Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

My Messy Log

Started by nonlinear , Feb 24 2006 02:17 AM

  • This topic is locked This topic is locked
48 replies to this topic

#1 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 24 February 2006 - 02:17 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:14:52 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inloader.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\System32\gpkcsp.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\MSOffice\Office\MSOFFICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpyCatcher 2006\Protector.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\A\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://store.presari...onsumerfav&c=3c

01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class -

{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program

Files\JUSearch\SearchEnh1.dll
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://home.netscape.../7_0/home.html"); (C:\Documents and

Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplu

gins%5CSBWeb_01.src"); (C:\Documents and Settings\A\Application

Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} -

C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft

Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft

Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button

Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher

2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [gpkcsp] C:\WINDOWS\System32\gpkcsp.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler

daemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk =

C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk =

C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk =

C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher

2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program

files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program

files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} -

C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?

s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.micros...t/wuweb_site.ca

b?1126990430550
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) -

http://www.gamespot....ownload/kdx.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{17AE2F13-8896-4A5E-961E-129F51DAA1A9}:

NameServer = 63.93.96.20 63.93.96.21
O17 -

HKLM\System\CS1\Services\Tcpip\..\{17AE2F13-8896-4A5E-961E-129F51DAA1A9}:

NameServer = 63.93.96.20 63.93.96.21
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: inloader - Unknown owner - C:\WINDOWS\System32\inloader.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. -

C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by nonlinear, 24 February 2006 - 02:33 AM.

    Advertisements

Register to Remove

#2 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 05 March 2006 - 06:34 AM

If you still need help and haven't posted at another forum, post another log from hijackthis. I will get to it as soon as I can.

Also updating and scanning with Spybot and Ad-aware would be a good idea.
Click here for Instructions on how to Scan with Spybot S&D and Ad-Aware

Also in notepad click format and make sure word wrap is unchecked.
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#3 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 06 March 2006 - 02:50 AM

Thanks for your reply and offer to help, little eagle

My new log is below.

In Notepad, word wrap is unchecked.

I ran Spybot again today. Got same "Error During Check! BackOrifice.B [Datei C:\WINDOWS\Wininit.ini kann nicht geoffnet werden. The process cannot access the file because it is being used by..."
This has happened with every check since sometime last year, perhaps around the same time as i lost all Explorer dependent applications.

The frequent explorer-related error message is "Microsoft Visual C++ Runtime Library X Runtime Error! Program:C:\Program Files\Internet Explorer\iexplore.exe The application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."

An error message i get right after startup, on desktop before any windows are opened is: "KHost.exe - Unable to Locate Compoment This application has failed to start because klws.dll was not found. Reinstalling the application may fix the problem.

I deleted a new program detected by Watchdog - C:\WINDOWS\SYSTEM32\usrv80-a.exe

The first thing i did today was to download,install and run Ad-Aware, per the forum tutorial instructions. It froze up during every Deep Scan, always stopped at a benign folder of text documents - basic letters written by me in a folder titiled KONG. So i did a Smart Scan, quarantining 1 trojan downloader agent and 67 lesser threats. Then i attempted Deep Scan again but same result of unresponsive computer.

I hope this information helps you to help me. Thanks in advance, from nonlinear

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:24 PM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inloader.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\JUSearch\hcm.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\A\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisea
rch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126990430550
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: inloader - Unknown owner - C:\WINDOWS\System32\inloader.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by nonlinear, 06 March 2006 - 02:54 AM.

#4 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 06 March 2006 - 05:30 AM

Download System Security Suite v1.04 here
Tutorial here.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot in safe mode. Close all Browser and Program Windows.
Have HijackThis fix the following. Do this by checking the box beside each and then clicking on Fix checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O23 - Service: inloader - Unknown owner - C:\WINDOWS\System32\inloader.exe

You may need to set you computer to show hidden files. Click here for Instructions.
Then click start>my computer>local disk
(then follow the path) or Using Windows Explorer, locate the following files/folders, and delete them:
Delete the following file(s) listed.

C:\WINDOWS\System32\inloader.exe


Reboot then Run 3S under “Items To Clear” tab place a checkmark in all of them but user defined folders.
Reboot and Rescan with HJT and post a new log here.
Also please describe how your computer behaves now.
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#5 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 07 March 2006 - 02:14 AM

Okay i did all you suggested. Upon startup, it takes a long time for icons to appear on blank desktop. Then i get the Khost.exe error message to install klws.dll. Tried to open Explorer and got same Runtime error.
But pages load faster since i ran all those anti-spy programs.

Odd recent problem is when i go to a new page and click on it , instead the url addresses drop down, until i click on page several times. Some features of touchpad still disabled, since i got message that computer had detected another device.

Thank you again. Here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 PM, on 3/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\JUSearch\hcm.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\MSOffice\Office\MSOFFICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\A\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126990430550
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 07 March 2006 - 09:30 AM

The khost.exe process is used by the kontiki 'delivery management system' (DMS). The Kontiki DMS system is used to share and track files across a network or the internet. If you access data that is provided using the Kontiki DMS system you should leave this process running. Otherwise, it can be terminated.

the file klws.dll can be found here http://www.afreedll....o/klws_dll.html

Or you can kill O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe with hijackthis and delete the file.
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#7 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 08 March 2006 - 02:43 AM

Any ideas as to how to regain use of internet explorer? Not only for web browsing; the runtime error message comes up whenever i try to open saved documents, email photos and several other actions where it is involved by default. So that is my priority now. If you want to recommend a program to block popups, please do. I have not posted another HJT log since no changes have been made - hope i am correct in thinking that. I did download the file dlws.dll but i see from the last HJT log that i already had 04-HKLM\..\Run:[kdx]... i don't understand why i would get the KHost message before i even tried to open a window or do anything, having just turned the computer on. The computer is definitely less sluggish than it had been. I can't thank you enough for your help with my computer, and everybody else's thank you again, little eagle

Edited by nonlinear, 08 March 2006 - 02:46 AM.

#8 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 08 March 2006 - 08:33 AM

Any ideas as to how to regain use of internet explorer?

http://support.micro...123120121120120

If you want to recommend a program to block popups, please do.

FireFox or google toolbar.

i don't understand why i would get the KHost message before i even tried to open a window or do anything

It was not finding the .dll file.
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#9 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 09 March 2006 - 02:54 AM

Tried the obvious (to me) things long before i found my way to this forum. The microsoft pages do not address my particular problem. Uninstalling and reinstalling INTERNET EXPLORER does not help, and it does not help to reinstall Sp2. There are entries on google with my specific RUNTIME ERROR message, but none of them i found had the same situation or system... anyway nothing applicable has come up.

***Spybot still gets :"!Error During Check! BackOrifice.B [Datei C:\WINDOWS\wininit.ini kann nicht geoffnet werden." that it cannot access because this phantom file is supposedly in use.

and still the Khost error message and it is not looking for klws.dll on my behalf, like i said it happens on startup before i have a chance to initiate anything. Today Spycatcher intercepted "Wild Tangent" adware twice, immediately after restarts, and since then i have had several restarts without the message


Logfile of HijackThis v1.99.1
Scan saved at 12:33:13 AM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\A\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126990430550
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17AE2F13-8896-4A5E-961E-129F51DAA1A9}: NameServer = 63.93.96.20 63.93.96.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{17AE2F13-8896-4A5E-961E-129F51DAA1A9}: NameServer = 63.93.96.20 63.93.96.21
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 09 March 2006 - 08:47 AM

Download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite and post the results here.
With a new hijackthis log.
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

    Advertisements

Register to Remove

#11 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 09 March 2006 - 03:01 PM

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:53:05 PM, 3/9/2006
+ Report-Checksum: 4140D1DE

+ Scan result:

:mozilla.23:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Ignored
:mozilla.6:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.27:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.28:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.29:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.30:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.31:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.32:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.40:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.41:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.44:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.45:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.47:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.53:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.55:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.58:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.59:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.60:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.61:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.62:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.63:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.64:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.65:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.66:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.69:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.80:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.81:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.91:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.92:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.108:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.118:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.119:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.120:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.121:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.125:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.126:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.128:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.129:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.130:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.131:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.132:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.133:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.134:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.135:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.136:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.137:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.138:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.139:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.140:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.141:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.142:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.143:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.155:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.156:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.157:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.158:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.160:C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP515\A0085174.exe -> Downloader.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP516\A0085368.exe -> Downloader.Reqlook.d : Cleaned with backup
C:\WINDOWS\SYSTEM32\test.bmp -> Downloader.Reqlook.d : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:56:06 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\A\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\A\Application Data\Mozilla\Profiles\default\r9wo24w2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126990430550
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17AE2F13-8896-4A5E-961E-129F51DAA1A9}: NameServer = 63.93.96.20 63.93.96.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{17AE2F13-8896-4A5E-961E-129F51DAA1A9}: NameServer = 63.93.96.20 63.93.96.21
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 10 March 2006 - 11:17 AM

Click start > control panel > user accounts > change the way users log on or off > uncheck fast user switching > restart you computor.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysintern...itRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your Log File
Copy/Paste the contecnts of that logfile into your next reply

NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

That way you should have a much simpler and clearer log file in which to peruse and evaluate.
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#13 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 11 March 2006 - 03:40 PM

Thanks, it was very interesting to read about rootkits. There were some complications saving my logfile. And then it had to be both found again and not be missing shortcuts. What finally worked was to save in SYSTEM32 (default option, i think) and find again via Notepad on Start Menu. Here is my RootkitRevealer logfile. 18 discrepancies found: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch 3/11/2006 11:55 AM 4 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6319ED0D-B818-464C-916D-4F720997EC44}\DhcpRetryTime 3/11/2006 11:55 AM 4 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6319ED0D-B818-464C-916D-4F720997EC44}\DhcpRetryStatus 3/11/2006 11:55 AM 4 bytes Data mismatch between Windows API and raw hive data. C:\Documents and Settings\A\My Documents\Maps,Topo U.S\Mountain States\TOPOUSA2RMS (D)\layout.bin 4/30/1999 3:12 AM 629 bytes Hidden from Windows API. C:\Documents and Settings\A\My Documents\Maps,Topo U.S\SoutheastU.S\TOPOUSA2RSE (D)\layout.bin 4/30/1999 3:12 AM 629 bytes Hidden from Windows API. C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 3/10/2006 11:45 PM 796 bytes Hidden from Windows API. C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 3/10/2006 11:45 PM 65 bytes Hidden from Windows API. C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 3/10/2006 11:45 PM 176 bytes Hidden from Windows API. C:\New Folder\layout.bin 4/30/1999 3:12 AM 629 bytes Hidden from Windows API. C:\Program Files\COMPAQ\Easy Access Button Support\STARTEAK.exe 10/10/2001 4:14 PM 28.00 KB Hidden from Windows API. C:\Program Files\New Folder\AUDIO\AUDIO\VAZ\DATA.TAG 5/22/1998 1:30 AM 105 bytes Hidden from Windows API. C:\Program Files\New Folder\AUDIO\AUDIO\VAZ\LAYOUT.BIN 5/22/1998 1:30 AM 353 bytes Hidden from Windows API. C:\Program Files\New Folder\AUDIO\New Folder\TOPOUSA2RNE (D)\layout.bin 4/30/1999 3:12 AM 629 bytes Hidden from Windows API. C:\Program Files\New Folder\AUDIO\VAZ\DATA.TAG 5/22/1998 1:30 AM 105 bytes Hidden from Windows API. C:\Program Files\New Folder\AUDIO\VAZ\LAYOUT.BIN 5/22/1998 1:30 AM 353 bytes Hidden from Windows API. C:\Program Files\New Folder\GRAPHICS\PAINTE~9.5\LAYOUT.BIN 9/20/1998 7:12 AM 353 bytes Hidden from Windows API. C:\WINDOWS\SYSTEM32\SynTPFcs.dll 7/27/2001 11:18 AM 64.00 KB Hidden from Windows API. C:\WINDOWS\SYSTEM32\WBEM\wmiutils.dll 8/4/2004 12:56 AM 93.00 KB Hidden from Windows API.

#14 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 12 March 2006 - 08:46 AM

Click \start\run\then type in or paste in

sfc /scannow


You must be logged on as a member of the Administrators group to run sfc.

If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.

Try this link if you have any trouble.

http://www.updatexp....cannow-sfc.html
Posted Image
My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#15 nonlinear

nonlinear

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 17 March 2006 - 01:01 AM

sorry there had to be such a long lapse, breaking the continuity of this repair process which i so appreciate your going through with me. When running scannow, Windows file protection demanded i insert the XP cd, which i don't have, just the 3 Compaq QuickRestore disks. So i tried suggestions at updatexp.com . Explored the Restore cds but none of the folder or file names meant anything to me, no folder named 1386. There is a folder in my computer called C:\1386. In regedit i went to HKEY_LOCAL.MACHINR\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup and the source path was C:. Changed it to C:\ per the advice at update.com. No difference when i ran scannow again. Wondered about some registry entries: .dl_ folder and PersistantHandler subfolder in both .dl_ and .dll folders. ***Since last week, when i press F8 for advanced starting options it just pauses startup. No advanced start options and that is the only way i know how to get into Safe Mode. I had left a Compaq QuickRestore cd in the drive and when i resumed windows from hibernation there was a stark screen with message that i would lose all data on my computer if i continued and to immediately eject the cd to prevent this. So i am a little scared of those cds now and i don't know how to reclaim necessary files from them. Of course it didn't work to insert one when asked for the XP Home Editon CD-Rom. Anyway, i think i exhausted the suggestions at the web link and i don't know how to utilize the rstore CDs i have so that scannow can do its thing. What do you suggest?

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·