536-11D1-B726-00C04FB926AF}Event Record #/Type159692 / ErrorEvent Submitted/Written: 09/01/2007 09:24:46 AMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1084" attempting to start the service Avg7Alrt with arguments "-Service"in order to run the server:{3486DF65-1D90-406A-A072-30629910F113}-- End of Deckard's System Scanner: finished at 2007-09-02 10:23:35 ------------ Link to post Share on other sites
Andro1d Posted September 2, 2007 Report Share Posted September 2, 2007 (edited) Hey suzannebaer,Step 1Please re-open HijackThis and scan. Check the boxes next to all the entries listed below. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html O2 - BHO: (no name) - {6f550791-000c-474d-a7ca-69ba91dd00d7} - C:\WINDOWS\system32\grpclt.dll (file missing)O20 - Winlogon Notify: grpclt - grpclt.dll (file missing)O20 - Winlogon Notify: mljji - mljji.dll (file missing)Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis. Step 2Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):C:\WINDOWS\system32\grpclt.dllC:\WINDOWS\system32\mljji.dllC:\WINDOWS\mljji.dllStep 3Download HostsXpert.zipExtract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpertDouble-click HostsXpert.exe to run the program.Click "Make Hosts Writable?" in the upper right corner (If available).Click "Restore Microsoft's Hosts file" and then click "OK".Click the X to exit the program.Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.Step 4Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2...allows end-users to run Java applications".Click the "Download" button to the right.Read the License Agreement and then check the box that says: "Accept License Agreement".The page will refresh.Click on the link to download Windows Offline Installation and save the file to your desktop.Close any programs you may have running - especially your web browser.Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versions.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.Step 5Please download ATF Cleaner by Atribune.This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.Under Main choose: Select AllClick the Empty Selected button.If you use Firefox browserClick Firefox at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browserClick Opera at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.Step 6Download and scan with SUPERAntiSpyware Free for Home UsersDouble-click SUPERAntiSpyware.exe and use the default settings for installation.An icon will be created on your desktop. Double-click that icon to launch the program.If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)Under "Configuration and Preferences", click the Preferences button.Click the Scanning Control tab.Under Scanner Options make sure the following are checked (leave all others unchecked):Close browsers before scanning.Scan for tracking cookies.Terminate memory threats before quarantining.[*]Click the "Close" button to leave the control center screen.[*]Back on the main screen, under "Scan for Harmful Software" click Scan your computer.[*]On the left, make sure you check C:\Fixed Drive.[*]On the right, under "Complete Scan", choose Perform Complete Scan.[*]Click "Next" to start the scan. Please be patient while it scans your computer.[*]After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".[*]Make sure everything has a checkmark next to it and click "Next".[*]A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.[*]If asked if you want to reboot, click "Yes".[*]To retrieve the removal information after reboot, launch SUPERAntispyware again.Click Preferences, then click the Statistics/Logs tab.Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.Please copy and paste the Scan Log results in your next reply.[*]Click Close to exit the program. Edited September 2, 2007 by MoNsTeReNeRgY22 Link to post Share on other sites
suzannebaer Posted September 3, 2007 Author Report Share Posted September 3, 2007 Here's what I got from SuperAntiSpyware:SUPERAntiSpyware Scan Loghttp://www.superantispyware.comGenerated 09/03/2007 at 00:04 AMApplication Version : 3.9.1008Core Rules Database Version : 3298Trace Rules Database Version: 1306Scan type : Complete ScanTotal Scan Time : 01:39:26Memory items scanned : 524Memory threats detected : 0Registry items scanned : 5727Registry threats detected : 1File items scanned : 84565File threats detected : 3Unclassified.Unknown Origin HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}Adware.Tracking Cookie C:\Documents and Settings\Karen\Cookies\karen@1067912086[1].txt C:\Documents and Settings\Karen\Cookies\[email protected][2].txt C:\Documents and Settings\Karen\Cookies\karen@1068527783[1].txt Link to post Share on other sites
Andro1d Posted September 3, 2007 Report Share Posted September 3, 2007 Nice job your log looks clean ! How is it running ?Please use the following suggestion to help prevent reinfection.Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)Now we need to make a new System Restore Point for your PC, please do the followingClick Start, Settings, Control PanelDouble-click the System iconClick the Performance tab, File System, Troubleshooting tabCheck "Turn off System Restore" and click "Apply". Please give a moment as it will delete the old System Restore pointsThen uncheck "Turn off System Restore" which will create a new System Restore pointClick OKI highly recommend downloading the following programs, to keep malware of your computer to begin with.The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.SUPERAntiSpyware - A very powerful tool which searches and kills malware that infect your system. SpywareBlaster - Great prevention tool to keep malware from installing on your system.**Tutorial on installing & using this product can be found HERE**SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.**Tutorial on installing & using this product can be found HERE**IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.**Tutorial on installing & using this product can be found HERE**ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in the temp folders.AntiVirus Program An AntiVirus program is a must in today's digital world! I recommend avast! 4 Home Edition, AVG, or Anti-Vir. DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more.Firewall A firewall is definitely a must have to protect your computer from hackers. I recommend Comodo, Zone Alarm, or Outpost.**Tutorial on Firewalls can be found HERE**Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.You must stay on top of your updates at all times, for the above mentioned applications.It is vitally important to stay on top of your critical updates provided by microsoft.And finally a little How did I get infected in the first place?(by Tony Klein)Good luck and safe surfing Link to post Share on other sites
suzannebaer Posted September 3, 2007 Author Report Share Posted September 3, 2007 Thank you so much for your help! Things seem to be running well!I already have most of the programs you mentioned at this point, will work on downloading and running the rest. Link to post Share on other sites
Andro1d Posted September 4, 2007 Report Share Posted September 4, 2007 Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic. Link to post Share on other sites
Recommended Posts