Topic: For Lisa Only 11/16/05

Author: mgross333
For Lisa Only 11/16/05
« on: November 16, 2005, 02:13:24 AM »
Lisa,

This is the Tuesday night/Wednesday morning one we talked about. I'm stuck big time. Help!!!!!

Symptoms under Windows XP SP1 (not sure if all SP1 updates have been done) are

(1) Many things under one umbrella
- Logins to almost everything (Yahoo email, eBay) lead to this message: "If you are seeing this page, your browser settings prevent you from automatically going to a new URL. Please click here to continue" and there is a link (here) to click. Clicking it does nothing. If one backs up once or twice and tries again, you are logged in. But Yahoo email will not send email, nor can you enter text into an email, though the subject line can be entered. A Google search turned up little on this except that some others have this problem, but there were few entries. The only one who thought he knew about it said it had to do with cookies and to reset IE settings to default; I did, and the problem did not go away.

- Going to vw.com leads to a message about how your browser won't allow cookies, or something like that. So I go to Internet Options/Privacy/ and lower the setting to minimum (allow all cookies), and the result is the same.

- Going to various web sites leads to problems backing up, entering text, and so on; it varies.

- The Yahoo logo at the top center of the Yahoo page does not show up.

(2) A significant number of popups and a two-level search toolbar at the bottom of the screen were all completely eliminated by Webroot.

Zone Alarm Firewall is running with Internet Zone set to Medium Security (from High, I changed it) and Trusted Zone to Low Security. The LAN connection is in the Internet Zone.

McAfee is running but BAD BAD BAD, it has never been updated. To enable updates you must register and click a link in an email you receive. I never got the email, and McAfee says you must then call them on the phone to fix this problem and there is no other way. Also, any McAfee scan would be useless due to no updates.

Webroot is now running Real time; a lot of good it will do now that the horse is out of the barn and the milk is spilt.

HJT, Webroot and Ewido logs are below. In Ewido (run in normal mode and updated first) I approved all Removes, against Kevin's usual advice, but no damage appears to be done; it still reboots and acts the same.

Regards and Help!,
   Mike ???

-------------------------------------------------------------------------------
HJT log done after the Ewido run and after I rebooted to normal mode. Lots of suspicious entries.

-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:24:42 AM, on 11/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\iudf.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Daddio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [hazodwuwu] C:\WINDOWS\System32\caeadjfs.exe
O4 - HKLM\..\Run: [RyN] C:\WINDOWS\iudf.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol hijack: mhtml - 
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-------------------------------------------------------------------------------------------------------

Webroot Log

------------------------------------------------------------------------------------------------------------------
********
10:04 PM: |       Start of Session, Tuesday, November 15, 2005       |
10:04 PM: Spy Sweeper started
10:04 PM: Sweep initiated using definitions version 573
10:04 PM: Starting Memory Sweep
10:08 PM: Memory Sweep Complete, Elapsed Time: 00:03:25
10:08 PM: Starting Registry Sweep
10:08 PM:   Found Adware: websearch toolbar
10:08 PM:   HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\  (8 subtraces) (ID = 146518)
10:08 PM:   Found Adware: whistle
10:08 PM:   HKCR\whistlehlprobj.whistlehlprobj\  (3 subtraces) (ID = 776191)
10:08 PM:   HKCR\whistlehlprobj.whistlehlprobj.1\  (3 subtraces) (ID = 776195)
10:08 PM:   HKCR\typelib\{b8848f69-e8e2-4952-90f2-bc4ef0c22243}\  (9 subtraces) (ID = 776209)
10:08 PM:   HKLM\software\classes\whistlehlprobj.whistlehlprobj\  (3 subtraces) (ID = 776219)
10:08 PM:   HKLM\software\classes\whistlehlprobj.whistlehlprobj.1\  (3 subtraces) (ID = 776223)
10:08 PM:   HKLM\software\classes\typelib\{b8848f69-e8e2-4952-90f2-bc4ef0c22243}\  (9 subtraces) (ID = 776237)
10:08 PM:   Found Adware: coolwebsearch (cws)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1010\software\winshow\  (12 subtraces) (ID = 112497)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1009\software\winshow\  (9 subtraces) (ID = 112497)
10:08 PM:   Found Adware: ist software
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1009\software\ist\  (3 subtraces) (ID = 129108)
10:08 PM:   Found Adware: lopdotcom
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
10:08 PM:   Found Adware: search200.com hijacker
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || search200.com (ID = 134078)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || www.search200.com (ID = 134079)
10:08 PM: Registry Sweep Complete, Elapsed Time:00:00:20
10:08 PM: Starting Cookie Sweep
10:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:20
10:08 PM: Starting File Sweep
10:09 PM:   c:\documents and settings\elaine blais\application data\winshow (ID = -2147481200)
10:09 PM:   c:\documents and settings\teresa ann\application data\winshow (3 subtraces) (ID = -2147481200)
10:09 PM:   gramup.exe (ID = 91)
10:10 PM:   data bias road help.exe (ID = 121)
10:10 PM:   data bias road help.exe (ID = 121)
10:12 PM:   Found Adware: ist yoursitebar
10:12 PM:   ysbactivex.dll (ID = 137714)
10:19 PM:   sklbmdec.exe (ID = 121)
10:21 PM:   gramup.exe (ID = 91)
10:21 PM:   gramup.exe (ID = 91)
10:21 PM:   debughtmname.exe (ID = 90)
10:21 PM:   debughtmname.exe (ID = 90)
10:21 PM:   debughtmname.exe (ID = 90)
10:22 PM:   meet thunk.exe (ID = 162)
10:22 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\Software\Microsoft\Windows\CurrentVersion\Run || greycdrom (ID = 0)
10:22 PM:   peaklocks.exe (ID = 122)
10:22 PM:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Ball Mode Joy Ford (ID = 0)
10:22 PM:   meet thunk.exe (ID = 162)
10:22 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1009\Software\Microsoft\Windows\CurrentVersion\Run || greycdrom (ID = 0)
10:22 PM:   stopintra.exe (ID = 122)
10:22 PM:   data bias road help.exe (ID = 121)
10:22 PM:   upload creative.exe (ID = 122)
10:22 PM:   bias grim.exe (ID = 122)
10:22 PM:   meet thunk.exe (ID = 162)
10:22 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1008\Software\Microsoft\Windows\CurrentVersion\Run || greycdrom (ID = 0)
10:22 PM:   wofrwbwt.exe (ID = 121)
10:22 PM:   base bags.exe (ID = 122)
10:22 PM:   winshow.dll (ID = 54622)
10:22 PM:   safe 64.exe (ID = 122)
10:23 PM:   dqqklmpz.exe (ID = 122)
10:23 PM:   ownsspam.exe (ID = 122)
10:23 PM:   hifgrewp.exe (ID = 122)
10:23 PM:   Found Adware: nvdialer
10:23 PM:   games.exe (ID = 137596)
10:23 PM:   emajcare.exe (ID = 122)
10:23 PM:   syuvidyi.exe (ID = 122)
10:23 PM:   wfqslhgn.exe (ID = 122)
10:23 PM:   uujlwobn.exe (ID = 122)
10:23 PM:   apyhkcfj.exe (ID = 122)
10:25 PM: File Sweep Complete, Elapsed Time: 00:16:35
10:25 PM: Full Sweep has completed.  Elapsed time 00:20:52
10:25 PM: Traces Found: 302
10:30 PM: Removal process initiated
10:30 PM:   Quarantining All Traces: lopdotcom
10:30 PM:   lopdotcom is in use.  It will be removed on reboot.
10:30 PM:     gramup.exe is in use.  It will be removed on reboot.
10:30 PM:   Quarantining All Traces: websearch toolbar
10:30 PM:   Quarantining All Traces: coolwebsearch (cws)
10:30 PM:   Quarantining All Traces: ist software
10:30 PM:   Quarantining All Traces: ist yoursitebar
10:30 PM:   Quarantining All Traces: nvdialer
10:30 PM:   Quarantining All Traces: search200.com hijacker
10:30 PM:   Quarantining All Traces: whistle
10:31 PM:   Preparing to restart your computer. Please wait...
10:31 PM: Removal process completed.  Elapsed time 00:01:25
********
10:02 PM: |       Start of Session, Tuesday, November 15, 2005       |
10:02 PM: Spy Sweeper started
10:03 PM: Messenger service has been disabled.
10:03 PM: Your spyware definitions have been updated.
10:04 PM: |       End of Session, Tuesday, November 15, 2005       |



------------------------------------------------------------------------------------------------------------


Ewido Log


---------------------------------------------------------------------------------------------------------

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:17:20 AM, 11/16/2005
 + Report-Checksum:      3C06E7A3

 + Scan result:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/IN.dll\\.Owner -> Spyware.VX2 : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/IN.dll\\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/DS4.dll\\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
   HKU\S-1-5-21-3780936896-177371632-2971193410-1011\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@ehg-console.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@ehg-hitent.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@ehg-jag.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@ehg-salesforce.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Celia Wilson\Cookies\celia wilson@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Daddio\Cookies\daddio@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Daddio\Cookies\daddio@ehg-foxsports.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Daddio\Cookies\daddio@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@ehg-classifiedventures.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@ehg-hollywood.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Elaine Blais\Cookies\elaine blais@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Documents and Settings\Jack Blais\Cookies\jack blais@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Jack Blais\Cookies\jack blais@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Jack Blais\Cookies\jack blais@ehg-hitent.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Jack Blais\Cookies\jack blais@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Jack Blais\Cookies\jack blais@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Mark Blais\Cookies\mark blais@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Mark Blais\Cookies\mark blais@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Teresa Ann\Application Data\winlink\winlink.dll -> TrojanDownloader.WinShow.l : Cleaned with backup
   C:\Documents and Settings\Teresa Ann\Cookies\teresa ann@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Teresa Ann\Cookies\teresa ann@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Teresa Ann\Cookies\teresa ann@ehg-comcast.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Teresa Ann\Cookies\teresa ann@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Teresa Ann\Cookies\teresa ann@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\ie46bin.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\Q121103.exe -> TrojanDownloader.WinShow.g : Cleaned with backup
   C:\Q230903.exe -> TrojanDownloader.WinShow.c : Cleaned with backup
   C:\WINDOWS\bookmarks.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\IN.dll -> TrojanDownloader.Lookme.a : Cleaned with backup
   C:\WINDOWS\rxox.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\SYSTEM32\0541.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\32TIMEW.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\7k15.exe -> Spyware.Lop : Cleaned with backup
   C:\WINDOWS\SYSTEM32\bd101bk.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\bdjpnk.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\biQ.exe -> TrojanDropper.Agent.og : Cleaned with backup
   C:\WINDOWS\SYSTEM32\CD32M.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\in10b6s.dll -> Adware.eZula : Cleaned with backup
   C:\WINDOWS\SYSTEM32\lspackc.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\MDMPSW.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\msbb.exe_ -> Spyware.180Solutions : Cleaned with backup
   C:\WINDOWS\SYSTEM32\msbb321.dll -> Spyware.180Solutions : Cleaned with backup
   C:\WINDOWS\SYSTEM32\msg118.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\SYSTEM32\msguard.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\SYSTEM32\NSIA.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\NTCACHEF.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\PKL.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\SBUIU.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\ti2dvaga.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\TILMANU.exe -> Trojan.Revop.A : Cleaned with backup
   C:\WINDOWS\SYSTEM32\unimt.exe -> Spyware.PurityScan : Cleaned with backup
   C:\WINDOWS\SYSTEM32\VCHOSTS.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\VDUPGRDD.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\XPANDE.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\_1256C.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\SYSTEM32\_28592C.exe -> Trojan.Revop.d : Cleaned with backup
   C:\WINDOWS\updatetc.exe -> Spyware.Easy : Cleaned with backup


::Report End






Offline mgross333

  • KRC Supporter
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #1 on: November 16, 2005, 02:40:23 AM »
Lisa,

I also ran Cleanup/Options set to Basic before any scans were done. Also I turned off System Restore and then created one restore point.

Mike

Offline POADB

  • KRC Lurker
  • Posts: 437
  • Ready To Do Battle
Re: For Lisa Only 11/16/05
« Reply #2 on: November 16, 2005, 04:16:29 AM »
Hi Mike, just to help Lisa out a little, she may have addressed this via PM - but I like to see every log answered on here :D




Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.  If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido.  If you didn't, do them now.  For more information, go to http://www.greyknight17.com/spyware.htm

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As.  Save it to your desktop.  Right click on that file and choose Install.  It will run immediately (you won't be able to see anything happen).  You may delete it afterwards.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).  In some systems, this may be the F5 key, so try that if F8 doesn't work.  Make sure to close any open browsers. 

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

HotBot Desktop
Viewpoint


Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [hazodwuwu] C:\WINDOWS\System32\caeadjfs.exe
O4 - HKLM\..\Run: [RyN] C:\WINDOWS\iudf.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol hijack: mhtml - 



Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Lycos\HotBot Desktop\
C:\WINDOWS\System32\pc32.exe
C:\WINDOWS\System32\caeadjfs.exe
C:\WINDOWS\iudf.exe
C:\Program Files\Viewpoint\


Restart and run a new HijackThis scan.  Save the log file and post it here.
We will also require results from a virus scan, you know the routine :D


:: Ad-aware SE :: ~ ::  Spybot S&D ::

Please help support KRC so that KRC can continue to support you. DONATE



Offline Lisa

  • Global Moderator
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #3 on: November 16, 2005, 08:29:50 AM »
Mike,

In addition to the above instructions, please do the following:

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As.  Save it to your desktop.  Right click on that file and choose Install.  It will run immediately (you won't be able to see anything happen).  You may delete it afterwards.

While in Safe Mode:

Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


Also, in the Add/Remove programs, if you do not see HotBot Desktop, look for Lycos
and uninstall it.

Continue with the rest of the instructions.

After rebooting, in the interest of saving time, just run SpySweeper again and post those results along with a new HJT log.  If you have proper internet access, and have the time, run an online scan at Panda:

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm   *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.
  • Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  • Click On 'Scan Now'
  • Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  • Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  • If it finds any malware, it will offer you a report. Click on see report
  • Then click Save report
  • Post the contents of the report in your next reply
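The fix lists in the two replies above (POADB's R1/O3/O4/O16/O18 entries and Lisa's O15 Trusted Zone, Trusted IP range and ProtocolDefaults entries) are all things HijackThis reads out of the registry. The script below is an added example and is not part of HijackThis, Spy Sweeper, Ewido or the KRC helpers' procedure: it triages HJT-style log lines by structural rules (any O15 mapping, an O16 DPF with no download URL, an O18 protocol hijack) and, separately, reads a `reg export` of the IE ZoneMap keys to show the registry facts behind the O15 lines. The sample inputs are constructed from entries posted in this thread; the O4 rule (an autorun binary sitting directly in the Windows directory whose Run value name shares no prefix with the file name) is an assumed heuristic for manual follow-up, not a verdict. It runs on any platform and never touches a live registry.

```python
"""Triage of HijackThis-style log lines and of exported IE ZoneMap keys.

Added example for this thread; not part of HijackThis, Spy Sweeper, Ewido or
the KRC helpers' tooling.  Sample inputs are constructed from the fix lists in
the thread.  The O4 naming heuristic is an assumption, not a rule any of those
tools apply.
"""
import re

# Zone IDs used by Internet Explorer's ZoneMap registry values.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample: flagged lines from the thread plus two benign ones.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [hazodwuwu] C:\WINDOWS\System32\caeadjfs.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol hijack: mhtml -
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSDIR_RE = re.compile(r"\\windows\\(system32\\)?[^\\]+\.exe", re.I)
STEM_RE = re.compile(r'([^\\"]+)\.exe', re.I)


def _alnum(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _o4_suspicious(body):
    """Assumed heuristic: autorun binary directly in %SystemRoot% or System32
    whose Run value name shares no 4-character prefix with the file name."""
    m = O4_RE.match(body)
    if not m or not SYSDIR_RE.search(m["cmd"]):
        return False
    stem = STEM_RE.search(m["cmd"])
    name, stem = _alnum(m["name"]), _alnum(stem.group(1) if stem else "")
    return not (stem.startswith(name[:4]) or name.startswith(stem[:4]))


def triage_hjt(text):
    """Return (section, reason, line) for lines worth a second look.  Every
    rule except the O4 heuristic only reads what HJT itself printed."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec == "O15":
            found.append((sec, "zone mapping lowers IE security for host/protocol", line))
        elif sec == "O16" and body.rstrip().endswith("-"):
            found.append((sec, "DPF entry with no download URL", line))
        elif sec == "O18" and "hijack" in body.lower():
            found.append((sec, "protocol handler replaced", line))
        elif sec == "O4" and _o4_suspicious(body):
            found.append((sec, "autorun in Windows dir, unrelated value name", line))
    return found


# Constructed 'reg export' of the HKLM ZoneMap keys behind the O15 lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crazywinnings.com\frame]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="206.161.125.149"
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"https"=dword:00000003
"""


def parse_reg_export(text):
    """Minimal reader for .reg export text: {key path: {value name: value}}.
    dword values become ints, strings lose their quotes."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line.startswith('"') and '"=' in line:
            name, _, val = line[1:].partition('"=')
            keys[cur][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return keys


def zonemap_findings(reg_text):
    """(kind, subject, scheme, zone name) for ZoneMap entries that put a host
    or protocol in a zone more trusted than Internet (zone 3).  Zone 4 is the
    Restricted zone that anti-spyware immunization fills on purpose; skipped."""
    out = []
    for key, vals in parse_reg_export(reg_text).items():
        if "\\ZoneMap\\" not in key:
            continue
        parts = key.split("\\ZoneMap\\", 1)[1].split("\\")
        if parts[0] == "Domains":
            host = ".".join(reversed(parts[1:]))   # Domains\example.com\sub -> sub.example.com
            out += [("domain", host, s, ZONES.get(z, str(z)))
                    for s, z in vals.items() if isinstance(z, int) and z < 3]
        elif parts[0] == "Ranges":
            host = vals.get(":Range", parts[-1])
            out += [("range", host, s, ZONES.get(z, str(z)))
                    for s, z in vals.items() if isinstance(z, int) and z < 3]
        elif parts[0] == "ProtocolDefaults":
            out += [("protocol", s, s, ZONES.get(z, str(z)))
                    for s, z in vals.items() if s in ("http", "https", "ftp") and z != 3]
    return out


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print("%-4s %-48s %s" % f)
    for f in zonemap_findings(SAMPLE_REG):
        print("%-8s %s (%s) -> %s" % f)
```

A domain or address range mapped to zones 0 to 2 gets weaker security settings than the Internet zone, which is why the helpers ask for every O15 entry to be fixed and why 'http' in ProtocolDefaults has to be 3. Running the script prints seven HJT findings (the two renamed System32 autoruns, the three O15 lines, the empty DPF and the mhtml hijack) and three ZoneMap findings; the ATI autorun and the Shutterfly DPF pass.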




Offline mgross333

  • KRC Supporter
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #4 on: November 16, 2005, 08:30:36 AM »
POADB,

Thanks for the Post. I can not follow any posted directions till late tonight or Thursday due to three different on-site jobs I am working on today and must leave for soon. However, in order of importance

(1) What SPECIFICALLY in your post will remove or will probably remove all the problems (or most of the problems) in Item (1) in my post (i.e. the log-in and cookie thing). Lisa virtually always starts with the Symptoms and says something like "I know what that is, run this to remove that" It is well and good to look for Spyware in the HJT and other logs and design fixes based on that but, more important, the symptoms need to be addressed FIRST. This guy is not paying me to remove 21 kinds of Spyware; he is paying me to remove SPECIFIC symptoms and EVERYTHING in Item (1) he specifically told me he EXPECTS to be gone. And furthermore I verified that everything in Item (1) exists on this PC.

(2) The PC owner is the Corporate Counsel (Chief Lawyer) for Lycos Corporation a world-famous Portal for many years. To my knowledge Hotbot is a standard Lycos toolbar and should be every bit as reliable as the Google toolbar. Hey, come on now, Lycos is not a Spyware company!!  In any case due to the PC owner's job, I will not delete anything from Lycos Corp. product UNLESS you reply that Hotbot is a flagrant Spyware known by Security Analysts the world round (and if it were, how come Webroot and Ewido did not find it and remove it?)

(3) I have already run Webroot, a product that got an over-90% Spyware removal rating from the latest PC World's lab test, and Ewido, winner of a "New Security product of the year" award and recommended as a standard thing to do BEFORE my FIRST post by Kevin and Lisa.  Ad-aware and Spybot got ratings in the 50 % removal range !! I will not run either UNLESS you specifically want me to run the Ad-aware VX2 plugin and in no other case. (Note: If you check the log, you will find that Ewido cleaned VX2 ). And you have not asked me to run Ad-aware VX2 plugin.

(4) Regarding Viewpoint, if either AIM or AOL is installed on the laptop, I will ask the owner if they are used, especially AIM; there are 5 log-in accounts on this laptop, mostly kids. Many kids use AIM in my experience.  If AIM is used, I will NOT remove Viewpoint; it is a minor Spyware threat and is used by AIM/AOL. Unless you reply with your concerns about this decision.

(5) I will do EVERYTHING else in your instructions and post all requested logs.

(6) For the Virus Scan you request, I will run PandaScan and post log. PLEASE REPLY as to what point in the sequence of events you want me to run PandaScan?
Or, POADB, do you have a Virus Scan you prefer to PandaScan (such as AVG)? If so please list it with a link. McAfee is out of the question due to the update problem and Kevin feels others are better anyway.

Regards,
   Mike




Offline mgross333

  • KRC Supporter
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #5 on: November 16, 2005, 08:41:57 AM »
Lisa,

Thank you for your additions to POADB's instructions. Note, however, that POADB had also requested I run the DelO15Domains thing.

Also before replying AGAIN, please read my reply to POADB entered while you were posting.

(1) And MOST important, please identify EXACTLY what in your and POADB's instructions will address the symptoms in Item (1) in my Post, noting my comments in my reply to POADB this morning.

(2) I will NOT remove Hotbot; the reasons are in my reply to POADB, unless you have a VERY good reason that I can FIRST tell the customer. Like HotBot is KNOWN to cause the EXACT symptoms you are suffering from (i.e. those in Item (1) in my original post that started this thread). Or, President Bush has just identified HotBot as a major Terrorism threat to America; as a patriotic American, I am sure that you would not want to.....

(3) Please confirm that PandaScan, recommended in your post, is a good virus scanner that can cover POADB's request to run a virus scanner. Or is a virus scanner really relevant here? Please note that McAfee is not updated and hence any scans done with it do NOT count.

Regards,
   Mike  ;D

Offline Lisa

  • Global Moderator
  • *
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #6 on: November 16, 2005, 08:56:36 AM »
Mike, it's not always as simple as "this entry did this, or that entry did that".  The O15 entries have contributed to the browsing problems.  There is a Mastak virus present, amongst other unidentified .exe's--which I believe will be eradicated by our 'fix' but is the reason for the online scan at Panda.  We want an 'outside source' looking in, to verify that. (Panda scan)

I can see the conflict of interest here with Lycos, and you will find conflicting info on ArgoToolbar1063.dll and Lycos. I have found 3 sources that list this particular CLSID from Lycos as safe:
 

http://www.fileresearchcenter.com/A/ARGOTOOLBAR1063.DLL-1558.html
http://www.spywaredata.com/spyware/malware/argotoolbar1063.dll.php
http://72.14.203.104/search?q=cache:tpNJ7ZOguQIJ:www.popupsentry.com/applications.html+ArgoToolbar1063.dll&hl=en

Do what you feel is best Mike. :)


Offline POADB

  • KRC Lurker
  • Posts: 437
  • Ready To Do Battle
Re: For Lisa Only 11/16/05
« Reply #7 on: November 16, 2005, 09:14:55 AM »
Lisa/Mike,

I found a list of CLSIDs by Merijn, the author of HJT, that placed an X next to the BHO.

http://www.castlecops.com/clsid.php?type=10

You'll need to search for it as it's like a text document. You'll find the file name and CLSID with an X next to it. I'm sure Merijn of all people would have a legitimate reason.

Mike, it's best to keep it for his job purpose. If he's the lawyer, it's best to give Lycos a good name... Ignore the removal.





Offline Lisa

  • Global Moderator
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #8 on: November 16, 2005, 09:17:26 AM »
Yes, I'm aware of that POADB which is why I pointed out the 3 links that are calling this particular one 'safe' ;)

Offline POADB

  • KRC Lurker
  • Posts: 437
  • Ready To Do Battle
Re: For Lisa Only 11/16/05
« Reply #9 on: November 16, 2005, 09:21:07 AM »
I found those also this morning.. But I didn't really want to argue with Merijn.. just in case he stopped producing HJT :(


lol.





Offline mgross333

  • KRC Supporter
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #10 on: November 17, 2005, 09:32:03 PM »
POADB and Lisa,

As Dickens said, "It was the best of times, it was the worst of times..."

First the best of times.

All 5 spyware symptoms are gone.
(1) Webroot killed that 2-level Spyware Searchbar at the bottom of the screen and most of the pop-ups.

(2) Your HJT fixes and Del*** something script fixed the Yahoo and ebay login problem.

(3) A change in the Zone Alarm firewall privacy settings (reduced Cookie Control to lowest setting) fixed the www.vw.com cookie error. MS Internet Options/Privacy setting is left at medium.

(4) The back button now works in cbssportsline.com when clicked once; previously it led to a popup, the 2nd click then worked. And there were a lot of pop-ups at this site from Specific Media, Inc. all advertising the Vacation Outlet, both small popups and an IE browser popup.

But the 2nd run of Webroot suggested by Lisa fixed this problem too. I do not understand why. All that it did (log below) is delete 5 cookies. But one cookie was from specificclick.com. However this is not the home page for Specific Media, in fact it does not exist. Plus the cookie would have to be for cbssportsline.com anyway.

(5) iTunes now installs and runs. Customer claims it did not before I started work here.

It was the worst of times.

(1) Well, MS beta Real time agents keep popping up about bad things about to happen and I have to block them. Much too much! Changes of home page to s.htm. Changes involving long strings of random alphabetic characters.

(2) Also 2 of the O15 HJT entries get fixed and are back as soon as you reboot. One of the two Yahoo entries also gets fixed and comes back. BTW, the Yahoo R1 entries did not show up in HJT in Safe Mode but do in normal mode. I fixed both, one is gone; the other keeps coming back. But this could all be OK as all the symptoms and specifically the Yahoo email symptoms are gone.

(3) I cannot get the beloved PandaScan to run so, if time allows, I will run NAV full system scan after buying it. McAfee, which will not update despite many efforts, will be removed; it is a trial version anyway.

PandaScan goes thru all startup steps including ActiveX install but it just never starts ! But since all symptoms are gone, this may not be that important.

PLEASE REVIEW LOGS AND (1) ABOVE AND TELL ME WHAT TO DO. I feel this laptop is under attack.

Regards-Mike
---------------------------------------------------------------------

Final HJT log

-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:01:06 PM, on 11/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Daddio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------------------------------------------------------------

Last Webroot Spysweeper log (includes log from previous run too)


-------------------------------------------------------------------

********
12:51 PM: |       Start of Session, Thursday, November 17, 2005       |
12:51 PM: Spy Sweeper started
12:51 PM: Sweep initiated using definitions version 573
12:51 PM: Starting Memory Sweep
12:54 PM: Memory Sweep Complete, Elapsed Time: 00:02:38
12:54 PM: Starting Registry Sweep
12:54 PM: Registry Sweep Complete, Elapsed Time:00:00:17
12:54 PM: Starting Cookie Sweep
12:54 PM:   Found Spy Cookie: specificclick.com cookie
12:54 PM:   daddio@adopt.specificclick[1].txt (ID = 3400)
12:54 PM:   Found Spy Cookie: centrport net cookie
12:54 PM:   daddio@centrport[2].txt (ID = 2374)
12:54 PM:   Found Spy Cookie: nextag cookie
12:54 PM:   daddio@nextag[2].txt (ID = 5014)
12:54 PM:   Found Spy Cookie: questionmarket cookie
12:54 PM:   daddio@questionmarket[2].txt (ID = 3217)
12:54 PM:   Found Spy Cookie: realmedia cookie
12:54 PM:   daddio@realmedia[1].txt (ID = 3235)
12:55 PM: Cookie Sweep Complete, Elapsed Time: 00:00:13
12:55 PM: Starting File Sweep
1:09 PM: File Sweep Complete, Elapsed Time: 00:14:22
1:09 PM: Full Sweep has completed.  Elapsed time 00:17:41
1:09 PM: Traces Found: 5
1:24 PM: Removal process initiated
1:24 PM:   Quarantining All Traces: centrport net cookie
1:24 PM:   Quarantining All Traces: nextag cookie
1:24 PM:   Quarantining All Traces: questionmarket cookie
1:24 PM:   Quarantining All Traces: realmedia cookie
1:24 PM:   Quarantining All Traces: specificclick.com cookie
1:24 PM: Removal process completed.  Elapsed time 00:00:00
********
10:04 PM: |       Start of Session, Tuesday, November 15, 2005       |
10:04 PM: Spy Sweeper started
10:04 PM: Sweep initiated using definitions version 573
10:04 PM: Starting Memory Sweep
10:08 PM: Memory Sweep Complete, Elapsed Time: 00:03:25
10:08 PM: Starting Registry Sweep
10:08 PM:   Found Adware: websearch toolbar
10:08 PM:   HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\  (8 subtraces) (ID = 146518)
10:08 PM:   Found Adware: whistle
10:08 PM:   HKCR\whistlehlprobj.whistlehlprobj\  (3 subtraces) (ID = 776191)
10:08 PM:   HKCR\whistlehlprobj.whistlehlprobj.1\  (3 subtraces) (ID = 776195)
10:08 PM:   HKCR\typelib\{b8848f69-e8e2-4952-90f2-bc4ef0c22243}\  (9 subtraces) (ID = 776209)
10:08 PM:   HKLM\software\classes\whistlehlprobj.whistlehlprobj\  (3 subtraces) (ID = 776219)
10:08 PM:   HKLM\software\classes\whistlehlprobj.whistlehlprobj.1\  (3 subtraces) (ID = 776223)
10:08 PM:   HKLM\software\classes\typelib\{b8848f69-e8e2-4952-90f2-bc4ef0c22243}\  (9 subtraces) (ID = 776237)
10:08 PM:   Found Adware: coolwebsearch (cws)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1010\software\winshow\  (12 subtraces) (ID = 112497)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1009\software\winshow\  (9 subtraces) (ID = 112497)
10:08 PM:   Found Adware: ist software
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1009\software\ist\  (3 subtraces) (ID = 129108)
10:08 PM:   Found Adware: lopdotcom
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
10:08 PM:   Found Adware: search200.com hijacker
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || search200.com (ID = 134078)
10:08 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\software\microsoft\internet explorer\new windows\allow\ || www.search200.com (ID = 134079)
10:08 PM: Registry Sweep Complete, Elapsed Time:00:00:20
10:08 PM: Starting Cookie Sweep
10:08 PM:   Found Spy Cookie: centrport net cookie
10:08 PM:   administrator@centrport[1].txt (ID = 2374)
10:08 PM:   Found Spy Cookie: questionmarket cookie
10:08 PM:   administrator@questionmarket[1].txt (ID = 3217)
10:08 PM:   Found Spy Cookie: specificclick.com cookie
10:08 PM:   daddio@adopt.specificclick[2].txt (ID = 3400)
10:08 PM:   Found Spy Cookie: cc214142 cookie
10:08 PM:   daddio@ads.cc214142[2].txt (ID = 2367)
10:08 PM:   daddio@centrport[1].txt (ID = 2374)
10:08 PM:   Found Spy Cookie: ru4 cookie
10:08 PM:   daddio@edge.ru4[1].txt (ID = 3269)
10:08 PM:   daddio@questionmarket[1].txt (ID = 3217)
10:08 PM:   Found Spy Cookie: realmedia cookie
10:08 PM:   daddio@realmedia[1].txt (ID = 3235)
10:08 PM:   Found Spy Cookie: adserver cookie
10:08 PM:   daddio@z1.adserver[1].txt (ID = 2142)
10:08 PM:   Found Spy Cookie: zedo cookie
10:08 PM:   daddio@zedo[1].txt (ID = 3762)
10:08 PM:   Found Spy Cookie: 7search cookie
10:08 PM:   teresa ann@7search[2].txt (ID = 2011)
10:08 PM:   Found Spy Cookie: about cookie
10:08 PM:   teresa ann@about[1].txt (ID = 2037)
10:08 PM:   teresa ann@adopt.specificclick[2].txt (ID = 3400)
10:08 PM:   teresa ann@ads.cc214142[1].txt (ID = 2367)
10:08 PM:   Found Spy Cookie: pointroll cookie
10:08 PM:   teresa ann@ads.pointroll[2].txt (ID = 3148)
10:08 PM:   Found Spy Cookie: advertising cookie
10:08 PM:   teresa ann@advertising[2].txt (ID = 2175)
10:08 PM:   Found Spy Cookie: falkag cookie
10:08 PM:   teresa ann@as-us.falkag[2].txt (ID = 2650)
10:08 PM:   Found Spy Cookie: atlas dmt cookie
10:08 PM:   teresa ann@atdmt[2].txt (ID = 2253)
10:08 PM:   Found Spy Cookie: belnk cookie
10:08 PM:   teresa ann@belnk[2].txt (ID = 2292)
10:08 PM:   Found Spy Cookie: goclick cookie
10:08 PM:   teresa ann@c.goclick[2].txt (ID = 2733)
10:08 PM:   Found Spy Cookie: casalemedia cookie
10:08 PM:   teresa ann@casalemedia[1].txt (ID = 2354)
10:08 PM:   teresa ann@dist.belnk[2].txt (ID = 2293)
10:08 PM:   teresa ann@edge.ru4[1].txt (ID = 3269)
10:08 PM:   Found Spy Cookie: fastclick cookie
10:08 PM:   teresa ann@fastclick[2].txt (ID = 2651)
10:08 PM:   Found Spy Cookie: go.com cookie
10:08 PM:   teresa ann@go[2].txt (ID = 2728)
10:08 PM:   Found Spy Cookie: lopdotcom cookie
10:08 PM:   teresa ann@images.lop[1].txt (ID = 2937)
10:08 PM:   Found Spy Cookie: infospace cookie
10:08 PM:   teresa ann@infospace[2].txt (ID = 2865)
10:08 PM:   teresa ann@lop[1].txt (ID = 2936)
10:08 PM:   Found Spy Cookie: metareward.com cookie
10:08 PM:   teresa ann@metareward[1].txt (ID = 2990)
10:08 PM:   Found Spy Cookie: pokerroom cookie
10:08 PM:   teresa ann@pokerroom[1].txt (ID = 3149)
10:08 PM:   Found Spy Cookie: pro-market cookie
10:08 PM:   teresa ann@pro-market[2].txt (ID = 3197)
10:08 PM:   teresa ann@questionmarket[2].txt (ID = 3217)
10:08 PM:   Found Spy Cookie: revenue.net cookie
10:08 PM:   teresa ann@revenue[2].txt (ID = 3257)
10:08 PM:   Found Spy Cookie: servedby advertising cookie
10:08 PM:   teresa ann@servedby.advertising[1].txt (ID = 3335)
10:08 PM:   Found Spy Cookie: server.iad.liveperson cookie
10:08 PM:   teresa ann@server.iad.liveperson[2].txt (ID = 3341)
10:08 PM:   Found Spy Cookie: webtrendslive cookie
10:08 PM:   teresa ann@statse.webtrendslive[2].txt (ID = 3667)
10:08 PM:   Found Spy Cookie: tracking cookie
10:08 PM:   teresa ann@tracking[2].txt (ID = 3571)
10:08 PM:   Found Spy Cookie: tribalfusion cookie
10:08 PM:   teresa ann@tribalfusion[1].txt (ID = 3589)
10:08 PM:   teresa ann@z1.adserver[1].txt (ID = 2142)
10:08 PM:   teresa ann@zedo[1].txt (ID = 3762)
10:08 PM:   Found Spy Cookie: 247realmedia cookie
10:08 PM:   celia wilson@247realmedia[1].txt (ID = 1953)
10:08 PM:   Found Spy Cookie: 2o7.net cookie
10:08 PM:   celia wilson@2o7[2].txt (ID = 1957)
10:08 PM:   Found Spy Cookie: 66.220.17 cookie
10:08 PM:   celia wilson@66.220.17[1].txt (ID = 1991)
10:08 PM:   Found Spy Cookie: 888 cookie
10:08 PM:   celia wilson@888[2].txt (ID = 2019)
10:08 PM:   Found Spy Cookie: adknowledge cookie
10:08 PM:   celia wilson@adknowledge[1].txt (ID = 2072)
10:08 PM:   celia wilson@adopt.specificclick[1].txt (ID = 3400)
10:08 PM:   Found Spy Cookie: adrevolver cookie
10:08 PM:   celia wilson@adrevolver[2].txt (ID = 2088)
10:08 PM:   celia wilson@adrevolver[3].txt (ID = 2088)
10:08 PM:   celia wilson@ads.cc214142[1].txt (ID = 2367)
10:08 PM:   celia wilson@ads.pointroll[1].txt (ID = 3148)
10:08 PM:   Found Spy Cookie: adultfriendfinder cookie
10:08 PM:   celia wilson@adultfriendfinder[1].txt (ID = 2165)
10:08 PM:   celia wilson@advertising[2].txt (ID = 2175)
10:08 PM:   celia wilson@as-us.falkag[2].txt (ID = 2650)
10:08 PM:   celia wilson@atdmt[2].txt (ID = 2253)
10:08 PM:   Found Spy Cookie: atwola cookie
10:08 PM:   celia wilson@atwola[1].txt (ID = 2255)
10:08 PM:   celia wilson@ayb.lop[1].txt (ID = 2934)
10:08 PM:   Found Spy Cookie: azjmp cookie
10:08 PM:   celia wilson@azjmp[1].txt (ID = 2270)
10:08 PM:   Found Spy Cookie: banner cookie
10:08 PM:   celia wilson@banner[2].txt (ID = 2276)
10:08 PM:   celia wilson@belnk[2].txt (ID = 2292)
10:08 PM:   celia wilson@bins.lop[1].txt (ID = 2937)
10:08 PM:   Found Spy Cookie: bs.serving-sys cookie
10:08 PM:   celia wilson@bs.serving-sys[2].txt (ID = 2330)
10:08 PM:   celia wilson@casalemedia[2].txt (ID = 2354)
10:08 PM:   celia wilson@centrport[2].txt (ID = 2374)
10:08 PM:   Found Spy Cookie: did-it cookie
10:08 PM:   celia wilson@did-it[2].txt (ID = 2523)
10:08 PM:   Found Spy Cookie: directtrack cookie
10:08 PM:   celia wilson@directtrack[1].txt (ID = 2527)
10:08 PM:   celia wilson@dist.belnk[2].txt (ID = 2293)
10:08 PM:   celia wilson@edge.ru4[2].txt (ID = 3269)
10:08 PM:   celia wilson@eforcemedia.directtrack[2].txt (ID = 2528)
10:08 PM:   celia wilson@fastclick[2].txt (ID = 2651)
10:08 PM:   celia wilson@go[2].txt (ID = 2728)
10:08 PM:   Found Spy Cookie: hypertracker.com cookie
10:08 PM:   celia wilson@hypertracker[1].txt (ID = 2817)
10:08 PM:   Found Spy Cookie: ic-live cookie
10:08 PM:   celia wilson@ic-live[2].txt (ID = 2821)
10:08 PM:   celia wilson@images.lop[2].txt (ID = 2937)
10:08 PM:   Found Spy Cookie: domainsponsor cookie
10:08 PM:   celia wilson@landing.domainsponsor[1].txt (ID = 2535)
10:08 PM:   celia wilson@lop[1].txt (ID = 2936)
10:08 PM:   celia wilson@metareward[1].txt (ID = 2990)
10:08 PM:   Found Spy Cookie: nextag cookie
10:08 PM:   celia wilson@nextag[2].txt (ID = 5014)
10:08 PM:   Found Spy Cookie: partypoker cookie
10:08 PM:   celia wilson@partypoker[2].txt (ID = 3111)
10:08 PM:   celia wilson@pokerroom[1].txt (ID = 3149)
10:08 PM:   celia wilson@questionmarket[1].txt (ID = 3217)
10:08 PM:   celia wilson@realmedia[2].txt (ID = 3235)
10:08 PM:   Found Spy Cookie: reunion cookie
10:08 PM:   celia wilson@reunion[1].txt (ID = 3255)
10:08 PM:   celia wilson@revenue[2].txt (ID = 3257)
10:08 PM:   Found Spy Cookie: rn11 cookie
10:08 PM:   celia wilson@rn11[2].txt (ID = 3261)
10:08 PM:   Found Spy Cookie: search200 cookie
10:08 PM:   celia wilson@search200[1].txt (ID = 3309)
10:08 PM:   celia wilson@sel.as-us.falkag[1].txt (ID = 2650)
10:08 PM:   celia wilson@servedby.advertising[2].txt (ID = 3335)
10:08 PM:   Found Spy Cookie: serving-sys cookie
10:08 PM:   celia wilson@serving-sys[1].txt (ID = 3343)
10:08 PM:   Found Spy Cookie: dealtime cookie
10:08 PM:   celia wilson@stat.dealtime[1].txt (ID = 2506)
10:08 PM:   Found Spy Cookie: trafficmp cookie
10:08 PM:   celia wilson@trafficmp[1].txt (ID = 3581)
10:08 PM:   celia wilson@tribalfusion[1].txt (ID = 3589)
10:08 PM:   celia wilson@z1.adserver[2].txt (ID = 2142)
10:08 PM:   celia wilson@zedo[1].txt (ID = 3762)
10:08 PM:   jack blais@2o7[2].txt (ID = 1957)
10:08 PM:   jack blais@66.220.17[1].txt (ID = 1991)
10:08 PM:   jack blais@about[1].txt (ID = 2037)
10:08 PM:   jack blais@adknowledge[2].txt (ID = 2072)
10:08 PM:   jack blais@adopt.specificclick[2].txt (ID = 3400)
10:08 PM:   jack blais@adrevolver[2].txt (ID = 2088)
10:08 PM:   jack blais@ads.cc214142[1].txt (ID = 2367)
10:08 PM:   jack blais@ads.pointroll[1].txt (ID = 3148)
10:08 PM:   jack blais@advertising[1].txt (ID = 2175)
10:08 PM:   jack blais@atdmt[1].txt (ID = 2253)
10:08 PM:   jack blais@ayb.lop[1].txt (ID = 2934)
10:08 PM:   jack blais@azjmp[2].txt (ID = 2270)
10:08 PM:   jack blais@belnk[1].txt (ID = 2292)
10:08 PM:   jack blais@casalemedia[1].txt (ID = 2354)
10:08 PM:   jack blais@centrport[1].txt (ID = 2374)
10:08 PM:   jack blais@dist.belnk[2].txt (ID = 2293)
10:08 PM:   jack blais@edge.ru4[2].txt (ID = 3269)
10:08 PM:   jack blais@espn.go[2].txt (ID = 2729)
10:08 PM:   jack blais@fastclick[2].txt (ID = 2651)
10:08 PM:   jack blais@go[2].txt (ID = 2728)
10:08 PM:   jack blais@ic-live[1].txt (ID = 2821)
10:08 PM:   jack blais@images.lop[1].txt (ID = 2937)
10:08 PM:   jack blais@landing.domainsponsor[1].txt (ID = 2535)
10:08 PM:   Found Spy Cookie: linksynergy cookie
10:08 PM:   jack blais@linksynergy[2].txt (ID = 2926)
10:08 PM:   jack blais@lop[1].txt (ID = 2936)
10:08 PM:   jack blais@metareward[1].txt (ID = 2990)
10:08 PM:   jack blais@pokerroom[2].txt (ID = 3149)
10:08 PM:   Found Spy Cookie: qksrv cookie
10:08 PM:   jack blais@qksrv[2].txt (ID = 3213)
10:08 PM:   jack blais@questionmarket[2].txt (ID = 3217)
10:08 PM:   jack blais@realmedia[2].txt (ID = 3235)
10:08 PM:   jack blais@revenue[1].txt (ID = 3257)
10:08 PM:   jack blais@rsi.espn.go[1].txt (ID = 2729)
10:08 PM:   jack blais@servedby.advertising[1].txt (ID = 3335)
10:08 PM:   jack blais@serving-sys[2].txt (ID = 3343)
10:08 PM:   jack blais@sports.espn.go[1].txt (ID = 2729)
10:08 PM:   jack blais@trafficmp[2].txt (ID = 3581)
10:08 PM:   jack blais@z1.adserver[1].txt (ID = 2142)
10:08 PM:   jack blais@zedo[1].txt (ID = 3762)
10:08 PM:   elaine blais@2o7[1].txt (ID = 1957)
10:08 PM:   elaine blais@abcnews.go[1].txt (ID = 2729)
10:08 PM:   elaine blais@adknowledge[1].txt (ID = 2072)
10:08 PM:   elaine blais@adopt.specificclick[2].txt (ID = 3400)
10:08 PM:   elaine blais@ads.cc214142[1].txt (ID = 2367)
10:08 PM:   elaine blais@ads.pointroll[1].txt (ID = 3148)
10:08 PM:   elaine blais@atdmt[2].txt (ID = 2253)
10:08 PM:   elaine blais@azjmp[2].txt (ID = 2270)
10:08 PM:   elaine blais@belnk[1].txt (ID = 2292)
10:08 PM:   Found Spy Cookie: bizrate cookie
10:08 PM:   elaine blais@bizrate[2].txt (ID = 2308)
10:08 PM:   elaine blais@casalemedia[2].txt (ID = 2354)
10:08 PM:   elaine blais@centrport[1].txt (ID = 2374)
10:08 PM:   elaine blais@disneyshopping.go[1].txt (ID = 2729)
10:08 PM:   elaine blais@dist.belnk[2].txt (ID = 2293)
10:08 PM:   elaine blais@edge.ru4[1].txt (ID = 3269)
10:08 PM:   elaine blais@espn.go[1].txt (ID = 2729)
10:08 PM:   elaine blais@fastclick[1].txt (ID = 2651)
10:08 PM:   elaine blais@go[1].txt (ID = 2728)
10:08 PM:   Found Spy Cookie: belointeractive cookie
10:08 PM:   elaine blais@homepage.belointeractive[1].txt (ID = 2295)
10:08 PM:   Found Spy Cookie: homestore cookie
10:08 PM:   elaine blais@homestore[1].txt (ID = 2793)
10:08 PM:   elaine blais@linksynergy[1].txt (ID = 2926)
10:08 PM:   Found Spy Cookie: maxserving cookie
10:08 PM:   elaine blais@maxserving[2].txt (ID = 2966)
10:08 PM:   elaine blais@msnportal.112.2o7[2].txt (ID = 1958)
10:08 PM:   elaine blais@nextag[1].txt (ID = 5014)
10:08 PM:   Found Spy Cookie: overture cookie
10:08 PM:   elaine blais@perf.overture[1].txt (ID = 3106)
10:08 PM:   elaine blais@questionmarket[1].txt (ID = 3217)
10:08 PM:   elaine blais@realmedia[1].txt (ID = 3235)
10:08 PM:   elaine blais@revenue[1].txt (ID = 3257)
10:08 PM:   elaine blais@rsi.abcnews.go[1].txt (ID = 2729)
10:08 PM:   elaine blais@rsi.espn.go[1].txt (ID = 2729)
10:08 PM:   Found Spy Cookie: searchadnetwork cookie
10:08 PM:   elaine blais@searchadnetwork[2].txt (ID = 3311)
10:08 PM:   elaine blais@server.iad.liveperson[1].txt (ID = 3341)
10:08 PM:   elaine blais@serving-sys[2].txt (ID = 3343)
10:08 PM:   elaine blais@trafficmp[1].txt (ID = 3581)
10:08 PM:   Found Spy Cookie: tripod cookie
10:08 PM:   elaine blais@tripod[1].txt (ID = 3591)
10:08 PM:   elaine blais@www.searchadnetwork[1].txt (ID = 3312)
10:08 PM:   elaine blais@z1.adserver[2].txt (ID = 2142)
10:08 PM:   elaine blais@zedo[1].txt (ID = 3762)
10:08 PM:   mark blais@adopt.specificclick[2].txt (ID = 3400)
10:08 PM:   mark blais@adrevolver[2].txt (ID = 2088)
10:08 PM:   mark blais@ads.pointroll[2].txt (ID = 3148)
10:08 PM:   mark blais@atdmt[2].txt (ID = 2253)
10:08 PM:   mark blais@belnk[1].txt (ID = 2292)
10:08 PM:   mark blais@centrport[2].txt (ID = 2374)
10:08 PM:   mark blais@dist.belnk[1].txt (ID = 2293)
10:08 PM:   mark blais@edge.ru4[2].txt (ID = 3269)
10:08 PM:   mark blais@espn.go[2].txt (ID = 2729)
10:08 PM:   mark blais@fastclick[1].txt (ID = 2651)
10:08 PM:   mark blais@go[1].txt (ID = 2728)
10:08 PM:   mark blais@nextag[2].txt (ID = 5014)
10:08 PM:   mark blais@realmedia[1].txt (ID = 3235)
10:08 PM:   mark blais@rsi.espn.go[1].txt (ID = 2729)
10:08 PM:   mark blais@serving-sys[1].txt (ID = 3343)
10:08 PM:   mark blais@z1.adserver[2].txt (ID = 2142)
10:08 PM:   mark blais@zedo[2].txt (ID = 3762)
10:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:20
10:08 PM: Starting File Sweep
10:09 PM:   c:\documents and settings\elaine blais\application data\winshow (ID = -2147481200)
10:09 PM:   c:\documents and settings\teresa ann\application data\winshow (3 subtraces) (ID = -2147481200)
10:09 PM:   gramup.exe (ID = 91)
10:10 PM:   data bias road help.exe (ID = 121)
10:10 PM:   data bias road help.exe (ID = 121)
10:12 PM:   Found Adware: ist yoursitebar
10:12 PM:   ysbactivex.dll (ID = 137714)
10:19 PM:   sklbmdec.exe (ID = 121)
10:21 PM:   gramup.exe (ID = 91)
10:21 PM:   gramup.exe (ID = 91)
10:21 PM:   debughtmname.exe (ID = 90)
10:21 PM:   debughtmname.exe (ID = 90)
10:21 PM:   debughtmname.exe (ID = 90)
10:22 PM:   meet thunk.exe (ID = 162)
10:22 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1007\Software\Microsoft\Windows\CurrentVersion\Run || greycdrom (ID = 0)
10:22 PM:   peaklocks.exe (ID = 122)
10:22 PM:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Ball Mode Joy Ford (ID = 0)
10:22 PM:   meet thunk.exe (ID = 162)
10:22 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1009\Software\Microsoft\Windows\CurrentVersion\Run || greycdrom (ID = 0)
10:22 PM:   stopintra.exe (ID = 122)
10:22 PM:   data bias road help.exe (ID = 121)
10:22 PM:   upload creative.exe (ID = 122)
10:22 PM:   bias grim.exe (ID = 122)
10:22 PM:   meet thunk.exe (ID = 162)
10:22 PM:   HKU\WRSS_Profile_S-1-5-21-3780936896-177371632-2971193410-1008\Software\Microsoft\Windows\CurrentVersion\Run || greycdrom (ID = 0)
10:22 PM:   wofrwbwt.exe (ID = 121)
10:22 PM:   base bags.exe (ID = 122)
10:22 PM:   winshow.dll (ID = 54622)
10:22 PM:   safe 64.exe (ID = 122)
10:23 PM:   dqqklmpz.exe (ID = 122)
10:23 PM:   ownsspam.exe (ID = 122)
10:23 PM:   hifgrewp.exe (ID = 122)
10:23 PM:   Found Adware: nvdialer
10:23 PM:   games.exe (ID = 137596)
10:23 PM:   emajcare.exe (ID = 122)
10:23 PM:   syuvidyi.exe (ID = 122)
10:23 PM:   wfqslhgn.exe (ID = 122)
10:23 PM:   uujlwobn.exe (ID = 122)
10:23 PM:   apyhkcfj.exe (ID = 122)
10:25 PM: File Sweep Complete, Elapsed Time: 00:16:35
10:25 PM: Full Sweep has completed.  Elapsed time 00:20:52
10:25 PM: Traces Found: 302
10:30 PM: Removal process initiated
10:30 PM:   Quarantining All Traces: lopdotcom
10:30 PM:   lopdotcom is in use.  It will be removed on reboot.
10:30 PM:     gramup.exe is in use.  It will be removed on reboot.
10:30 PM:   Quarantining All Traces: websearch toolbar
10:30 PM:   Quarantining All Traces: coolwebsearch (cws)
10:30 PM:   Quarantining All Traces: ist software
10:30 PM:   Quarantining All Traces: ist yoursitebar
10:30 PM:   Quarantining All Traces: nvdialer
10:30 PM:   Quarantining All Traces: search200.com hijacker
10:30 PM:   Quarantining All Traces: whistle
10:30 PM:   Quarantining All Traces: 247realmedia cookie
10:30 PM:   Quarantining All Traces: 2o7.net cookie
10:30 PM:   Quarantining All Traces: 66.220.17 cookie
10:30 PM:   Quarantining All Traces: 7search cookie
10:30 PM:   Quarantining All Traces: 888 cookie
10:30 PM:   Quarantining All Traces: about cookie
10:30 PM:   Quarantining All Traces: adknowledge cookie
10:30 PM:   Quarantining All Traces: adrevolver cookie
10:30 PM:   Quarantining All Traces: adserver cookie
10:30 PM:   Quarantining All Traces: adultfriendfinder cookie
10:30 PM:   Quarantining All Traces: advertising cookie
10:30 PM:   Quarantining All Traces: atlas dmt cookie
10:30 PM:   Quarantining All Traces: atwola cookie
10:30 PM:   Quarantining All Traces: azjmp cookie
10:30 PM:   Quarantining All Traces: banner cookie
10:30 PM:   Quarantining All Traces: belnk cookie
10:30 PM:   Quarantining All Traces: belointeractive cookie
10:30 PM:   Quarantining All Traces: bizrate cookie
10:30 PM:   Quarantining All Traces: bs.serving-sys cookie
10:30 PM:   Quarantining All Traces: casalemedia cookie
10:30 PM:   Quarantining All Traces: cc214142 cookie
10:30 PM:   Quarantining All Traces: centrport net cookie
10:30 PM:   Quarantining All Traces: dealtime cookie
10:30 PM:   Quarantining All Traces: did-it cookie
10:30 PM:   Quarantining All Traces: directtrack cookie
10:30 PM:   Quarantining All Traces: domainsponsor cookie
10:30 PM:   Quarantining All Traces: falkag cookie
10:30 PM:   Quarantining All Traces: fastclick cookie
10:30 PM:   Quarantining All Traces: go.com cookie
10:30 PM:   Quarantining All Traces: goclick cookie
10:30 PM:   Quarantining All Traces: homestore cookie
10:30 PM:   Quarantining All Traces: hypertracker.com cookie
10:30 PM:   Quarantining All Traces: ic-live cookie
10:30 PM:   Quarantining All Traces: infospace cookie
10:30 PM:   Quarantining All Traces: linksynergy cookie
10:30 PM:   Quarantining All Traces: lopdotcom cookie
10:30 PM:   Quarantining All Traces: maxserving cookie
10:30 PM:   Quarantining All Traces: metareward.com cookie
10:30 PM:   Quarantining All Traces: nextag cookie
10:30 PM:   Quarantining All Traces: overture cookie
10:30 PM:   Quarantining All Traces: partypoker cookie
10:30 PM:   Quarantining All Traces: pointroll cookie
10:30 PM:   Quarantining All Traces: pokerroom cookie
10:30 PM:   Quarantining All Traces: pro-market cookie
10:30 PM:   Quarantining All Traces: qksrv cookie
10:30 PM:   Quarantining All Traces: questionmarket cookie
10:30 PM:   Quarantining All Traces: realmedia cookie
10:30 PM:   Quarantining All Traces: reunion cookie
10:30 PM:   Quarantining All Traces: revenue.net cookie
10:30 PM:   Quarantining All Traces: rn11 cookie
10:30 PM:   Quarantining All Traces: ru4 cookie
10:30 PM:   Quarantining All Traces: search200 cookie
10:30 PM:   Quarantining All Traces: searchadnetwork cookie
10:30 PM:   Quarantining All Traces: servedby advertising cookie
10:30 PM:   Quarantining All Traces: server.iad.liveperson cookie
10:30 PM:   Quarantining All Traces: serving-sys cookie
10:30 PM:   Quarantining All Traces: specificclick.com cookie
10:30 PM:   Quarantining All Traces: tracking cookie
10:30 PM:   Quarantining All Traces: trafficmp cookie
10:30 PM:   Quarantining All Traces: tribalfusion cookie
10:30 PM:   Quarantining All Traces: tripod cookie
10:30 PM:   Quarantining All Traces: webtrendslive cookie
10:30 PM:   Quarantining All Traces: zedo cookie
10:31 PM:   Preparing to restart your computer. Please wait...
10:31 PM: Removal process completed.  Elapsed time 00:01:25
12:23 AM: Sent error log: C:\Documents and Settings\Daddio\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
10:15 AM: IE Security Shield:  found: C:\WINDOWS\SYSTEM32\RUNDLL32.EXE -- IE Security modification allowed at user request
12:51 PM: Updating spyware definitions
12:51 PM: Your definitions are up to date.
12:51 PM: Updating spyware definitions
12:51 PM: Your definitions are up to date.
12:51 PM: |       End of Session, Thursday, November 17, 2005       |
********
10:02 PM: |       Start of Session, Tuesday, November 15, 2005       |
10:02 PM: Spy Sweeper started
10:03 PM: Messenger service has been disabled.
10:03 PM: Your spyware definitions have been updated.
10:04 PM: |       End of Session, Tuesday, November 15, 2005       |

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #11 on: November 18, 2005, 04:31:12 AM »
It was the worst of times...

(4) All the Specific Media, Inc. popups when at cbssportsline.com are NOT gone contrary to what I said above. They are rare, not constant when at the CBS site as they were before. They are not IE browser windows. They say Specific Media, Inc. in the top bar of their little Window. The ad is no longer for Vacation Outlet, now for something else.

I did a Google Search for Specific Media, Inc. Some matches said to look for GOGO something and a few said to look for GOGOLAUNCH.exe. I did a HD search for Gogo including hidden folders and found NO matches on this PC !!!

If you know how to address this let me know. BTW some sites (including all MLB team sites) have a few pop-ups that come up with random ads. How do I know this? Because if I turn off the SP2 pop-up blocker on my home PC, and go to the Red Sox or Yankee site I see them. I do not necessarily consider them Spyware.

If this PC, which has XP SP1, was upgraded to SP2, this would probably go unseen. But I do not want to take an hour to do that upgrade.

If you can find a way to get rid of this fairly rare pop-up, please let me know.

Regards-Mike

Offline Lisa

  • Global Moderator
  • *
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #12 on: November 18, 2005, 07:57:21 AM »
Hi Mike,

Something is putting those O15 entries back in.

I can't 'fix' what I don't see. :) An online scan would tell me more. Do not run another installed AV--try this online scanner instead:

Perform an online scan with Internet Explorer with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  * The program will launch and then begin downloading the latest definition files:
  * Once the files have been downloaded click on NEXT
  * Now click on Scan Settings
  * In the scan settings make sure that the following are selected:
      * Scan using the following Anti-Virus database:
      * Standard
      * Scan Options:
      * Scan Archives
      * Scan Mail Bases
      * Click OK
  * Now under select a target to scan:
      * Select My Computer
  * This program will start and scan your system.
  * The scan will take a while so be patient and let it run.
  * Once the scan is complete it will display if your system has been infected.
      * Now click on the Save as Text button:
  * Save the file to your desktop.
  * Copy and paste that information in your next post along with a new HijackThis log.

« Last Edit: November 18, 2005, 08:18:40 AM by Lisa »

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #13 on: November 18, 2005, 11:59:04 AM »
Lisa,

Here are the 3 logs after our phone call:

Regards-Mike 8)

Kaspersky log
---------------------------------------

-------------------------------------------------------------------------------
 KASPERSKY ON-LINE SCANNER REPORT
 Friday, November 18, 2005 10:39:13
 Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
 Kaspersky On-line Scanner version: 5.0.67.0
 Kaspersky Anti-Virus database last update: 18/11/2005
 Kaspersky Anti-Virus database records: 150813
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - Critical Areas:
   C:\WINDOWS
   C:\DOCUME~1\Daddio\LOCALS~1\Temp\

Scan Statistics:
   Total number of scanned objects: 14152
   Number of viruses found: 5
   Number of infected objects: 187
   Number of suspicious objects: 0
   Duration of the scan process: 919 sec

Infected Object Name - Virus Name
C:\WINDOWS\actulice.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\Downloaded Program Files\loader2.ocx   Infected: Trojan-Downloader.Win32.Agent.ex
C:\WINDOWS\Downloaded Program Files\screload-yesup.exe   Infected: Trojan-Downloader.Win32.Vivia.l
C:\WINDOWS\SYSTEM32\2312GB.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\32TMW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\3D8D.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\5c61ase.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\7VGAV.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ACPLDLGR.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\acsTrayB.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ACTSRVX.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ANTZDI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\API32M.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\arpdllc.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\asexinfob.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ASMANR.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\atsrvutc.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\AUTOENRP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\B16K.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\B2312G.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BASEPS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDBENEK.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDCANK.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDESK.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDGKLK.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDGRK.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDHE220K.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDLT1K.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDLV1K.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BDPL1K.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\BJSELO.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\CBDYCTLR.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\CDLIB32P.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\CMSETUPT.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\CROBJS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\CXPNTN.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\D1394K.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\DBCCONFO.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\DBCTRACO.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\DDBUIRoxioC.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\de21201i.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\DESKB.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\di32g.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ECUPDS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ECURITYS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ERFCIP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ERMSRVT.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ERTMGRC.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ET1N.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ETLOGONN.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ETUNAMEG.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\EXPRESSI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\FC_OSS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\fpcd11nl.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\FRGFATD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\GA256V.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\GSH400J.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\HARES.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\HCPD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\HDOCLCS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\HKDSKC.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\HUIA.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\i2dvagat.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\IAACMGRW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\IANTZD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\IMEFILTM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\in32kw.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\IN32SPLW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\inar30w.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\incorew.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\inlogonw.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\INMMW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\INOLDAPW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\INPUTD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\IODMC.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\IRCOMX.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\JLMONP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\lackboxb.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\lbcatexc.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\LEACCRCO.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\LETHK32O.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\LGA.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\LMONPJ.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\M31IMGI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MAPIB.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MCFG32C.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MIFSF.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MIMED.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MM32I.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MMKCERTN.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MPCDW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\mpcorew.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MSDMOEW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\MUTILD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\NETCFGH.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\NETCOMMI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\NLODCTRU.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\NXPLR.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OCALEL.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OCPROP2D.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OCPROPD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ogagentl.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OMCATC.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\omctl32c.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OMRESC.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OPOMOFOB.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\OW32W.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\PBDE40MS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\PCONVGR.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\PNSVRD.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\PRTRMGRI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\PXCOINSS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\PXWANI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\QLWOAS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\RITEW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\RLMONU.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\RNXPL.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ROCTEXEP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\RODSPECP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\RPCONVG.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ryptsvcc.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SBASEP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SBMONU.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\scomct2m.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\scomctlM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\scriptj.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\sdartm.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SDPAPIS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SE.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SENTPRFE.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SENTUTLE.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\setup_incred_9.exe/data0002/data0002   Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\setup_incred_9.exe/data0002/data0004   Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\setup_incred_9.exe/data0002/data0005   Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\setup_incred_9.exe/data0002   Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\setup_incred_9.exe/data0008   Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\SYSTEM32\setup_incred_9.exe/data0009   Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\SYSTEM32\setup_incred_9.exe   Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\SYSTEM32\SFCI005H.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SHIP6W.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SIMSGM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SIMTFM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SISAM11M.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\sjint35m.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\sjint40m.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\sjter35m.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SMANRA.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SMARQUES.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SNPPAGNP.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SOERT2M.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SP10U.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\spdox35m.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SR2CM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SRLOGONU.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SRMGRLU.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SRV42AU.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SSADMINV.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SSAPIV.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SSIGN32M.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SSOIX.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SSTKPRPM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SVCP50M.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SVCRT20M.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SWAVED.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\SXML3RM.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\sxml4m.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\tfil11nl.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\TICONSH.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\tiidtxxA.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\TL3DV2C.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\TMSMGRN.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\toskrnln.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\TREAMCIS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\uauengw.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\UERYQ.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\UNASR.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\USRMGRL.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\V4_DISPN.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\xbtl.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\xbtsnlsl.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\XSSOI.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\YNCAPPS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\YSPRINTS.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\ZCDLGW.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\_1257C.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\_28598C.exe   Infected: Trojan.Win32.Revop.b
C:\WINDOWS\SYSTEM32\_28599C.exe   Infected: Trojan.Win32.Revop.b

Scan process completed.


-----------------------------------------------------------------------------------------------------



StartDreck log


--------------------------------------------------------------------------

StartDreck (build 2.1.7 public stable) - 2005-11-18 @ 10:50:32 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Daddio at JACKBEAN

»Registry
 »Run Keys
  »Current User
   »Run
    *MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
   »RunOnce
  »Default User
   »Run
   »RunOnce
  »Local Machine
   »Run
    *ATIModeChange=Ati2mdxx.exe
    *CARPService=carpserv.exe
    *ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    *DVDSentry=C:\WINDOWS\System32\DSentry.exe
    *MCAgentExe=C:\Program Files\McAfee.com\Agent\mcagent.exe
    *MCUpdateExe=C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    *VirusScan Online=c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    *DwlClient=C:\Program Files\Common Files\Dell\EUSW\Support.exe
    *Lexmark 5200 series="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    *FaxCenterServer="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    *LXBTCATS=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    *WLMonWPC54G=C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
    *OdTray.exe="C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
    *Indexer=C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
    *InstallMgr=C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
    *gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    *iTunesHelper="C:\Program Files\iTunes\iTunesHelper.exe"
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
  +.htm
   *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  +.js
   *JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.jse
   *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.vbe
   *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsh
   *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsf
   *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Active Setup (LM)
  +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
   *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
  +Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
   *StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
  +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
   *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
  +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
   *StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
  +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
   *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
  +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
  +Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
   *StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
  +Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
  +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
   *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
  +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
   *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
  +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
   *StubPath=regsvr32.exe /s /n /i:U shell32.dll
  +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
   *StubPath=%SystemRoot%\system32\ie4uinit.exe
 »Browser Helper Objects (LM)
  *SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
   `InprocServer32=C:\Program Files\SpywareGuard\dlprotect.dll
  *{53707962-6F74-2D53-2644-206D7942484F}
   `InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 »Internet Explorer
  »Current User
   *Default_Page_URL=http://www.dellnet.com
   *Local Page=C:\WINDOWS\System32\blank.htm
   *Search Bar=http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
   *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
   *Start Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
   +SearchUrl
    *provider=
  »Default User
   *Default_Page_URL=http://www.dellnet.com
   *Local Page=C:\WINDOWS\System32\blank.htm
   *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
   *Start Page=
   +SearchUrl
    *provider=
  »Local Machine
   *Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
   *Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
   *Local Page=%SystemRoot%\system32\blank.htm
   *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
   *Start Page=about:blank
   *CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
   *SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
   +SearchUrl
 »ShellServiceObjectDelayLoad (LM)
  *PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
   `InprocServer32=%SystemRoot%\system32\SHELL32.dll
  *CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
   `InprocServer32=%SystemRoot%\system32\SHELL32.dll
  *WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
   `InprocServer32=%SystemRoot%\System32\webcheck.dll
  *SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
   `InprocServer32=C:\WINDOWS\System32\stobject.dll
 »Special NT Values
  »Current User
   *Load=
   *Run=
   *Programs=com exe bat pif cmd
   *SHELL=
  »Default User
   *Load=
   *Run=
   *Programs=com exe bat pif cmd
   *SHELL=
  »Local Machine
   *AppInit_DLLs=
   *SHELL=Explorer.exe
   *Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
 »Autostart Folders
  »Current User
   *C:\Documents and Settings\Daddio\Start Menu\Programs\Startup\DESKTOP.INI
   *C:\Documents and Settings\Daddio\Start Menu\Programs\Startup\SpywareGuard.lnk
  »Default User
   *C:\Documents and Settings\Mark Blais\Start Menu\Programs\Startup\DESKTOP.INI
  »Local Machine
   *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
   *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
   *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\boot.ini
   `[boot loader]
   `timeout=30
   `default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
   `[operating systems]
   `multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
  *C:\msdos.sys
  *C:\config.sys
  *C:\WINDOWS\System32\config.nt
   `dos=high, umb
   `device=%SystemRoot%\system32\himem.sys
   `files=40
  *C:\WINDOWS\System32\drivers\etc\hosts
   `127.0.0.1   localhost
 »Program Files
  *C:\ntldr
  *C:\ntdetect.com
  *C:\io.sys
  *C:\WINDOWS\System32\win.com
  *C:\WINDOWS\explorer.exe
 »%PATH% Companion Files
 +C:\WINDOWS\System32\notepad.exe
  *C:\WINDOWS\notepad.exe
 +C:\WINDOWS\System32\TASKMAN.EXE
  *C:\WINDOWS\TASKMAN.EXE
 +C:\WINDOWS\System32\WINHLP32.EXE
  *C:\WINDOWS\winhlp32.exe
»System/Drivers
 »Running Processes
  +0=<idle>
  +4=<system>
  +1076=\SystemRoot\System32\smss.exe
  +1128=<unkown>
  +1156=\??\C:\WINDOWS\system32\winlogon.exe
  +1200=C:\WINDOWS\system32\services.exe
  +1212=C:\WINDOWS\system32\lsass.exe
  +1400=C:\WINDOWS\system32\svchost.exe
  +1600=C:\WINDOWS\System32\svchost.exe
  +1912=<unkown>
  +1948=<unkown>
  +1964=C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
  +372=C:\WINDOWS\system32\spoolsv.exe
  +472=<unkown>
  +484=C:\WINDOWS\System32\Ati2evxx.exe
  +548=C:\WINDOWS\system32\cisvc.exe
  +576=C:\Program Files\ewido\security suite\ewidoctrl.exe
  +660=c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  +908=C:\WINDOWS\System32\svchost.exe
  +936=<unkown>
  +1092=C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  +1972=c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  +1004=C:\WINDOWS\Explorer.EXE
  +1680=C:\WINDOWS\System32\carpserv.exe
  +1204=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  +124=C:\WINDOWS\System32\DSentry.exe
  +132=C:\Program Files\McAfee.com\Agent\mcagent.exe
  +160=C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  +180=C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
  +312=C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
  +328=C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
  +868=C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
  +756=C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
  +992=C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
  +1112=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
  +1956=C:\Program Files\iTunes\iTunesHelper.exe
  +1720=C:\Program Files\Messenger\msmsgs.exe
  +1740=C:\Program Files\iPod\bin\iPodService.exe
  +1580=C:\Program Files\Digital Line Detect\DLG.exe
  +2132=C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
  +2140=C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
  +2404=C:\Program Files\SpywareGuard\sgmain.exe
  +2464=C:\Program Files\SpywareGuard\sgbhp.exe
  +3088=C:\WINDOWS\System32\wuauclt.exe
  +2820=C:\WINDOWS\system32\cidaemon.exe
  +2852=C:\WINDOWS\system32\cidaemon.exe
  +3636=C:\Documents and Settings\Daddio\Desktop\StartDreck\StartDreck.exe
 »VMM32Files (LM)
 »%System%\VMM32
 »%System%\IOSUBSYS
»Application specific
 »MS Office 97/8.0 STARTUP-PATH
  »Current User
  »Default User
  »Local Machine
 »ICQ NetDetect
  »Current User
  »Default User


-----------------------------------------------------------------------



HJT log


-------------------------------------------------------------------------------

 
Logfile of HijackThis v1.99.1
Scan saved at 10:52:24 AM, on 11/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Daddio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe




Offline Lisa

  • Global Moderator
  • *
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #14 on: November 18, 2005, 04:29:32 PM »
Hello Mike,

As you can see by the Kaspersky scan, there are still many, many entries for Revop.b.  Yes, Ewido and Webroot took out some, but not all. This is a good example of why, when HJT and other scans appear clean, we run an online scan when there are still issues. ;)

As you know, we normally take out all those files manually (roughly 177 Revop.b related .exe's).  In the interest of saving you time, a batch file has been created to take care of the Revop.b entries.

As there are no provisions for attachments in this forum, the .zip file has been uploaded to this site: http://dl14.rapidshare.de/files/7819371/241938684/delbat.zip  Scroll down that webpage and click on the 'Free' button.  That'll take you to another page--click on Download: delbat.zip.  Save it to the desktop.

---------------------------

Reboot into Safe Mode.

---------------------------

Delete the following in bold text:

C:\WINDOWS\Downloaded Program Files\loader2.ocx
C:\WINDOWS\Downloaded Program Files\screload-yesup.exe 
C:\WINDOWS\SYSTEM32\setup_incred_9.exe <--delete ALL instances of this .exe if more than one is listed.

If you are unable to see either of these:

C:\WINDOWS\Downloaded Program Files\loader2.ocx
C:\WINDOWS\Downloaded Program Files\screload-yesup.exe 


To make the file visible you need to unregister occache.dll.  Click Start>Run and copy/paste regsvr32 /u occache.dll into the box and click OK.

Then this file will become visible and can be deleted.

Once it's removed...you need to then register occache.dll again: Click Start>Run and copy/paste regsvr32 occache.dll into the box and click OK.

---------------------------

Now, from within delbat.zip, double-click on delbat.cmd & allow it to run its full course and follow the instructions at the end.

Reboot back into Normal Mode for a Kaspersky scan and post the results here along with a new HijackThis log.
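Lisa's delbat.cmd is not reproduced here. As an added example that is not part of this thread, the Python below reads a Kaspersky scan report in the format pasted above, collapses archive-member entries such as setup_incred_9.exe/data0002/data0004 to the one file that actually sits on disk (which is why "all instances" of that .exe reduce to a single deletion), groups the paths by detection name, and renders a reviewable .cmd of guarded del lines with its own log. The sample lines and the revop_cleanup.log name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky scan report pasted above:
# "<path>   Infected: <detection name>". Members of an archive or installer are
# reported as <container>/<member>, e.g. setup_incred_9.exe/data0002/data0004.
SAMPLE_LOG = """\
C:\\WINDOWS\\SYSTEM32\\BDLT1K.exe   Infected: Trojan.Win32.Revop.b
C:\\WINDOWS\\SYSTEM32\\SE.exe   Infected: Trojan.Win32.Revop.b
C:\\WINDOWS\\SYSTEM32\\setup_incred_9.exe/data0002/data0004   Infected: Trojan-Downloader.Win32.Keenval
C:\\WINDOWS\\SYSTEM32\\setup_incred_9.exe/data0008   Infected: Trojan-Downloader.Win32.Keenval.e
C:\\WINDOWS\\SYSTEM32\\setup_incred_9.exe   Infected: Trojan-Downloader.Win32.Keenval.e

Scan process completed.
"""

# Path is non-greedy so a path containing spaces ("C:\Program Files\...") still
# parses; "Infected:" never appears inside a path.
FINDING_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s*$")

# Explorer shows this folder through the occache.dll shell extension rather than
# as plain files, which is why the thread unregisters occache.dll to delete there.
DPF_DIR = "\\downloaded program files\\"


def parse_scan_log(text):
    """Return [(reported_path, detection)] for every 'Infected:' line; skip the rest."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("name")))
    return findings


def container_path(reported_path):
    """Map an archive-member entry back to the file that exists on disk.

    Kaspersky separates archive members with '/', while the Windows path uses '\\',
    so everything from the first '/' onward lives inside the container file."""
    return reported_path.split("/", 1)[0]


def files_by_detection(findings):
    """Group on-disk paths by detection name, deduplicating archive members."""
    grouped = defaultdict(set)
    for path, name in findings:
        grouped[name].add(container_path(path))
    return {name: sorted(paths) for name, paths in grouped.items()}


def files_matching(findings, prefix):
    """On-disk files whose detection name starts with `prefix`.

    'Trojan.Win32.Revop' catches every variant letter (.a, .b, ...); the compare
    is case-sensitive, matching how the scanner prints names."""
    return sorted({container_path(p) for p, n in findings if n.startswith(prefix)})


def hidden_by_occache(path):
    """True for files under Downloaded Program Files (see the regsvr32 /u step)."""
    return DPF_DIR in path.lower()


def build_delete_script(paths, log_name="revop_cleanup.log"):
    """Render a reviewable Windows .cmd that deletes exactly the listed files.

    Constructed here, not Lisa's delbat.cmd. Every line is guarded by 'if exist'
    so a file already removed by Ewido or Webroot does not raise an error, and
    each deletion is appended to a log so the result can be posted back."""
    lines = ["@echo off", f"echo Cleanup started %date% %time% > {log_name}"]
    for p in paths:
        lines.append(f'if exist "{p}" (del /f /q "{p}" && echo deleted {p} >> {log_name})')
    lines.append(f"echo Cleanup finished %date% %time% >> {log_name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    for name, paths in sorted(files_by_detection(found).items()):
        print(f"{name}: {len(paths)} file(s) on disk")
    for p in {container_path(p) for p, _ in found}:
        if hidden_by_occache(p):
            print(f"note: {p} is only visible after regsvr32 /u occache.dll")
    print(build_delete_script(files_matching(found, "Trojan.Win32.Revop")))
```

Run it against the full Kaspersky report saved as a text file (swap SAMPLE_LOG for the file contents) to get the complete Revop.b list and the generated .cmd for review before anything is deleted.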


Offline Lisa

  • Global Moderator
  • *
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #15 on: November 19, 2005, 11:43:51 AM »
Hi Mike,

Per our phone conversation:

Download Findlop by Metallica: http://metallica.geekstogo.com/findlop.zip  Unzip it to your desktop.
Double click findlop.bat. It will open a notepad file.

Copy the content of that file and paste it here in your reply.

Make sure to run that under each user account and post all here.

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #16 on: November 19, 2005, 12:15:41 PM »
Lisa,

It's not looking good. One of the error messages from MS beta came up in Daddio's account (the guy who hired me); it was not there when I first logged into his account today. But the other two (lop-like and the other) do not show up in his account.

Here are the logs: The name of the account is above each log. First up, Jack Blais who got the lop-type error message when I logged in and did NOT block it AND there is an entry for that.

I am thinking of running Webroot in each account after your lop script in the 4 accounts I have not run it in, but that one of the two MS beta errors comes up in HIS account where Webroot was run makes me feel hopeless.

But FIRST (must be done anyway) I will install NAV 2006 from CD before anything and remove McAfee, because NAV, when it gives a real-time error, has the threat name and full file path, which might help. And NAV 2006 claims to have spyware protection. NAV 2005 did not. Also I have been wondering if McAfee is causing the MS beta errors when it starts. Removing it will kill that possibility.

Mike

-----------------------------------------------------------------------

Jack Blais HJT log


------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:45:54 AM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jack Blais\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kupukjxeucrynwypkmsmhryo.biz/4dtEjWv2FPby7lIKfPkiZiV7/IMFdb3i_bHamIHJRYtuLIOQBq7EYgP6CpOMXLyn.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-----------------------------------------



Daddio HJT log made before MS beta error came up and was blocked.

-------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:06:33 AM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daddio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-------------------------------------------------------------------------

Celia Wilson HJT log



-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:41:00 AM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Documents and Settings\Celia Wilson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


--------------------------------------------------------



Elaine Blais HJT log

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:43:49 AM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Elaine Blais\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wlhilfvguwmouhtb.com/enQp2nxASzDIquarnJy7G6zTq9D1u5scH87EO79cy56eNVVou4FLmjCcRBZY7LKR.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3622
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


---------------------------------------------



Teresa Ann HJT log

----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:48:13 AM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Teresa Ann\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HotBot Desktop - {bbff9532-5340-11d8-b39a-000d5610942e} - C:\Program Files\Lycos\HotBot Desktop\Toolbar\ArgoToolbar1063.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
O4 - HKLM\..\Run: [Indexer] C:\Program Files\Lycos\HotBot Desktop\Toolbar\Indexer1063.exe
O4 - HKLM\..\Run: [InstallMgr] C:\Program Files\Lycos\HotBot Install Manager\InstallMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/hbdt/en_US/hotbot/hbdt.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

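As an added illustration (not code from this thread, from HijackThis or from KRC), the following Python script triages HijackThis log lines of the kinds that come up here: R0/R1 entries whose URL host looks machine-generated (the same shape as the Search Bar entries Lisa later lists for fixing), entries that point at a file that no longer exists, and O15 Trusted Zone additions. The sample log is constructed from lines in the log posted above; the "random-looking host" threshold (a registrable label of 12+ characters with under 30% vowels) is an assumed heuristic, not a HijackThis rule.

```python
"""Triage HijackThis log lines for the entry classes discussed in this thread.

Added example, not part of the forum thread or of HijackThis itself. The
looks_random() threshold (label of 12+ characters with under 30% vowels) is
an assumption chosen to separate the hijacked Search Bar hosts seen in the
thread from ordinary vendor hostnames; tune it before relying on it.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis format, modelled on the log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kupukjxeucrynwypkmsmhryo.biz/4dtEjWv2FPby7lIKfPkiZiV7/IMFdb3i_bHamIHJRYtuLIOQBq7EYgP6CpOMXLyn.html
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def looks_random(host):
    """Heuristic: a long registrable label with very few vowels.

    Assumption for this example: 12+ characters and under 30% vowels.
    """
    labels = host.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.3


def triage_hjt(log_text):
    """Return (kind, reason, line) for every entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        # R0/R1: IE start/search page settings; pull out the URL host.
        if kind in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlsplit(url).hostname or ""
            if looks_random(host):
                findings.append((kind, f"IE setting points at random-looking host {host}", line))
        # An entry whose file is gone is a leftover of a removed component.
        elif any(marker in body for marker in ORPHAN_MARKERS):
            findings.append((kind, "orphaned entry (referenced file is missing)", line))
        # O15: a site in the IE Trusted Zone runs under relaxed security settings.
        elif kind == "O15":
            findings.append((kind, "site added to IE Trusted Zone; confirm it was intentional", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{kind:4} {reason}\n     {line}")
```

The O15 rule does not claim a site is hostile; it only surfaces Trusted Zone additions, which are rarely made on purpose by a home user and are worth confirming alongside the entries a helper asks to have fixed.
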
Offline Lisa

  • Global Moderator
  • *
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #17 on: November 19, 2005, 12:26:08 PM »
Ok Mike, I'll wait for the findlop.bat results.  There is no point in performing the fixes until I see those results.  I see nothing serious here...just lop.

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #18 on: November 19, 2005, 01:35:51 PM »
Lisa,

OK, things seem to be changed since we ran Findlop in the Daddio account and installed NAV 2006 but not enough tests to be sure.

When I logged out of Daddio, the account where I ran all the previous scans (except the recent HJT logs) and into Jack Blais where I last saw all three MS beta errors (Block or Allow choice and I allowed Lop and Blocked the other two), this time no Blue Top-bar MS beta windows came up. Instead around 5 Green top (let you know we allowed this or blocked this - came up). Some were for NAV but one changed some URL from random string (but not the really long lop one) to something with yahoo in it. Now 5 is worse than three BUT they were all green top meaning no decision by user is needed. SO THAT IS AN IMPROVEMENT I THINK. And some are related to the NAV starting up at log-in or first log in after NAV install, but not sure how many of the 5.

Then I logged back into Daddio and again lots of green top MS beta pop-up windows but no blue top ones. (But only ONE blue top one had been seen in that account, it is the Jack Blais log-in that is IMPROVED since findlop was run in the Daddio account.)

Please let me know if I need to run findlop in the other three accounts by looking at the logs and also comparing them. Meanwhile I will log into the other three and report back here in forum if the blue top MS beta pop-up windows are gone there.

Regards-Mike

OOOPS, Big mistake. Findlop does not save log in run folder, and I did not notice that. This is from C: which may mean it overwrote (without asking me) the first Daddio run and this is the Jack Blais run. I will have to rerun and post both or other account run. But this is probably from Jack Blais run but maybe from Daddio run

-----------------------------------------------------------------

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A70885C590CF3A3D.job'
[TRACE] Printing all job properties

  ApplicationName:    'c:\progra~1\lessse~1\debughtmname.exe'
  Parameters:         ''
  WorkingDirectory:   ''
  Comment:            ''
  Creator:            'Mark Blais'
  Priority:           NORMAL
  MaxRunTime:         259200000 (3d  0:00:00)
  IdleWait:           10
  IdleDeadline:       60
  MostRecentRun:      00/00/0000  0:00:00
  NextRun:            11/19/2005 13:00:00
  StartError:         0x80070534
  ExitCode:           0
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    DeleteWhenDone          = 0
    Suspend                 = 0
    StartOnlyIfIdle         = 0
    KillOnIdleEnd           = 0
    RestartOnIdleResume     = 0
    DontStartIfOnBatteries  = 0
    KillIfGoingOnBatteries  = 0
    RunOnlyIfLoggedOn       = 1
    SystemRequired          = 0
    Hidden                  = 1
  TaskFlags:          0

  1 Trigger

  Trigger 0:
    Type:            Daily
    DaysInterval:    1
    StartDate:       06/04/2001
    EndDate:         00/00/0000
    StartTime:       00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
      HasEndDate      = 0
      KillAtDuration  = 0
      Disabled        = 0


[TRACE] Activating job 'AA039E5191B01A4D.job'
[TRACE] Printing all job properties

  ApplicationName:    'c:\docume~1\elaine~1\applic~1\lessse~1\debughtmname.exe'
  Parameters:         ''
  WorkingDirectory:   ''
  Comment:            ''
  Creator:            'Elaine Blais'
  Priority:           NORMAL
  MaxRunTime:         259200000 (3d  0:00:00)
  IdleWait:           10
  IdleDeadline:       60
  MostRecentRun:      00/00/0000  0:00:00
  NextRun:            11/19/2005 13:00:00
  StartError:         SCHED_E_ACCOUNT_INFORMATION_NOT_SET
  ExitCode:           0
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    DeleteWhenDone          = 0
    Suspend                 = 0
    StartOnlyIfIdle         = 0
    KillOnIdleEnd           = 0
    RestartOnIdleResume     = 0
    DontStartIfOnBatteries  = 0
    KillIfGoingOnBatteries  = 0
    RunOnlyIfLoggedOn       = 1
    SystemRequired          = 0
    Hidden                  = 1
  TaskFlags:          0

  1 Trigger

  Trigger 0:
    Type:            Daily
    DaysInterval:    1
    StartDate:       10/12/1998
    EndDate:         00/00/0000
    StartTime:       00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
      HasEndDate      = 0
      KillAtDuration  = 0
      Disabled        = 0


[TRACE] Activating job 'AA3F008691B4B61E.job'
[TRACE] Printing all job properties

  ApplicationName:    'c:\docume~1\jackbl~1\applic~1\lessse~1\debughtmname.exe'
  Parameters:         ''
  WorkingDirectory:   ''
  Comment:            ''
  Creator:            'Jack Blais'
  Priority:           NORMAL
  MaxRunTime:         259200000 (3d  0:00:00)
  IdleWait:           10
  IdleDeadline:       60
  MostRecentRun:      00/00/0000  0:00:00
  NextRun:            11/19/2005 13:00:00
  StartError:         SCHED_E_ACCOUNT_INFORMATION_NOT_SET
  ExitCode:           0
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    DeleteWhenDone          = 0
    Suspend                 = 0
    StartOnlyIfIdle         = 0
    KillOnIdleEnd           = 0
    RestartOnIdleResume     = 0
    DontStartIfOnBatteries  = 0
    KillIfGoingOnBatteries  = 0
    RunOnlyIfLoggedOn       = 1
    SystemRequired          = 0
    Hidden                  = 1
  TaskFlags:          0

  1 Trigger

  Trigger 0:
    Type:            Daily
    DaysInterval:    1
    StartDate:       02/25/1995
    EndDate:         00/00/0000
    StartTime:       00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
      HasEndDate      = 0
      KillAtDuration  = 0
      Disabled        = 0


[TRACE] Activating job 'AB7B37489184ACD8.job'
[TRACE] Printing all job properties

  ApplicationName:    'c:\docume~1\celiaw~1\applic~1\lessse~1\debughtmname.exe'
  Parameters:         ''
  WorkingDirectory:   ''
  Comment:            ''
  Creator:            'Celia Wilson'
  Priority:           NORMAL
  MaxRunTime:         259200000 (3d  0:00:00)
  IdleWait:           10
  IdleDeadline:       60
  MostRecentRun:      00/00/0000  0:00:00
  NextRun:            11/19/2005 13:00:00
  StartError:         SCHED_E_ACCOUNT_INFORMATION_NOT_SET
  ExitCode:           0
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    DeleteWhenDone          = 0
    Suspend                 = 0
    StartOnlyIfIdle         = 0
    KillOnIdleEnd           = 0
    RestartOnIdleResume     = 0
    DontStartIfOnBatteries  = 0
    KillIfGoingOnBatteries  = 0
    RunOnlyIfLoggedOn       = 1
    SystemRequired          = 0
    Hidden                  = 1
  TaskFlags:          0

  1 Trigger

  Trigger 0:
    Type:            Daily
    DaysInterval:    1
    StartDate:       02/19/2000
    EndDate:         00/00/0000
    StartTime:       00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
      HasEndDate      = 0
      KillAtDuration  = 0
      Disabled        = 0


[TRACE] Activating job 'Norton AntiVirus - Run Full System Scan - Daddio.job'
[TRACE] Printing all job properties

  ApplicationName:    'C:\PROGRA~1\NORTON~1\Navw32.exe'
  Parameters:         '/TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
  WorkingDirectory:   ''
  Comment:            'This is a schedule scan task from Norton AntiVirus.'
  Creator:            'Daddio'
  Priority:           NORMAL
  MaxRunTime:         259200000 (3d  0:00:00)
  IdleWait:           10
  IdleDeadline:       60
  MostRecentRun:      00/00/0000  0:00:00
  NextRun:            11/25/2005 20:00:00
  StartError:         SCHED_S_TASK_HAS_NOT_RUN
  ExitCode:           0
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    DeleteWhenDone          = 0
    Suspend                 = 0
    StartOnlyIfIdle         = 0
    KillOnIdleEnd           = 0
    RestartOnIdleResume     = 0
    DontStartIfOnBatteries  = 0
    KillIfGoingOnBatteries  = 0
    RunOnlyIfLoggedOn       = 1
    SystemRequired          = 0
    Hidden                  = 0
  TaskFlags:          0

  1 Trigger

  Trigger 0:
    Type:            Weekly
    WeeksInterval:   1
    DaysOfTheWeek:   .....F.
    StartDate:       11/19/2005
    EndDate:         00/00/0000
    StartTime:       20:00
    MinutesDuration: 0
    MinutesInterval: 0
    Flags:
      HasEndDate      = 0
      KillAtDuration  = 0
      Disabled        = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

  ApplicationName:    'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
  Parameters:         ''
  WorkingDirectory:   'C:\Program Files\Symantec\LiveUpdate'
  Comment:            'Symantec NetDetect'
  Creator:            'Daddio'
  Priority:           NORMAL
  MaxRunTime:         259200000 (3d  0:00:00)
  IdleWait:           10
  IdleDeadline:       60
  MostRecentRun:      00/00/0000  0:00:00
  NextRun:            11/19/2005 12:13:00
  StartError:         SCHED_E_ACCOUNT_INFORMATION_NOT_SET
  ExitCode:           0
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    DeleteWhenDone          = 0
    Suspend                 = 0
    StartOnlyIfIdle         = 0
    KillOnIdleEnd           = 0
    RestartOnIdleResume     = 0
    DontStartIfOnBatteries  = 0
    KillIfGoingOnBatteries  = 0
    RunOnlyIfLoggedOn       = 1
    SystemRequired          = 0
    Hidden                  = 0
  TaskFlags:          0

  1 Trigger

  Trigger 0:
    Type:            Daily
    DaysInterval:    1
    StartDate:       11/19/2005
    EndDate:         00/00/0000
    StartTime:       11:43
    MinutesDuration: 1440
    MinutesInterval: 5
    Flags:
      HasEndDate      = 0
      KillAtDuration  = 0
      Disabled        = 0

Offline Lisa

  • Global Moderator
  • *
  • Posts: 1,828
  • Gender: Female
Re: For Lisa Only 11/16/05
« Reply #19 on: November 19, 2005, 02:17:58 PM »
Ok Mike, here we go:

Safe Mode Mike :)

Please print out or copy this page to Notepad.

  • Open Notepad and copy and paste the content of the code box in it:

    Code:
    C:
    cd C:\Windows\Tasks
    attrib -r -s -h A70885C590CF3A3D.job
    attrib -r -s -h AA039E5191B01A4D.job
    attrib -r -s -h AA3F008691B4B61E.job
    attrib -r -s -h AB7B37489184ACD8.job

    del A70885C590CF3A3D.job
    del AA039E5191B01A4D.job
    del AA3F008691B4B61E.job
    del AB7B37489184ACD8.job

  • Save this Notepad file as remjobs.bat, choose to save as *all files
    and place it on your desktop.
  • Doubleclick on remjobs.bat. A dos window will open and close again, this is normal.

    Delete the following folders:

    c:\progra~1\lessse~1
    c:\docume~1\elaine~1\applic~1
    c:\docume~1\jackbl~1\applic~1
    c:\docume~1\celiaw~1\applic~1


    Scan with HijackThis and 'fix' the following entries in the logs listed:

    Daddio acct

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kupukjxeucrynwypkmsmhryo.biz/4dtEjWv2FPby7lIKfPkiZiV7/IMFdb3i_bHamIHJRYtuLIOQBq7EYgP6CpOMXLyn.html

    Elaine

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wlhilfvguwmouhtb.com/enQp2nxASzDIquarnJy7G6zTq9D1u5scH87EO79cy56eNVVou4FLmjCcRBZY7LKR.php

    Teresa Ann

    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)

    Reboot into Normal Mode. How are things now...still getting warnings from MSBeta?


    Mike, per our phone conversation:

    <edit>

    Delete THESE folders:

    c:\docume~1\elaine~1\applic~1\lessse~1
    c:\docume~1\jackbl~1\applic~1\lessse~1
    c:\docume~1\celiaw~1\applic~1\lessse~1

« Last Edit: November 19, 2005, 02:42:28 PM by Lisa »
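
Added example (not findlop, not Lisa's remjobs.bat, and not part of the thread): a Python script that parses the findlop-style [TRACE] listing Mike posted above, flags the jobs that fit the pattern Lisa removed (random 16-hex-digit job name, Hidden flag set, program located under a user profile's Application Data folder), and emits attrib/del lines in the shape of her remjobs.bat for the flagged jobs only. The sample listing is constructed from the posted one with the property blocks shortened to the fields the triage reads; the two-of-three scoring rule is an assumption made for this example.

```python
"""Triage a Task Scheduler job listing in the findlop-style [TRACE] layout
and generate remjobs.bat-style removal lines for the jobs it flags.

Added example, not part of the forum thread, of findlop or of HijackThis.
Scoring rule (assumption): flag a job showing at least two of: random
16-hex-digit name, Hidden flag set, program under a user profile's
Application Data folder.
"""
import re

# Constructed sample in the same layout as the listing posted in the thread
# (property blocks shortened to the fields the triage uses).
SAMPLE_LISTING = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A70885C590CF3A3D.job'
[TRACE] Printing all job properties

  ApplicationName:    'c:\progra~1\lessse~1\debughtmname.exe'
  Parameters:         ''
  Creator:            'Mark Blais'
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    RunOnlyIfLoggedOn       = 1
    Hidden                  = 1
  TaskFlags:          0

[TRACE] Activating job 'AA3F008691B4B61E.job'
[TRACE] Printing all job properties

  ApplicationName:    'c:\docume~1\jackbl~1\applic~1\lessse~1\debughtmname.exe'
  Parameters:         ''
  Creator:            'Jack Blais'
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    RunOnlyIfLoggedOn       = 1
    Hidden                  = 1
  TaskFlags:          0

[TRACE] Activating job 'Norton AntiVirus - Run Full System Scan - Daddio.job'
[TRACE] Printing all job properties

  ApplicationName:    'C:\PROGRA~1\NORTON~1\Navw32.exe'
  Parameters:         '/TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
  Creator:            'Daddio'
  Status:             SCHED_S_TASK_HAS_NOT_RUN
  ScheduledWorkItem Flags:
    RunOnlyIfLoggedOn       = 1
    Hidden                  = 0
  TaskFlags:          0
"""

JOB_RE = re.compile(r"\[TRACE\] Activating job '(?P<name>[^']+)'")
FLAG_RE = re.compile(r"^\s+(?P<key>[A-Za-z]+)\s+=\s+(?P<val>\d+)$")
PROP_RE = re.compile(r"^\s+(?P<key>[A-Za-z]+):\s*(?P<val>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{16}\.job$")
APPDATA_RE = re.compile(
    r"\\(docume~1|documents and settings)\\[^\\]+\\(applic~1|application data)\\", re.I)


def parse_jobs(text):
    """Turn the [TRACE] listing into a list of dicts: name, properties, flags."""
    jobs, cur = [], None
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if m:
            cur = {"name": m.group("name"), "flags": {}}
            jobs.append(cur)
            continue
        if cur is None:
            continue
        m = FLAG_RE.match(line)          # "    Hidden = 1" style flag lines
        if m:
            cur["flags"][m.group("key")] = int(m.group("val"))
            continue
        m = PROP_RE.match(line)          # "  ApplicationName: '...'" style properties
        if m:
            cur[m.group("key")] = m.group("val").strip().strip("'")
    return jobs


def triage_jobs(jobs, threshold=2):
    """Flag jobs that show at least `threshold` of the three indicators."""
    findings = []
    for job in jobs:
        reasons = []
        if HEX_NAME_RE.match(job["name"]):
            reasons.append("random 16-hex-digit job name")
        if job["flags"].get("Hidden") == 1:
            reasons.append("Hidden flag set")
        app = job.get("ApplicationName", "")
        if APPDATA_RE.search(app):
            reasons.append("program runs from a user profile's Application Data folder")
        if len(reasons) >= threshold:
            findings.append({"name": job["name"], "app": app, "reasons": reasons})
    return findings


def removal_batch(findings):
    """Batch lines in the shape of remjobs.bat: clear attributes, then delete."""
    names = [f["name"] for f in findings]
    lines = ["C:", r"cd C:\Windows\Tasks"]
    lines += [f"attrib -r -s -h {n}" for n in names]
    lines += [f"del {n}" for n in names]
    return lines


if __name__ == "__main__":
    hits = triage_jobs(parse_jobs(SAMPLE_LISTING))
    for h in hits:
        print(h["name"], "->", h["app"], "|", "; ".join(h["reasons"]))
    print("\n".join(removal_batch(hits)))
```

The Norton and NetDetect jobs from the posted listing score zero on all three indicators, so a listing like Mike's yields exactly the four hex-named jobs; the generated batch is reviewed by a person before it is run, which is the same division of labour as in the thread.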

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #20 on: November 19, 2005, 03:33:44 PM »
Lisa,

No blue tops at the moment in any of the 5 accounts after following your last post instructions but you said it comes and goes. Only thing odd, is in some accounts (I think Daddio only) a green top says it changed the IE something from long random string to something Yahoo (but not changed the default Home page, something else). I have seen this twice. I am bothered that IE had to make this change; why did it get set that way to begin with?? Unfortunately I have not written it down exactly or even the IE attribute that got changed so nothing to go on.

Also one of the green tops looks like it is not NAV or Lycos related. It may have noticed that I repeatedly blocked the IE Web browser (blue top) and now it automatically blocks it (green top) except the wording was a bit different, like not quite the same as IE Web browser so maybe it is unrelated to the above.

In any case it is green, not blue.

So that's it for this laptop. I'll run NAV full system scan now as it keeps popping up a warning that it is not run even once after a new NAV install every time a log-in is done; a real pain. And who knows, it might do something good.

Thanks for all your help. I'll contribute $25 by paypal to you later today or Sunday.

Thanks,
  Mike

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #21 on: November 19, 2005, 04:26:27 PM »
Lisa,

NAV 2006 full system scan only found one threat, Adware.lop, rated a high threat. It fixed it.

NAV 2006 full system scan now has a virus detected/fixed and Spyware detected/fixed section and it auto fixes everything it can; does not ask (or maybe only asks about certain things like cookies).

The new NAV AntiSpy product that may be in here was rated by PC World Labs just below Webroot but it said it was only included with NIS ($80), not with NAV ($50), a $30 difference. Also McAfee AntiSpy was rated high also but was said to be separately sold for $30 and not part of McAfee VirusScan. But the 2006 McAfee VirusScan says Spyware protection included so maybe both companies decided they had to include Spyware protection with their basic products.

Regards,
  Mike

Offline Kevin

  • Administrator
  • *
  • Posts: 10,616
  • Gender: Male
    • Kevin's Resource Center
Re: For Lisa Only 11/16/05
« Reply #22 on: November 19, 2005, 11:01:39 PM »
Hi Mike, how is everything running now?  Is this problem resolved so we can move it to the Resolved board?


Need help live? Visit the chatroom.

Was KRC helpful to you? If so, please recommend this forum to your family and friends...

If this forum has helped you, please make a donation to support it.

Offline mgross333

  • KRC Supporter
  • *
  • Posts: 596
Re: For Lisa Only 11/16/05
« Reply #23 on: November 20, 2005, 04:01:20 AM »
Kevin,

Move this to the Resolved section.

Mike Gross