
Browser hijack + other adware

Hello,

While I was trying to clean someone else's computer, I realized I had never seen a PC so full of crap. I also noticed he is running an illegal version of Windows XP, but that's not the point now.

Internet Explorer is clearly hijacked and sets makemesearch.com as the default homepage. There are also some other strange things:

- The Recycle Bin always seems to be empty, even if you have just deleted something
- I cannot change the computer wallpaper, it remains blue
- The XP start menu list (on the left) is empty, and stays empty
- I tried installing Spyware Doctor, but it gave a registry error while installing, telling me it couldn't write the keys for PCTools and Spyware Doctor... Adware preventing the install of anti-adware software?!

I cleaned the computer from unnecessary files using Easycleaner. I included the logfile of HijackThis below this post. It would be great if you could help me out. I have no idea where to start solving this.

Thanks!

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:45 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ToniArts EasyComm] "C:\Program Files\ToniArts\EasyComm\EasyComm.exe" -s
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - http://download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124313467514
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128450247374
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?9d450ca2261f89af789aab38db4e10ddeb3bb451f7c233931d34f2380afe5a2a2bafdc292518e8ae6fc9e4ab0d46a6b080c1929fd407547f1cd9e9e4153daec7937382cda8:d075e8ea8f5d0dcdea43fc78836d4b32
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7265 bytes

Comments

  • edited November 2007
    Okay, I was finally able to install Spyware Doctor. I almost fainted when I saw the scan results. Is there a way to get rid of this nice collection without having to buy the SD license?

    - 'Adware,Tubby_Toolbar' (1 infection)
    - 'Adware,2Search' (37 infections)
    - 'Spyware,180search_Assistant' (13 infections)
    - 'Application,Golden_Keylogger' (1 infection)
    - 'Backdoor,Agent,EN' (1 infection)
    - 'Trojan,Generic' (1 infection)
    - 'Adware,WhenU_SaveNow' (31 infections)
    - 'Application,Component,KMiNT21' (4 infections)
    - 'Application,Elite_Keylogger' (3 infections)
    - 'Adware,CoolWebSearch_XPlugin' (7 infections)

    Yeah, I know...

    I replaced the dots with commas, because it's trying to parse them as links.
  • TroganTrogan London, UK
    edited November 2007
    Hi nzwemstra,

    There isn't much showing in the log, but let's do some other scans.

    Please do the following...

    1. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    2. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.

    3. Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan: Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Save the file to your desktop.

    4. Please post the following...

    Uninstall list
    Kaspersky report
    New HijackThis log
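
Added example (not part of the original posts, and not HijackThis's own logic): a small Python triage pass over HijackThis entry lines that surfaces the kinds of entries picked out for fixing in this thread, such as a start page on an unfamiliar host, a BHO with no file on disk, and ActiveX (DPF) entries with a missing or non-allowlisted source. The allowlist and the review rules are assumptions made for illustration; flagged lines are candidates for review, not a removal list.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example only (an assumption, not a vendor list).
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com")

# Entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...43fc78836d4b32
"""

# "<section code> - <rest of line>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# A URL at the very end of the entry (where DPF and R0 entries put it).
URL_RE = re.compile(r"https?://\S+$")


def host_is_trusted(url):
    """True if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def review_reason(code, body):
    """Return a short reason string if the entry deserves a closer look, else None."""
    if code in ("R0", "R1"):
        key, _, value = body.partition("=")
        key, value = key.strip(), value.strip()
        if not value:
            if key.endswith(("Start Page", "Local Page")):
                return "blank IE page setting"
            return None
        if URL_RE.search(value) and not host_is_trusted(value):
            return "IE page set to non-allowlisted host"
        return None
    if code == "R3" and "is missing" in body:
        return "default URLSearchHook missing"
    if code in ("O2", "O3", "O9"):
        if body.rstrip().endswith(("(no file)", "(file missing)")):
            return "references a file that is not on disk"
        return None
    if code == "O16":
        match = URL_RE.search(body)
        if match is None:
            return "ActiveX control with no download source"
        if not host_is_trusted(match.group(0)):
            return "ActiveX control from non-allowlisted host"
    return None


def triage(log_text):
    """Parse entry lines and return (code, reason, body) for each flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        reason = review_reason(m["code"], m["body"])
        if reason:
            findings.append((m["code"], reason, m["body"]))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {body}")
```
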
      • edited November 2007
        Hi, thanks for your help!

        I fixed the entries you specified using HijackThis, below you will find a new log, and under that the uninstall list. I am still trying to get this Kaspersky WebScanner working on this computer, it looks like it has some trouble initializing in IE 6 (i.e. the ActiveX component doesn't successfully download.) Any ideas?

        ---- NEW HIJACKTHIS LOG ----

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 1:47:42 PM, on 11/7/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\brsvc01a.exe
        C:\WINDOWS\system32\brss01a.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Windows Media Player\WMPNetwk.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\WINDOWS\System32\alg.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Spyware Doctor\svcntaux.exe
        C:\Program Files\Spyware Doctor\SDTrayApp.exe
        C:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
        C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
        C:\Program Files\Spyware Doctor\swdsvc.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
        C:\WINDOWS\System32\wbem\wmiprvse.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
        O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
        O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
        O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
        O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
        O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
        O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
        O4 - HKLM\..\Run: [ToniArts EasyComm] "C:\Program Files\ToniArts\EasyComm\EasyComm.exe" -s
        O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
        O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
        O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
        O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - http://download.007guard.com/msnnames/msnnames.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124313467514
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128450247374
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?9d450ca2261f89af789aab38db4e10ddeb3bb451f7c233931d34f2380afe5a2a2bafdc292518e8ae6fc9e4ab0d46a6b080c1929fd407547f1cd9e9e4153daec7937382cda8:d075e8ea8f5d0dcdea43fc78836d4b32
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
        O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
        O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

        --
        End of file - 7968 bytes


        ---- UNINSTALL LIST ----

        Acoustica Effects Pack
        Ad-Aware SE Personal
        Adobe Flash Player 9 ActiveX
        Adobe Reader 8
        Adobe Shockwave Player
        Adobe® Photoshop® Album Starter Edition 3.0
        ASUS Probe V2.18.00
        avast! Antivirus
        BearShare
        Brother MFL-Pro Suite
        DebugMode Wink
        DFE-530TX Driver
        Diagnostic Tool for the Microsoft VM
        DivX Web Player
        EasyCleaner
        Enable S3 for USB Device
        Game Maker 7.0
        Google Toolbar for Firefox
        HighMAT Extension to Microsoft Windows XP CD Writing Wizard
        HijackThis 2.0.2
        Hotfix for Windows Media Format 11 SDK (KB929399)
        Hotfix for Windows Media Player 11 (KB939683)
        Hotfix for Windows XP (KB896344)
        Hotfix for Windows XP (KB926239)
        HyperCam
        iTunes
        J2SE Runtime Environment 5.0 Update 10
        J2SE Runtime Environment 5.0 Update 6
        Java(TM) 6 Update 2
        Java(TM) SE Runtime Environment 6 Update 1
        LimeWire 4.14.1
        Map Button (Windows Live Toolbar)
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1 Hotfix (KB928366)
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Office 2000 Premium
        Microsoft Plus! for Windows XP
        Microsoft User-Mode Driver Framework Feature Pack 1.0
        Microsoft XML Parser and SDK
        Mjuice Components
        Mozilla Firefox (2.0.0.9)
        MSXML 4.0 SP2 (KB925672)
        MSXML 4.0 SP2 (KB927978)
        MSXML 4.0 SP2 (KB936181)
        NVIDIA nForce APU1 Utilities
        NVIDIA Windows 2000/XP Display Drivers
        OneCare Advisor (Windows Live Toolbar)
        PaperPort
        Popup Blocker (Windows Live Toolbar)
        QuickTime
        Realtek AC'97 Audio
        RT2500 Wireless LAN Card
        S3Display
        ScanSpyware v3.8.0.4
        Security Update for CAPICOM (KB931906)
        Security Update for CAPICOM (KB931906)
        Security Update for Windows Media Player (KB911564)
        Security Update for Windows Media Player 10 (KB911565)
        Security Update for Windows Media Player 10 (KB917734)
        Security Update for Windows Media Player 11 (KB936782)
        Security Update for Windows Media Player 6.4 (KB925398)
        Security Update for Windows XP (KB890046)
        Security Update for Windows XP (KB893066)
        Security Update for Windows XP (KB893756)
        Security Update for Windows XP (KB896358)
        Security Update for Windows XP (KB896422)
        Security Update for Windows XP (KB896423)
        Security Update for Windows XP (KB896424)
        Security Update for Windows XP (KB896428)
        Security Update for Windows XP (KB896688)
        Security Update for Windows XP (KB899587)
        Security Update for Windows XP (KB899588)
        Security Update for Windows XP (KB899589)
        Security Update for Windows XP (KB899591)
        Security Update for Windows XP (KB900725)
        Security Update for Windows XP (KB901017)
        Security Update for Windows XP (KB901190)
        Security Update for Windows XP (KB901214)
        Security Update for Windows XP (KB902400)
        Security Update for Windows XP (KB904706)
        Security Update for Windows XP (KB905414)
        Security Update for Windows XP (KB905749)
        Security Update for Windows XP (KB905915)
        Security Update for Windows XP (KB908519)
        Security Update for Windows XP (KB908531)
        Security Update for Windows XP (KB911280)
        Security Update for Windows XP (KB911562)
        Security Update for Windows XP (KB911567)
        Security Update for Windows XP (KB911927)
        Security Update for Windows XP (KB912812)
        Security Update for Windows XP (KB912919)
        Security Update for Windows XP (KB913446)
        Security Update for Windows XP (KB913580)
        Security Update for Windows XP (KB914388)
        Security Update for Windows XP (KB914389)
        Security Update for Windows XP (KB916281)
        Security Update for Windows XP (KB917159)
        Security Update for Windows XP (KB917344)
        Security Update for Windows XP (KB917422)
        Security Update for Windows XP (KB917953)
        Security Update for Windows XP (KB918118)
        Security Update for Windows XP (KB918439)
        Security Update for Windows XP (KB918899)
        Security Update for Windows XP (KB919007)
        Security Update for Windows XP (KB920213)
        Security Update for Windows XP (KB920214)
        Security Update for Windows XP (KB920670)
        Security Update for Windows XP (KB920683)
        Security Update for Windows XP (KB920685)
        Security Update for Windows XP (KB921398)
        Security Update for Windows XP (KB921503)
        Security Update for Windows XP (KB921883)
        Security Update for Windows XP (KB922616)
        Security Update for Windows XP (KB922760)
        Security Update for Windows XP (KB922819)
        Security Update for Windows XP (KB923191)
        Security Update for Windows XP (KB923414)
        Security Update for Windows XP (KB923689)
        Security Update for Windows XP (KB923694)
        Security Update for Windows XP (KB923980)
        Security Update for Windows XP (KB924191)
        Security Update for Windows XP (KB924270)
        Security Update for Windows XP (KB924496)
        Security Update for Windows XP (KB924667)
        Security Update for Windows XP (KB925454)
        Security Update for Windows XP (KB925486)
        Security Update for Windows XP (KB925902)
        Security Update for Windows XP (KB926255)
        Security Update for Windows XP (KB926436)
        Security Update for Windows XP (KB927779)
        Security Update for Windows XP (KB927802)
        Security Update for Windows XP (KB928090)
        Security Update for Windows XP (KB928255)
        Security Update for Windows XP (KB928843)
        Security Update for Windows XP (KB929123)
        Security Update for Windows XP (KB929969)
        Security Update for Windows XP (KB930178)
        Security Update for Windows XP (KB931261)
        Security Update for Windows XP (KB931768)
        Security Update for Windows XP (KB931784)
        Security Update for Windows XP (KB932168)
        Security Update for Windows XP (KB933566)
        Security Update for Windows XP (KB933729)
        Security Update for Windows XP (KB935839)
        Security Update for Windows XP (KB935840)
        Security Update for Windows XP (KB936021)
        Security Update for Windows XP (KB937143)
        Security Update for Windows XP (KB938127)
        Security Update for Windows XP (KB938829)
        Security Update for Windows XP (KB939653)
        Security Update for Windows XP (KB941202)
        Shockwave
        Smart Menus (Windows Live Toolbar)
        Spyware Doctor 5.1
        Tabbed Browsing (Windows Live Toolbar)
        Update for Windows XP (KB894391)
        Update for Windows XP (KB896727)
        Update for Windows XP (KB898461)
        Update for Windows XP (KB900485)
        Update for Windows XP (KB900930)
        Update for Windows XP (KB910437)
        Update for Windows XP (KB916595)
        Update for Windows XP (KB920872)
        Update for Windows XP (KB922582)
        Update for Windows XP (KB927891)
        Update for Windows XP (KB929338)
        Update for Windows XP (KB930916)
        Update for Windows XP (KB931836)
        Update for Windows XP (KB933360)
        Update for Windows XP (KB938828)
        USB 2.0 Setup program
        VideoLAN VLC media player 0.8.6b
        Winamp (remove only)
        Windows Genuine Advantage v1.3.0254.0
        Windows Installer 3.1 (KB893803)
        Windows Live Messenger
        Windows Live Outlook Toolbar (Windows Live Toolbar)
        Windows Live Sign-in Assistant
        Windows Live Toolbar
        Windows Live Toolbar
        Windows Live Toolbar Extension (Windows Live Toolbar)
        Windows Live Toolbar Feed Detector (Windows Live Toolbar)
        Windows Media Connect
        Windows Media Connect
        Windows Media Format 11 runtime
        Windows Media Format 11 runtime
        Windows Media Player 11
        Windows Media Player 11
        Windows XP Hotfix - KB873333
        Windows XP Hotfix - KB873339
        Windows XP Hotfix - KB885250
        Windows XP Hotfix - KB885835
        Windows XP Hotfix - KB885836
        Windows XP Hotfix - KB886185
        Windows XP Hotfix - KB887472
        Windows XP Hotfix - KB887742
        Windows XP Hotfix - KB887797
        Windows XP Hotfix - KB888113
        Windows XP Hotfix - KB888302
        Windows XP Hotfix - KB890859
        Windows XP Hotfix - KB891781
        Windows XP Hotfix - KB893086
        Windows XP Service Pack 2

        ---- END ----
      • edited November 2007
        Kaspersky tells me I should have the IE security level set to medium and use an Administrator account. Both were true though...
      • TroganTrogan London, UK
        edited November 2007
        Hi nzwemstra,

        I'm not sure what is happening with Kaspersky. Leave it for now if it is not downloading the ActiveX.

        Please do the following...

        1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

        ScanSpyware v3.8.0.4 <-- This is a rogue program. I strongly suggest removing it.

        2. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

        Updating Java:
        • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
        • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
        • Click the "Download" button to the right.
        • Check the box that says: "Accept License Agreement."
        • The page will refresh.
        • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
        • Close any programs you may have running - especially your web browser.
        • Go to Start > Control Panel, double-click on Add/Remove programs and remove the following...
          • J2SE Runtime Environment 5.0 Update 10
          • J2SE Runtime Environment 5.0 Update 6
          • Java(TM) 6 Update 2
          • Java(TM) SE Runtime Environment 6 Update 1
        • Reboot your computer once all Java components are removed.
        • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

        3. Open HijackThis
        - Click the Do a system scan only button
        - Check the following entries (below)

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R3 - Default URLSearchHook is missing

        O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...43fc78836d4b32


        - Close ALL open windows (especially Internet Explorer!)
        - Click Fix Checked
        - Close HijackThis

        4. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

        Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
        http://www.ewido.net/en/download/
        • Install AVG Anti-Spyware by double clicking the installer.
        • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
        • On the main screen, under Your Computer's security:
          • Click on Change state next to Resident shield. It should now change to inactive.
          • Click on Change state next to Automatic updates. It should now change to inactive.
          • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
          • Wait until you see the Update successful message.
        • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
        • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
        If you are having problems with the updater, you can use this link to manually update ewido.
        AVG Anti-Spyware manual updates.
        Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

        Reboot your computer in Safe Mode.
        • If the computer is running, shut down Windows, and then turn off the power.
        • Wait 30 seconds, and then turn the computer on.
        • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
        • Ensure that the Safe Mode option is selected.
        • Press Enter. The computer then begins to start in Safe mode.
        • Log in to your usual account.
        Once in Safe Mode:

        Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
        • Click on Scanner on the toolbar.
        • Click on the Settings tab.
          • Under How to act?
            • Click on Recommended Action and choose Quarantine from the popup menu.
          • Under How to scan?
            • All checkboxes should be ticked.
          • Under Possibly unwanted software:
            • All checkboxes should be ticked.
          • Under Reports:
            • Select Do not automatically generate reports
          • Under What to scan?
            • Select Scan every file.
        • Click on the Scan tab.
        • Click on Complete System Scan to start the scan process.
        • Let the program scan the machine.
        • When the scan has finished, follow the instructions below.
          IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
          • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
          • At the bottom of the window click on the Apply all Actions button. (3)
        • When done, click the Save Scan Report button. (4)
          • Click the Save Report as button.
          • Save the report to your Desktop.
        • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
        Reboot back into Normal Mode and post a new HijackThis log, along with the AVG Anti-Spyware log.
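
The AVG Anti-Spyware report requested above lists one finding per line in the form `target -> detection : action`, and tracking-cookie entries can bury the few findings that matter. The Python below is an added example (not part of the original thread and not code from AVG or HijackThis) that separates the two; the sample report is constructed, and `ExampleLogger`, `ExampleToolbar`, `Trojan.Example`, the user names and the `MONITOR_HINTS` list are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One finding per line: "<target> -> <detection> : <action>."
LINE_RE = re.compile(r"^(?P<target>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")
# A ":mozilla.N:" prefix marks record N inside a Firefox cookies.txt file.
MOZ_RE = re.compile(r"^:mozilla\.(\d+):")
# Forum software can wrap "user@host" cookie file names in [email] tags.
BBCODE_RE = re.compile(r"\[/?email\]", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")
# Substrings suggesting input or activity monitoring (assumed list, extend as needed).
MONITOR_HINTS = ("keylog", "monitor", "spy")


@dataclass
class Finding:
    target: str             # path or registry key, ":mozilla.N:" prefix removed
    kind: str               # "registry", "cookie_record" or "file"
    detection: str
    action: str
    profile: Optional[str]  # Windows profile name taken from the path, if any

    @property
    def monitoring(self) -> bool:
        text = (self.detection + " " + self.target).lower()
        return any(hint in text for hint in MONITOR_HINTS)


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None if it is not a complete finding."""
    m = LINE_RE.match(BBCODE_RE.sub("", line).strip())
    if not m:
        return None
    target = m["target"]
    moz = MOZ_RE.match(target)
    if moz:
        kind, target = "cookie_record", target[moz.end():]
    elif target.upper().startswith(REGISTRY_ROOTS):
        kind = "registry"
    else:
        kind = "file"
    prof = PROFILE_RE.search(target)
    return Finding(target, kind, m["detection"], m["action"],
                   prof.group(1) if prof else None)


def triage(report_text: str) -> dict:
    """Split a report into priority findings, cookie counts and malformed lines."""
    priority, malformed, cookies = [], [], Counter()
    for raw in report_text.splitlines():
        if " -> " not in raw:
            continue  # title, "+ ..." header or blank line
        finding = parse_line(raw)
        if finding is None:
            malformed.append(raw.strip())  # e.g. a line cut off before its action
        elif finding.detection.startswith("TrackingCookie."):
            cookies[finding.profile or "(unknown)"] += 1
        else:
            priority.append(finding)
    # Monitoring software first, then alphabetical by detection name.
    priority.sort(key=lambda f: (not f.monitoring, f.detection))
    return {"priority": priority,
            "cookies_by_profile": dict(cookies),
            "malformed": malformed}


# Constructed sample in the report's format; paths and user names are made up.
SAMPLE_REPORT = r"""AVG Anti-Spyware - Scan Report

+ Created at: 10:10:39 AM 11/8/2007

+ Scan result:

HKLM\SOFTWARE\ExampleVendor\ExampleLogger -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
C:\Program Files\ExampleLogger\logger.exe -> Not-A-Virus.Monitor.Win32.RevealerKeylogger.a : Cleaned with backup (quarantined).
C:\Program Files\ExampleToolbar\toolbar.dll -> Adware.ExampleToolbar : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\alice\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.105:C:\Documents and Settings\alice\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and [email]dad@atdmt[2].txt[/email] -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\alice\Local Settings\Temp\dropper.tmp -> Trojan.Example
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["priority"]:
        flag = "MONITORING" if f.monitoring else "other"
        print(f"[{flag}] {f.detection} ({f.kind}): {f.target} -> {f.action}")
    print("tracking cookies per profile:", result["cookies_by_profile"])
    print("malformed lines:", result["malformed"])
```
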
      • edited November 2007
        Hi,

        I did the following:
        - Removed ScanSpyware v3.8.0.4
        - Removed previous Java installations
        - Installed latest version of Java
        - Fixed the HijackThis entries, static.zangocash.com was removed, the other three are still there...
        - Downloaded AVG Anti-Spyware
        - Installed it
        - Changed the settings
        - Attempted to boot in Safe Mode, system froze at the Mup.sys driver, so I did a scan in Normal Mode
        - Saved the log files:

        AVG Anti-Spyware - Scan Report

        + Created at: 10:10:39 AM 11/8/2007

        + Scan result:



        HKLM\SOFTWARE\KMiNT21 -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
        HKLM\SOFTWARE\KMiNT21\GoldenKeylogger -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
        C:\Program Files\RKFree\rkfree.exe -> Not-A-Virus.Monitor.Win32.RevealerKeylogger.a : Cleaned with backup (quarantined).
        :mozilla.68:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned.
        :mozilla.112:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.113:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.114:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.162:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.165:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.190:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.195:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.201:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.205:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.206:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.207:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.210:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.212:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.224:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.237:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.297:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.318:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.349:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.350:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.468:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.469:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.478:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
        :mozilla.323:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
        :mozilla.324:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
        :mozilla.325:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
        :mozilla.326:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
        :mozilla.327:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
        :mozilla.105:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.108:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.41:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.42:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.43:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.44:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.45:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
        :mozilla.289:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
        :mozilla.290:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
        :mozilla.291:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
        :mozilla.292:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
        :mozilla.293:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
        :mozilla.174:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.176:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.177:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.178:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.191:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.192:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.193:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
        :mozilla.274:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
        :mozilla.275:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
        :mozilla.350:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
        :mozilla.196:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
        :mozilla.294:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
        :mozilla.239:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
        :mozilla.10:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.11:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.12:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.13:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.48:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.49:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.50:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.51:C:\Documents and Settings\Rkiller\Application Data\Mozilla\Firefox\Profiles\6j6zqa8f.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.6:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.7:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.8:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.9:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
        C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
        C:\Documents and Settings\Rkiller\Local Settings\Temp\Cookies\rkiller@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
        :mozilla.92:C:\Documents and Settings\Rkiller_2\Application Data\Mozilla\Firefox\Profiles\zyfralk5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
        C:\Documents and Settings\Rkiller_2\Cookies\rkiller_2@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


        ::Report end


        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 10:13:32 AM, on 11/8/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\brsvc01a.exe
        C:\WINDOWS\system32\brss01a.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\Program Files\Spyware Doctor\svcntaux.exe
        C:\Program Files\Spyware Doctor\swdsvc.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Windows Media Player\WMPNetwk.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\WINDOWS\System32\alg.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\NOTEPAD.EXE
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
        C:\WINDOWS\System32\wbem\wmiprvse.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
        O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
        O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
        O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
        O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
        O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
        O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
        O4 - HKLM\..\Run: [ToniArts EasyComm] "C:\Program Files\ToniArts\EasyComm\EasyComm.exe" -s
        O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
        O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
        O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
        O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - http://download.007guard.com/msnnames/msnnames.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124313467514
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128450247374
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
        O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
        O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

        --
        End of file - 7543 bytes
      • Trogan London, UK
        edited November 2007
        Hi nzwemstra,

        Can you shut down/close Spyware Doctor temporarily, as it is preventing some HijackThis entries from being removed? Make sure the icon is not showing in the system tray (by the clock).

        Next, remove the following entries in HijackThis like you did previously...

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R3 - Default URLSearchHook is missing


        Please post another new HijackThis log. Also, let me know how the computer is running and if you have an active Firewall running.
      • edited November 2007
        Hi Trogan,

        Thanks again for your support in this. I will retry deleting those entries as soon as I can get to that pc again, probably a bit later tonight. Just wanted to describe the situation the computer is in as you requested.

        - It runs horribly slow - it has a 1.99 GHz processor and 256 MB of RAM. The low RAM shouldn't really be a problem, since they don't use huge programs and also probably only one at a time, 2 at the most.
        - The internet connection on that pc sucks, takes forever to load pages, and there's a remarkably big difference between the loading speed of FF and MSIE. Firefox is sufficiently fast, just like the other PCs on that network that connect through the same router (I think the router also has a firewall).
        - Everything related to the desktop seems to be creating a problem (e.g. Recycle Bin, My Computer/Documents icons not showing, unable to change wallpaper, start menu empty etc.)
        - Some programs just won't launch, no matter how long you wait or how many times you try to launch them (e.g. Adobe Reader, Printer utility software)
        - It has trouble with saving settings (e.g. homepage in MSIE is now msn.com (thanks, the makemesearch.com is gone), but when I change it, close the properties and check again, it's msn.com just like before. Other things include the default printing preferences)
        - Cannot print from the browsers, they copy the pages and paste them into Word or something to print the contents.
        - The WGA notifications are incredibly annoying. I asked them where they had gotten their XP OS, and after a long thought they concluded that it was probably a computer guy in Indonesia where they used to live that installed the pirated version after the computer once crashed and they took it to him.

        That's all I can think of right now, will perform the HijackThis scan in a while, and also check for some other weird things I notice.
      • edited November 2007
        Hi Trogan,

        I tried removing those entries using HijackThis a couple times, yet they stay in the list (I uninstalled Spyware Doctor before I scanned). Below you will find another logfile. In my previous post I listed several problems I could remember encountering while using that computer. Below are a few more:

        - Windows XP loading screen on startup shows for about 10 minutes, while the loading bar continues to move from left to right
        - It does a disk check on every startup. I checked scheduled tasks, but it doesn't show this

        After your last post I downloaded the Comodo firewall for extra protection, that is up and running now. What about that Backdoor Trojan, is it extremely harmful?

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 8:01:51 PM, on 11/8/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\brsvc01a.exe
        C:\WINDOWS\system32\brss01a.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\Program Files\Comodo\Firewall\cmdagent.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
        O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
        O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
        O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
        O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
        O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
        O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
        O4 - HKLM\..\Run: [ToniArts EasyComm] "C:\Program Files\ToniArts\EasyComm\EasyComm.exe" -s
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
        O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
        O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
        O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
        O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
        O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - http://download.007guard.com/msnnames/msnnames.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124313467514
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128450247374
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
        O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

        --
        End of file - 7223 bytes
      • Trogan, London, UK
        edited November 2007
        Hi nzwemstra,

        Can you uninstall AVG Anti-Spyware and try once more to remove those HijackThis entries?

        The problems you described, are they recent? I'm thinking that the illegal OS may have something to do with it.
      • edited November 2007
        Hi Trogan,

        I removed AVG and disabled Avast quickly, and then again tried to remove those entries. Unfortunately no success.
      • Trogan, London, UK
        edited November 2007
        Hi,

        Please reinstall Avast. An Anti-Virus program, such as Avast, would not prevent those files from being removed. However, an Anti-Spyware program, such as Spybot or AVG Anti-Spyware would. However, those HijackThis entries are still there, even though they are harmless.

        Let's try this:
        Please download Deckard's System Scanner (DSS) to your desktop.
        • Close all applications and windows.
        • Double-click on dss.exe to run it, and follow the prompts.
        • When the scan is complete, a text file will open - Main.txt
        • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
        • A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
        • Please also copy the contents of Extra.txt to your post as well.
        • Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
        • What DSS will do:
            • create a new System Restore point in Windows XP and Vista.
            • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
            • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
      • edited November 2007
        Hi Trogan,

        Thanks again. I followed all the steps, but I am not sure where to post it. Where is this HijackThis Log Help Forum? For now, I'll just post it here.

        main.txt

        Deckard's System Scanner v20071014.68
        Run by Rkiller on 2007-11-14 22:18:04
        Computer is in Normal Mode.

        -- System Restore

        Successfully created a Deckard's System Scanner Restore Point.


        -- Last 5 Restore Point(s) --
        63: 2007-11-14 21:18:14 UTC - RP1058 - Deckard's System Scanner Restore Point
        62: 2007-11-14 11:00:24 UTC - RP1057 - Software Distribution Service 3.0
        61: 2007-11-13 16:30:32 UTC - RP1056 - System Checkpoint
        60: 2007-11-12 16:01:54 UTC - RP1055 - System Checkpoint
        59: 2007-11-11 12:26:15 UTC - RP1054 - System Checkpoint


        -- First Restore Point --
        1: 2007-09-11 19:04:30 UTC - RP996 - System Checkpoint


        Backed up registry hives.
        Performed disk cleanup.

        Total Physical Memory: 256 MiB (512 MiB recommended).


        -- HijackThis (run as Rkiller.exe)

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 10:19:18 PM, on 11/14/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\brsvc01a.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\brss01a.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
        C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Documents and Settings\Rkiller\Desktop\dss.exe
        C:\PROGRA~1\TRENDM~1\HIJACK~1\Rkiller.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
        O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
        O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
        O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
        O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
        O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
        O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
        O4 - HKLM\..\Run: [ToniArts EasyComm] "C:\Program Files\ToniArts\EasyComm\EasyComm.exe" -s
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
        O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
        O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
        O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - http://download.007guard.com/msnnames/msnnames.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124313467514
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128450247374
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

        --
        End of file - 6152 bytes

        -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

        backup-20071107-133820-103 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071107-133820-584 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
        backup-20071107-133820-363 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071107-133820-758 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071107-133820-573 R3 - Default URLSearchHook is missing
        backup-20071107-133820-395 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        backup-20071108-085120-642 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071108-085120-435 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071108-085120-214 R3 - Default URLSearchHook is missing
        backup-20071108-085311-669 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071108-085311-587 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071108-085311-366 R3 - Default URLSearchHook is missing
        backup-20071108-085311-762 O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?9d450ca2261f89af789aab38db4e10ddeb3bb451f7c233931d34f2380afe5a2a2bafdc292518e8ae6fc9e4ab0d46a6b080c1929fd407547f1cd9e9e4153daec7937382cda8:d075e8ea8f5d0dcdea43fc78836d4b32
        backup-20071108-194504-235 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071108-194504-870 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071108-194504-650 R3 - Default URLSearchHook is missing
        backup-20071108-195248-440 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071108-195248-918 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071108-195248-698 R3 - Default URLSearchHook is missing
        backup-20071108-200136-487 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071108-200136-372 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071108-200136-152 R3 - Default URLSearchHook is missing
        backup-20071109-221454-474 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071109-221454-860 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071109-221454-639 R3 - Default URLSearchHook is missing
        backup-20071109-221520-468 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        backup-20071109-221520-385 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        backup-20071109-221520-164 R3 - Default URLSearchHook is missing

        -- File Associations

        All associations okay.


        -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

        R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.0.0.5) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.0.0.6>
        R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
        R2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - c:\windows\system32\drivers\nwlnkipx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R2 NwlnkNb (NWLink NetBIOS) - c:\windows\system32\drivers\nwlnknb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R2 NwlnkSpx (NWLink SPX/SPXII Protocol) - c:\windows\system32\drivers\nwlnkspx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R3 BrScnUsb (Brother USB Still Image driver) - c:\windows\system32\drivers\brscnusb.sys <Not Verified; Brother Industries Ltd.; Brother MFC Scanner>
        R3 NWRDR (NetWare Rdr) - c:\windows\system32\drivers\nwrdr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\windows\system32\drivers\rootmdm.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R3 RT2500 (RT2500 Wireless Driver) - c:\windows\system32\drivers\rt2500.sys <Not Verified; Ralink Technology Inc.; RT2500 802.11g Wireless Adapters>

        S2 ousbehci (%OWC_USBEHCD.DeviceDesc%) - c:\windows\system32\drivers\ousbehci.sys <Not Verified; OrangeWare Corporation; USB 2.0 Enhanced Host Controller Driver>
        S2 USBBC (USB Bridge Cable (Windows 2000)) - c:\windows\system32\usbbc20.sys
        S3 atirage - c:\windows\system32\drivers\atiragem.sys <Not Verified; ATI Technologies Inc.; Microsoft® Windows® Operating System>
        S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 FETNDIS (D-Link DFE-530TX PCI Fast Ethernet Adapter Driver) - c:\windows\system32\drivers\dlkfet5b.sys <Not Verified; D-Link; D-Link DFE-530TX PCI Fast Ethernet Adapter>
        S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
        S3 hidgame (Microsoft Hid to Joystick Port Enabler) - c:\windows\system32\drivers\hidgame.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 mp20 (Pinnacle MP20 Device) - c:\windows\system32\drivers\mp20.sys (file missing)
        S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 oUltraf - c:\documents and settings\rkiller\local settings\temp\oultraf.sys
        S3 rtl8029 (Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8029.sys (file missing)
        S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)
        S3 S3Psddr - c:\windows\system32\drivers\s3gnbm.sys <Not Verified; S3 Graphics, Inc.; S3 ProSavage & Twister Miniport Driver>
        S3 SISNIC (SiS PCI Fast Ethernet Adapter Driver) - c:\windows\system32\drivers\sisnic.sys <Not Verified; SiS Corporation; NDIS 5.1 NIC Driver>
        S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>


        -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

        R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R2 Iprip (RIP Listener) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R2 NWCWorkstation (Client Service for NetWare) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        R2 NwSapAgent (SAP Agent) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

        S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
        S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


        -- Device Manager: Disabled

        No disabled devices found.


        -- Scheduled Tasks

        2007-11-14 22:15:02 262 --a
        C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
        2007-09-27 21:09:02 244 --a
        C:\WINDOWS\Tasks\Solitaire.job
        2005-08-15 04:55:44 420 --a
        C:\WINDOWS\Tasks\WinampSwitch settings.job


        -- Files created between 2007-10-14 and 2007-11-14

        2007-11-14 06:36:56 0 d--hs---- C:\FOUND.098
        2007-11-08 19:53:55 0 d
        C:\Program Files\Comodo
        2007-11-08 08:47:39 0 d
        C:\Program Files\Common Files\Java
        2007-11-04 12:38:16 0 d
        C:\Program Files\HyperCam
        2007-10-28 12:23:36 0 d--hs---- C:\FOUND.097
        2007-10-19 20:15:13 0 d
        C:\WINDOWS\Application Data
        2007-10-16 08:26:12 0 d
        C:\Program Files\LimeWire


        -- Find3M Report

        2007-11-14 12:07:06 12 --a
        C:\WINDOWS\bthservsdp.dat
        2007-10-20 18:54:54 0 d
        C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia
        2007-10-19 16:21:12 0 --a
        C:\WINDOWS\system32\Biport
        2007-08-18 16:32:18 50 --a
        C:\WINDOWS\system32\bridf05a.dat


        -- Registry Dump

        *Note* empty entries & legit default entries are not shown


        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SoundMan"="SOUNDMAN.EXE" [01/07/2003 03:09 AM C:\WINDOWS\SOUNDMAN.EXE]
        "NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 02:50 AM]
        "Net-It Launcher"="C:\WINDOWS\System32\NILaunch.exe" [02/05/1998 12:16 PM]
        "S3TRAY2"="S3tray2.exe" [12/16/2001 11:09 PM C:\WINDOWS\system32\S3tray2.exe]
        "NVIDIA nForce APU1 Utilities"="NVATray.exe" [06/17/2002 11:25 PM C:\WINDOWS\system32\NVATray.exe]
        "NvCplDaemon"="NvQTwk" []
        "nwiz"="nwiz.exe" [08/30/2002 02:06 PM C:\WINDOWS\system32\nwiz.exe]
        "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
        "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/07/2006 06:39 PM]
        "BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 02:56 PM C:\WINDOWS\system32\bthprops.cpl]
        "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
        "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
        "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [03/18/2005 12:40 PM]
        "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [03/18/2005 12:53 PM]
        "SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [01/26/2005 06:02 PM]
        "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [05/17/2005 05:42 PM]
        "ToniArts EasyComm"="C:\Program Files\ToniArts\EasyComm\EasyComm.exe" []
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        "Authentication Packages"= msv1_0 nwprovau

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
        @="Volume shadow copy"

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        bthsvcs BthServ




        -- End of Deckard's System Scanner: finished at 2007-11-14 22:21:12
        extra.txt

        Deckard's System Scanner v20071014.68
        Extra logfile - please post this as an attachment with your post.

        -- System Information

        Microsoft Windows XP Professional (build 2600) SP 2.0
        Architecture: X86; Language: English

        CPU 0: AMD Athlon(TM) XP 2400+
        Percentage of Memory in Use: 69%
        Physical Memory (total/avail): 255.35 MiB / 79.1 MiB
        Pagefile Memory (total/avail): 747.95 MiB / 574.1 MiB
        Virtual Memory (total/avail): 2047.88 MiB / 1939.37 MiB

        A: is Removable (FAT)
        C: is Fixed (FAT32) - 28.51 GiB total, 13.24 GiB free.
        D: is Fixed (FAT32) - 9.76 GiB total, 9.23 GiB free.
        E: is CDROM (No Media)
        F: is CDROM (No Media)
        G: is Removable (No Media)

        \\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.29 GiB - 2 partitions
        \PARTITION0 (bootable) - Unknown - 28.52 GiB - C:
        \PARTITION1 - Extended w/Extended Int 13 - 9.77 GiB - D:

        \\.\PHYSICALDRIVE1 - Brother MFC-215C USB Device



        -- Security Center

        AUOptions is scheduled to auto-install.
        Windows Internal Firewall is enabled.

        AntiVirusDisableNotify is set.
        FirewallDisableNotify is set.


        [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
        "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
        "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
        "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

        [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
        "C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
        "C:\\Games\\Supreme\\Supreme.exe"="C:\\Games\\Supreme\\Supreme.exe:*:Disabled:Supreme"
        "C:\\Program Files\\EA Games\\Need For Speed poursuite infernale 2\\NFSHP2.exe"="C:\\Program Files\\EA Games\\Need For Speed poursuite infernale 2\\NFSHP2.exe:*:Enabled:NFSHP2"
        "C:\\Program Files\\Activision Value\\THPS2\\THawk2.exe"="C:\\Program Files\\Activision Value\\THPS2\\THawk2.exe:*:Enabled:THawk2"
        "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
        "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
        "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
        "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
        "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
        "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
        "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
        "D:\\Mijn documenten\\My Videos\\Roan Films\\BearShare.exe"="D:\\Mijn documenten\\My Videos\\Roan Films\\BearShare.exe:*:Enabled:BearShare"
        "C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
        "C:\\Program Files\\Age of Empires\\age2_x1.exe"="C:\\Program Files\\Age of Empires\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"


        -- Environment Variables

        ALLUSERSPROFILE=C:\Documents and Settings\All Users
        APPDATA=C:\Documents and Settings\Rkiller\Application Data
        CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=DESKTOP
        ComSpec=C:\WINDOWS\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Documents and Settings\Rkiller
        LOGONSERVER=\\DESKTOP
        NUMBER_OF_PROCESSORS=1
        OS=Windows_NT
        Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=0801
        ProgramFiles=C:\Program Files
        PROMPT=$P$G
        QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\WINDOWS
        TEMP=C:\WINDOWS\TEMP
        TMP=C:\WINDOWS\TEMP
        USERDOMAIN=DESKTOP
        USERNAME=Rkiller
        USERPROFILE=C:\Documents and Settings\Rkiller
        windir=C:\WINDOWS


        -- User Profiles

        Rkiller (admin)
        Rkiller_2 (admin)
        Pap en Mam
        Administrator (admin)


        -- Add/Remove Programs

        --> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
        --> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
        --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
        Acoustica Effects Pack --> C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG
        Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
        Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
        Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
        Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~2\INSTALL.LOG
        Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
        ASUS Probe V2.18.00 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
        BearShare --> D:\Mijn documenten\My Videos\Roan Films\UninstallSurvey.exe D:\MIJNDO~1\MYVIDE~1\ROANFI~1\UNWISE.EXE D:\MIJNDO~1\MYVIDE~1\ROANFI~1\INSTALL.LOG
        Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB9AC6BF-71B6-42A4-9689-C17D9F44E79A}\Setup.exe" -l0x13 Brunin03.dllBrunin03.dll
        DFE-530TX Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F2BB456F-C07B-4EDE-975F-4D6DED19750A}
        Diagnostic Tool for the Microsoft VM --> MsiExec.exe /I{86844E31-42CC-49C8-B647-7213009F4719}
        DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
        EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
        Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
        Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
        HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
        HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
        Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
        HyperCam --> "C:\Program Files\HyperCam\Uninstall.exe"
        iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
        Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
        LimeWire 4.14.1 --> "C:\Program Files\LimeWire\uninstall.exe"
        Map Button (Windows Live Toolbar) --> MsiExec.exe /X{ECDA9BD9-A54E-462A-8191-A2B569D9AB34}
        Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
        Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
        Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
        Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
        Mjuice Components --> "C:\Program Files\MJuice Media Player\MJUninst.exe"
        Mozilla Firefox (2.0.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
        NVIDIA nForce APU1 Utilities --> C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection Remove_NVAUtilsNT 132 C:\WINDOWS\INF\NVAUtlml.inf
        NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
        OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
        PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
        Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
        QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
        Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
        RT2500 Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAA66A0D-E610-40B8-9D51-C1854285773A}\Setup.exe" -l0x9
        S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
        Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
        Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
        Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
        Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{95FC661A-A0C5-4B18-92CE-90347DA79CC9}
        Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{1707BF02-0F5C-4A6C-8F17-053BB73E443F}
        USB 2.0 Setup program --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\VIA Technologies, INC.\USB 2.0 Setup program\Uninst.isu"
        VideoLAN VLC media player 0.8.6b --> C:\Program Files\VLC Media Player\uninstall.exe
        Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
        Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
        Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
        Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
        Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
        Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
        Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{3727B920-F5A3-46A4-AC02-94F421A039C7}
        Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
        Windows Media Connect --> msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
        Windows Media Connect --> MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
        Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


        -- Application Event Log

        Event Record #/Type109 / Error
        Event Submitted/Written: 11/12/2007 06:37:39 AM
        Event ID/Source: 1000 / Windows Live Messenger
        Event Description:
        msnmsgr.exe8.1.178.045b12d6almcdata.dll8.1.178.045b12b4b00001bab2

        Event Record #/Type107 / Error
        Event Submitted/Written: 11/11/2007 05:13:05 PM
        Event ID/Source: 1000 / Windows Live Messenger
        Event Description:
        msnmsgr.exe8.1.178.045b12d6antdll.dll5.1.2600.2180411096b4000010f29

        Event Record #/Type106 / Error
        Event Submitted/Written: 11/11/2007 05:05:38 PM
        Event ID/Source: 1000 / Windows Live Messenger
        Event Description:
        msnmsgr.exe8.1.178.045b12d6antdll.dll5.1.2600.2180411096b4000010f29

        Event Record #/Type105 / Error
        Event Submitted/Written: 11/11/2007 05:00:24 PM
        Event ID/Source: 1004 / Application Error
        Event Description:
        Faulting application winlogon.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
        Error in creating result PEAP-TLV in response to received PEAP-TLV (winlogon.exe!ld!)

        Event Record #/Type103 / Error
        Event Submitted/Written: 11/11/2007 00:49:15 PM
        Event ID/Source: 1000 / Application Error
        Event Description:
        Faulting application , version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
        Processing media-specific event for [!ws!]



        -- Security Event Log

        No Errors/Warnings found.


        -- System Event Log

        Event Record #/Type21731 / Error
        Event Submitted/Written: 11/14/2007 10:20:38 PM
        Event ID/Source: 7016 / Service Control Manager
        Event Description:
        The BrSplService service has reported an invalid current state 0.

        Event Record #/Type21730 / Error
        Event Submitted/Written: 11/14/2007 10:18:26 PM / 11/14/2007 10:18:36 PM
        Event ID/Source: 7 / Disk
        Event Description:
        The device, \Device\Harddisk0\D, has a bad block.

        Event Record #/Type21716 / Error
        Event Submitted/Written: 11/14/2007 00:08:45 PM
        Event ID/Source: 7000 / Service Control Manager
        Event Description:
        The USB Bridge Cable (Windows 2000) service failed to start due to the following error:
        %%1058

        Event Record #/Type21715 / Error
        Event Submitted/Written: 11/14/2007 00:08:45 PM
        Event ID/Source: 7000 / Service Control Manager
        Event Description:
        The %OWC_USBEHCD.DeviceDesc% service failed to start due to the following error:
        %%1058

        Event Record #/Type21713 / Warning
        Event Submitted/Written: 11/14/2007 00:08:44 PM
        Event ID/Source: 1007 / Dhcp
        Event Description:
        Your computer has automatically configured the IP address for the Network
        Card with network address 000244AC342B. The IP address being used is 169.254.232.177.



        -- End of Deckard's System Scanner: finished at 2007-11-14 22:21:12
      • Trogan London, UK
        edited November 2007
        Hi,

        The DSS log is clean. I would like you to run one more scan please.

        Please download ComboFix to your Desktop.
        • Double click on Combofix.exe & follow the prompts.
        • When the scan has finished, it shall produce a log for you. Post that log in your next reply.
        Note:
        Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
      • edited November 2007
        Trogan,

        Below you will find the combofix log.

        ComboFix 07-11-08.1 - Rkiller 11/16/2007 15:23:41.2 - FAT32x86
        Running from: C:\Documents and Settings\Rkiller\Desktop\ComboFix.exe
        .

        ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        ---- Previous Run
        .
        C:\DOCUME~1\Rkiller\APPLIC~1\install.dat
        C:\DOCUME~1\Rkiller\Desktop\internet.lnk

        .
        ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

        .
        \LEGACY_IPRIP
        \LEGACY_NWSAPAGENT
        \Iprip
        \NwSapAgent




        ((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
        .

        No new files created in this timespan

        .
        (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2007-11-09 08:17 d-----w C:\Documents and Settings\Pap en Mam\Application Data\Grisoft
        2007-11-08 20:56 d-----w C:\Documents and Settings\Rkiller_2\Application Data\Comodo
        2007-11-08 19:02 d-----w C:\Documents and Settings\All Users\Application Data\Comodo
        2007-11-08 19:02 d-----w C:\DOCUME~1\Rkiller\APPLIC~1\Comodo
        2007-11-08 17:15 d-----w C:\Documents and Settings\Rkiller_2\Application Data\Grisoft
        2007-11-08 07:54 d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
        2007-11-08 07:47 d-----w C:\Program Files\Common Files\Java
        2007-11-06 20:00 d-----w C:\Documents and Settings\All Users\Application Data\TEMP
        2007-11-04 11:38 d-----w C:\Program Files\HyperCam
        2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
        2007-10-16 07:26 d-----w C:\Program Files\LimeWire
        2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
        2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
        2007-08-22 13:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
        2007-08-22 13:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
        2007-08-22 13:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
        2007-08-22 13:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
        2007-08-22 13:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
        2007-08-22 13:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
        2007-08-22 13:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
        2007-08-22 13:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
        2007-08-22 13:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
        2007-08-22 13:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
        2007-08-22 13:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
        2007-08-22 13:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
        2007-08-22 13:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
        2007-08-22 13:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
        2007-08-22 13:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
        2007-08-22 13:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
        2007-08-22 13:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
        2007-08-22 13:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
        2007-08-21 11:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
        2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
        2007-08-21 07:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
        2005-10-04 16:32 10,340 ---ha-w C:\Documents and Settings\All Users\Application Data\index0.dat
        2002-08-20 19:01 266 --sh--w C:\Program Files\desktop.ini
        2002-08-20 19:01 11,079 ---h--w C:\Program Files\folder.htt
        2001-09-28 16:00 164,864 ------w C:\Program Files\UNWISE.EXE
        1994-11-18 00:00 51,712 ----a-w C:\Program Files\SKEOLE2P.DLL
        .

        ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SoundMan"="SOUNDMAN.EXE" [01/07/2003 03:09 AM C:\WINDOWS\SOUNDMAN.EXE]
        "NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 02:50 AM]
        "Net-It Launcher"="C:\WINDOWS\System32\NILaunch.exe" [02/05/1998 12:16 PM]
        "S3TRAY2"="S3tray2.exe" [12/16/2001 11:09 PM C:\WINDOWS\system32\S3tray2.exe]
        "NVIDIA nForce APU1 Utilities"="NVATray.exe" [06/17/2002 11:25 PM C:\WINDOWS\system32\NVATray.exe]
        "NvCplDaemon"="NvQTwk" []
        "nwiz"="nwiz.exe" [08/30/2002 02:06 PM C:\WINDOWS\system32\nwiz.exe]
        "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
        "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/07/2006 06:39 PM]
        "BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 02:56 PM C:\WINDOWS\system32\bthprops.cpl]
        "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
        "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
        "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [03/18/2005 12:40 PM]
        "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [03/18/2005 12:53 PM]
        "SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [01/26/2005 06:02 PM]
        "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [05/17/2005 05:42 PM]
        "ToniArts EasyComm"="C:\Program Files\ToniArts\EasyComm\EasyComm.exe" []
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
        "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 12:06 PM]

        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        "Authentication Packages"= msv1_0 nwprovau

        .
        Contents of the 'Scheduled Tasks' folder
        "2005-08-15 03:55:44 C:\WINDOWS\Tasks\WinampSwitch settings.job"
        - C:\WINDOWS\system32\rundll32.exe
        "2007-09-27 20:09:02 C:\WINDOWS\Tasks\Solitaire.job"
        - C:\WINDOWS\system32\sol.exe
        "2007-11-16 13:15:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
        - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
        .
        **************************************************************************

        catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2007-11-16 15:27:04
        Windows 5.1.2600 Service Pack 2 FAT NTAPI

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        Completion time: 11/16/2007 15:28:19
        .
        --- E O F ---
      • Trogan London, UK
        edited November 2007
        Hi nzwemstra,

        Nothing malicious in that log either.

        Can you try once more to remove the following entries in HijackThis please

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R3 - Default URLSearchHook is missing


        Post a new HijackThis afterwards please.

        Also, let me know if Safe Mode is working.
      • edited November 2007
        New HijackThis log, entries are still there. Maybe a WGA thing?

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 8:48:53 AM, on 11/19/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\brsvc01a.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\brss01a.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
        C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
        O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
        O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
        O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
        O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
        O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
        O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
        O4 - HKLM\..\Run: [ToniArts EasyComm] "C:\Program Files\ToniArts\EasyComm\EasyComm.exe" -s
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
        O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
        O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - http://download.007guard.com/msnnames/msnnames.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124313467514
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128450247374
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

        --
        End of file - 6756 bytes
      • Trogan London, UK
        edited November 2007
        Hi,

        Still unsure what's causing the entries to stay, however, the logs are clean. I wouldn't worry about them too much. How is the computer in general?
      • edited November 2007
        Hi Trogan,

        Strange things keep happening to that computer. For example, since yesterday the XP welcome screen disappeared and the standard old interface (username + password dialog box) is now the method to log in. I checked the control panel, and I can turn it on or off just as many times as I want, nothing happens. It looks like somebody is taking over that pc slowly, step by step...

        Maybe the Microsoft WGA disables a Windows function after a set time period if you don't get the genuine software. The strangest thing is that on another user account on that pc, the user is still able to change background etc. So maybe a hacker is slowly taking over - although I wouldn't know what's so interesting about that pc...
      • Trogan London, UK
        edited November 2007
        The PC is clean of malware, so it would be unlikely that someone is "hacking" into it. I don't have an answer regarding the other problem, sorry.
      • edited November 2007
        Okay, thank you so much for your help! The worst thing was the makemesearch page, which is not there anymore. I'll just recommend buying a new copy of windows...

        Cheers!
      • Trogan London, UK
        edited November 2007
        You're welcome!