HELP! Parent's PC is riddled

Discussion in 'Windows - Virus and spyware problems' started by wforster, Oct 1, 2006.

  1. wforster

    wforster Member

    Joined:
    Apr 8, 2006
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    11
I took a look at my parents' PC, which has NO firewall. I have temporarily installed ZoneAlarm (it's free). Can anyone take a look at the HijackThis log and let me know what I need to do?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:03:09, on 01/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\RXhwb2ZyZWlnaHQgVXNlcg\command.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\dfndrff_e19.exe
    C:\kybrdff_e19.exe
    C:\WINNT\v1201.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\{187B1DF0-03A2-2057-0122-02010925002c}\Update.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hj\HijackThis.exe
    C:\WINNT\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar1.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [vld21e6c] RUNDLL32.EXE w0507b4c.dll,n 00521e670000000a0507b4c
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
    O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37300.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://www.x0.nl/install2/dialxs.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXhwb2ZyZWlnaHQgVXNlcg\command.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
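Several of the bad entries in this log can be spotted mechanically. As an added example (not part of the thread and not HijackThis code), here is a small Python triage script that parses the O4, O10 and O23 lines and applies the checks an analyst would otherwise apply by eye: autorun executables sitting in the drive root (dfndrff_e19.exe, kybrdff_e19.exe), rundll32 loading a DLL with no path, Run values named after a system DLL (the two [ntdll.dll] entries), any O10 Winsock LSP entry, services with no publisher, and path components that are base64 text (the cmdService directory RXhwb2ZyZWlnaHQgVXNlcg decodes to "Expofreight User", matching the O17 domain). The sample lines are a subset copied from the log above; the heuristics and their thresholds are my own assumptions, not a vendor signature set.

```python
"""Heuristic triage of HijackThis O4/O10/O23 lines (added example, not HijackThis code)."""
import base64
import re

# Constructed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [vld21e6c] RUNDLL32.EXE w0507b4c.dll,n 00521e670000000a0507b4c
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Hijacked Internet access by New.Net
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXhwb2ZyZWlnaHQgVXNlcg\command.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# "C:\foo.exe" or "C:\\foo.exe": an executable directly in the drive root.
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\+[^\\\s"]+\.exe\b', re.I)
# rundll32 followed by a DLL name that carries no directory at all.
BARE_DLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+([^\\\s,]+\.dll)", re.I)
# Heuristic threshold (assumption): 16+ base64-alphabet characters, no dot.
B64_COMPONENT_RE = re.compile(r"^[A-Za-z0-9+/]{16,}$")


def decode_base64_dir(component):
    """Return the decoded text if a path component is base64 of printable ASCII, else None."""
    if not B64_COMPONENT_RE.match(component):
        return None
    padded = component + "=" * (-len(component) % 4)  # exports often drop the padding
    try:
        data = base64.b64decode(padded)
    except ValueError:
        return None
    if data and all(32 <= b < 127 for b in data):
        return data.decode("ascii")
    return None


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip('"')
            if ROOT_EXE_RE.match(cmd):
                findings.append((line, "autorun executable sitting in the drive root"))
            if BARE_DLL_RE.match(cmd):
                findings.append((line, "rundll32 loading a DLL with no path"))
            if name.lower().endswith(".dll"):
                findings.append((line, "Run value named after a DLL"))
            continue
        if line.startswith("O10 - "):
            findings.append((line, "Winsock LSP chain modified"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append((line, "service with no publisher"))
            for component in m.group("path").split("\\"):
                decoded = decode_base64_dir(component)
                if decoded:
                    findings.append((line, f"path component is base64 for {decoded!r}"))
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"{why}: {hit}")
```

Run against the sample it reports seven findings; the NAV Agent and vsmon lines, which are legitimate, pass every check. The "Unknown owner" check is deliberately noisy (some hardware vendors ship unsigned services), so treat it as a prompt to look up the file rather than a verdict.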
     
  2. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Hello wforster,

    There are many bad entries in your log. First, let's get rid of the hijacked internet.

Go here and download LSPFix to your desktop. You may not need it, but just in case.

Go here and follow the directions for Procedure 4.
If you lose your internet connection after that, run LSPFix. Otherwise, you can delete it.

    Then, go here to download the trial version of Ewido Anti-spyware.

    Install and update.
Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from the menu and press Enter).
Open Ewido and click "Scanner".
    Click "Complete System Scan".
    When it finishes scanning, set all items to "Quarantine".
    Click "Apply All Actions".
    Click "Save Report".
    Click "Save report as" and save it to the desktop.

    Post back with the Ewido report and a new HijackThis log.
     
  3. wforster

    wforster Member

    Thanks Niobis.
Couldn't run NewDotNet as the laptop they have doesn't have a floppy drive or CD burner. Any other suggestions, please? I have done everything else though.

I have tried running HijackThis but it crashes every time I want to save the log. I can run it, but it's only when I select "Save log file".

Scan report from Ewido follows...
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 19:22:35 02/10/2006

    + Scan result:



    C:\Documents and Settings\forsters\Local Settings\Temp\bw2.com -> Adware.AdURL : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\8D6RW5AN\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup (quarantined).
    C:\WINNT\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\{187B1DF0-03A2-2057-0122-02010925002c}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\Program Files\MediaLoads\v1\ML.exe -> Adware.DownloadWare : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced -> Adware.Downloadware : Cleaned with backup (quarantined).
    C:\WINNT\system\Update_Hosts.DLL -> Adware.IGetNet : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temp\temp.fr6D34 -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\FOUND.001\FILE0000.CHK -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\FOUND.001\FILE0003.CHK -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\MSC71.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\cemsnap.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\en64l1jq1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\fp0u03d9e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\fp6s03j7e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\jt2607fse.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\mziqtz32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\system32\tWembed.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall4_80.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall4_88.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall4_94.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall5_40.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall5_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall5_64.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall6_10.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall6_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\Program Files\Deskbar\deskbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\49I3CXIB\aws[1].zip/aw2.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\aws32.exe/aw2.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\WINNT\system32\mljghhi.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\WINNT\system32\bsxsys.dll -> Backdoor.IRCBot.wv : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\8L41YNGP\loader[1].exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\49I3CXIB\aws[1].zip/aw1.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\aw1.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\aws32.exe/aw1.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\01C56F49\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\Program Files\InetGet2\MTE3MTk6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\8D6RW5AN\ErrorSafeNewReleaseInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\KH670X6R\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temporary Internet Files\Content.IE5\W5SHURS9\SysProtectScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Local Settings\Temp\temp.fr9750 -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@112.2o7[3].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@ads15.hyperbanner[1].txt -> TrackingCookie.Hyperbanner : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\forsters\Cookies\forsters@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


    ::Report end

     
  4. wforster

    wforster Member

Sorry, worked it out... HJT log follows:
    Logfile of HijackThis v1.99.1
    Scan saved at 20:13:30, on 02/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\dfndrff_e19.exe
    C:\kybrdff_e19.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\hj\HijackThis.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINNT\system32\HPZipm12.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37300.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

     
  5. Niobis

    Niobis Active member

    Ahh, where did L2M come from? It wasn't in the log. Hopefully, that was all of it.

    http://www.atribune.org/downloads/l2mfix.exe

*Save the file to your desktop and double click l2mfix.exe.

*Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

*Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter.

    This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
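What L2MFix's Find Log prints under "Winlogon/notify" is a registry export of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, the hook Look2Me uses to have winlogon load its DLL at every logon. As an added example that is neither part of the thread nor L2MFix code, here is a Python parser for that export format (the same shape wforster's log later in the thread shows) that lists each Notify subkey's DllName and flags DLLs that are not on an allowlist or have random-looking names. The allowlist of default Notify DLL filenames and the "random-looking" threshold are assumptions of mine; the sample dump reuses the two Notify subkeys from wforster's log and adds one constructed legitimate entry (crypt32chain) to show a clean result.

```python
"""Parse the Winlogon\\Notify section of an L2MFix-style registry dump and flag
suspect Notify DLLs (added example, not L2MFix code)."""
import re
from pathlib import PureWindowsPath

# Constructed input: the two Notify subkeys from the L2MFix log in this thread
# plus one made-up legitimate entry (crypt32chain) to show a pass.
SAMPLE_DUMP = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i2060cdsef060.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tusss]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINNT\\system32\\tusss.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')
# Assumption: filenames of the stock Windows 2000/XP Notify DLLs. Maintain this
# list from a known-clean machine of the same build before trusting it.
DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def parse_reg_value(raw):
    """Decode a .reg value: dword:xxxxxxxx -> int, "text" -> unescaped str, else raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # \\ -> \ and \" -> "
    return raw


def parse_notify(dump):
    """Return {subkey: {value name: value}} for every Notify\\<subkey> in the dump."""
    entries, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    for line in dump.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            path = km.group("path")
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            if current is not None:
                entries[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            entries[current][vm.group("name")] = parse_reg_value(vm.group("raw"))
    return entries


def looks_random(stem):
    """Heuristic (assumption): four or more alternating letter/digit runs, e.g. i2060cdsef060."""
    return len(re.findall(r"[a-z]+|[0-9]+", stem.lower())) >= 4


def suspicious_notify(entries, allowlist=DEFAULT_NOTIFY_DLLS):
    """Return (subkey, DllName, reasons) for entries whose DLL is not known-good."""
    findings = []
    for subkey, values in entries.items():
        dll = values.get("DllName")
        if not dll:
            continue
        path = PureWindowsPath(dll)
        reasons = []
        if path.name.lower() not in allowlist:
            reasons.append("DllName not on the allowlist")
        if looks_random(path.stem):
            reasons.append("random-looking filename")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in suspicious_notify(parse_notify(SAMPLE_DUMP)):
        print(f"{subkey}: {dll} ({', '.join(reasons)})")
```

On the sample it reports NetCache (off-list and random-looking) and tusss (off-list), and passes crypt32chain. Note that the subkey name alone proves nothing: "NetCache" sounds like a Windows component, which is exactly why the check keys on the DLL filename rather than the subkey.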
     
  6. wforster

    wforster Member

OK, here goes...

    L2MFIX find log 032106

    These are the registry keys present

    **********************************************************************************

    Winlogon/notify:

    Windows Registry Editor Version 5.00



    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]



    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]

    "Asynchronous"=dword:00000000

    "DllName"="C:\\WINNT\\system32\\i2060cdsef060.dll"

    "Impersonate"=dword:00000000

    "Logon"="WinLogon"

    "Logoff"="WinLogoff"

    "Shutdown"="WinShutdown"



    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tusss]

    "Asynchronous"=dword:00000001

    "DllName"="C:\\WINNT\\system32\\tusss.dll"

    "Impersonate"=dword:00000000

    "Startup"="SysLogon"

    "Logoff"="SysLogoff"



    **********************************************************************************

    useragent:

    Windows Registry Editor Version 5.00



    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    "{6B4278BA-5A75-CCD7-644A-207793F372B3}"=""



    **********************************************************************************

    Shell Extension key:

    Windows Registry Editor Version 5.00



    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"

    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"

    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"

    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"

    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"

    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"

    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"

    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"

    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"

    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"

    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"

    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"

    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"

    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"

    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"

    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"

    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"

    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"

    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"

    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"

    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"

    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"

    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"

    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"

    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"

    "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"

    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"

    "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"

    "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"

    "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"

    "{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"

    "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"

    "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"

    "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"

    "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"

    "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"

    "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"

    "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"

    "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"

    "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"

    "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"

    "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"

    "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"

    "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"

    "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"

    "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"

    "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"

    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"

    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"

    "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"

    "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"

    "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"

    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"

    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"

    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"

    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"

    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"

    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"

    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"

    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"

    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"

    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"

    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"

    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"

    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"

    "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"

    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"

    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"

    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"

    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"

    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"

    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"

    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"

    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"

    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"

    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"

    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"

    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"

    "{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"

    "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"

    "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"

    "{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"

    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"

    "{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"

    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"

    "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"

    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

    "{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"

    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"

    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"

    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"

    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"

    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"

    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."

    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="ShimLayer Property Page"

    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"

    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"

    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

    "{A58686ED-FC46-44C3-95C6-4A812AB776F1}"="NetFerret IE Toolbar"

    "{fe7634c0-f7b3-11cf-b9b4-444553540000}"="NetFerret"

    "{E0D79300-84BE-11CE-9641-444553540000}"="WinZip"

    "{E0D79301-84BE-11CE-9641-444553540000}"="WinZip"

    "{E0D79302-84BE-11CE-9641-444553540000}"="WinZip"

    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"

    "{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"

    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"

    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"

    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

    "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"

    "{A2569D1F-4E06-43EC-9825-0088B471BE47}"="IntelliType Pro Wireless Control Panel Property Page"

    "{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}"="IntelliType Pro Scrolling Control Panel Property Page"

    "{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}"="IntelliType Pro Key Settings Control Panel Property Page"

    "{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"

    "{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"

    "{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"

    "{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"

    "{698EB18C-DFF8-4851-BA92-9885E57E229E}"=""



    **********************************************************************************

    HKEY ROOT CLASSIDS:

    Windows Registry Editor Version 5.00



    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}]

    @=""



    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}\Implemented Categories]

    @=""



    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

    @=""



    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}\InprocServer32]

    @="C:\\WINNT\\system32\\aqtiveds.dll"

    "ThreadingModel"="Apartment"



    **********************************************************************************

    Files Found are not all bad files:



    C:\WINNT\SYSTEM32\

    spmsg.dll Wed 13 Sep 2006 14:23:26 ..... 13,536 13.22 K

    dhdkndyl.dll Mon 2 Oct 2006 18:22:42 A.... 86,068 84.05 K

    netapi32.dll Fri 14 Jul 2006 14:55:00 A.... 309,520 302.27 K

    mmcndmgr.dll Tue 25 Jul 2006 6:08:32 A.... 840,976 821.27 K

    dnsapi.dll Thu 6 Jul 2006 12:45:32 A.... 137,488 134.27 K

    dnsrslvr.dll Thu 6 Jul 2006 12:45:32 A.... 96,528 94.27 K

    rasadhlp.dll Thu 6 Jul 2006 12:45:32 A.... 7,440 7.27 K

    urlmon.dll Wed 30 Aug 2006 20:42:56 A.... 461,824 451.00 K

    hlink.dll Fri 21 Jul 2006 16:08:54 A.... 72,704 71.00 K

    shell32.dll Thu 13 Jul 2006 8:09:24 A.... 2,362,640 2.25 M

    tusss.dll Sat 30 Sep 2006 15:39:00 ..SH. 577,588 564.05 K

    mjlocolb.dll Sat 30 Sep 2006 15:39:44 A.... 45,525 44.46 K

    yrqurnvv.dll Sat 30 Sep 2006 15:39:38 A.... 86,068 84.05 K

    vsutil.dll Wed 23 Aug 2006 23:38:04 A.... 440,312 429.99 K

    fskdrv.dll Sun 1 Oct 2006 10:56:20 ..SH. 23,648 23.09 K

    vsdata.dll Wed 23 Aug 2006 23:37:58 A.... 83,960 81.99 K

    vsregexp.dll Wed 23 Aug 2006 23:38:02 A.... 71,672 69.99 K

    vsmonapi.dll Wed 23 Aug 2006 23:38:00 A.... 104,440 101.99 K

    vspubapi.dll Wed 23 Aug 2006 23:38:02 A.... 268,280 261.99 K

    vsinit.dll Wed 23 Aug 2006 23:38:00 A.... 157,688 153.99 K

    zlcommdb.dll Wed 23 Aug 2006 23:38:06 A.... 71,672 69.99 K

    vsxml.dll Wed 23 Aug 2006 23:38:04 A.... 100,344 97.99 K

    vswmi.dll Wed 23 Aug 2006 23:38:04 A.... 59,384 57.99 K

    zlcomm.dll Wed 23 Aug 2006 23:38:06 A.... 83,960 81.99 K

    libeay~1.dll Wed 23 Aug 2006 23:37:52 A.... 796,584 777.91 K



    25 items found: 25 files (2 H/S), 0 directories.

    Total of file sizes: 7,359,849 bytes 7.02 M

    Locate .tmp files:



    C:\WINNT\SYSTEM32\

    mcrh.tmp Sun 1 Oct 2006 15:27:32 A.... 143 0.14 K



    1 item found: 1 file, 0 directories.

    Total of file sizes: 143 bytes 0.14 K

    **********************************************************************************

    Directory Listing of system files:

    Volume in drive C is COMPAQ

    Volume Serial Number is 187B-1DF0



    Directory of C:\WINNT\System32



    02/10/2006 22:11 675,652 sssut.ini

    02/10/2006 18:22 683,067 sssut.bak2

    01/10/2006 10:56 23,648 fskdrv.dll

    30/09/2006 15:39 668,557 sssut.bak1

    30/09/2006 15:39 577,588 tusss.dll

    29/01/2002 23:05 <DIR> dllcache

    5 File(s) 2,628,512 bytes

    1 Dir(s) 2,493,243,392 bytes free

  7. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Yeah, there's more L2M. Plus some Vundo. Let's get rid of L2M first.

    Close any programs you have open.

    *From the l2mfix folder on your desktop.
    *Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.
    *After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Save the contents of that log and paste it back into this thread.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

    Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run "second.bat", located inside the L2mfix folder.

    -----------
    If no problems during L2Mfix, continue with VundoFix.

    Download VundoFix to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Please post the contents of C:\vundofix.txt.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Post all three: the L2Mfix log, the VundoFix log and a new HijackThis log.
    Last edited: Oct 2, 2006
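The Winlogon Notify export in the L2MFix log above is where the Look2Me (L2M) entries show themselves: Microsoft's own packages (crypt32chain, cscdll, SensLogn and so on) name a bare DLL that Winlogon loads from system32, while the NetCache and tusss entries load a DLL by full path with a generated file name. The following Python script is an added example, not part of L2MFix, HijackThis or anything posted in this thread. It parses a REGEDIT5 export of the Notify key, including the hex(2) (REG_EXPAND_SZ, UTF-16LE) form of DllName that regedit wraps across lines, and flags packages that are off a baseline or load by absolute path. The baseline set and the trimmed sample export (copied from the posting above) are assumptions of this example.

```python
"""Triage a REGEDIT5 export of the Winlogon Notify key (added example).

Not part of L2MFix or of this thread. BASELINE_PACKAGES is an assumption
drawn from the clean entries in the posted Windows 2000 SP4 export, and
SAMPLE_EXPORT is a trimmed copy of that posting used as constructed input.
"""
import re

# Notify packages expected on a clean Windows 2000 SP4 box (assumption).
BASELINE_PACKAGES = {"crypt32chain", "cryptnet", "cscdll",
                     "sclgntfy", "senslogn", "wzcnotif"}

# Constructed sample: trimmed copy of the export posted in this thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i2060cdsef060.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tusss]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINNT\\system32\\tusss.dll"
"Startup"="SysLogon"
"Logoff"="SysLogoff"
'''


def _join_continuations(text):
    """Re-join value lines that regedit wrapped with a trailing backslash."""
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    return logical


def _decode_value(raw):
    """Decode the right-hand side of a .reg line into a Python string."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):            # REG_SZ
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw)                      # REG_EXPAND_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                                # dword etc. kept raw


def parse_notify_export(text):
    """Return {package: {value_name_lowercase: value}} for every Notify subkey."""
    packages, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            current = leaf if parent.lower().endswith("\\winlogon\\notify") else None
            if current is not None:
                packages[current] = {}
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, value = line.partition("=")
        packages[current][name.strip('"').lower()] = _decode_value(value)
    return packages


def suspicious_packages(packages, baseline=BASELINE_PACKAGES):
    """Flag packages off the baseline or loading their DLL by absolute path.

    Microsoft's packages name a bare DLL found in system32; the Look2Me
    entries in the posted log point at a full path to a random DLL name.
    """
    findings = []
    for name, values in packages.items():
        dll = values.get("dllname", "")
        reasons = []
        if name.lower() not in baseline:
            reasons.append("not a baseline notify package")
        if re.match(r"^[A-Za-z]:\\", dll):
            reasons.append("DllName is an absolute path: " + dll)
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_packages(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample it reports NetCache and tusss and nothing else; the same parser can be pointed at the full export saved from L2MFix (or at `regedit /e` output on another machine) to check what the Notify key holds after a fix.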
  8. wforster

    wforster Member

    Joined:
    Apr 8, 2006
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    11
    I've kind of run out of time with their PC for now. They are leaving now and I won't see the laptop for weeks.

    I have done the L2MFix and the new HijackThis log. Thanks for your help though.

    L2MFix log as follows:

    L2mfix 032106
    Creating Account.
    The command completed successfully.


    Adding Administrative privleges.
    The command completed successfully.

    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINNT\system32

    Killing Processes!

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 148 'smss.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 192 'winlogon.exe'
    Killing PID 192 'winlogon.exe'
    Error 0x5 : Access is denied.


    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 860 'explorer.exe'
    Killing PID 860 'explorer.exe'
    Error 0x5 : Access is denied.


    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Error, Cannot find a process with an image name of rundll32.exe
    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Desktop.ini sucessfully removed




    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\i2060cdsef060.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tusss]
    "Asynchronous"=dword:00000001
    "DllName"="C:\\WINNT\\system32\\tusss.dll"
    "Impersonate"=dword:00000000
    "Startup"="SysLogon"
    "Logoff"="SysLogoff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    The following are the files found:
    ****************************************************************************

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}\InprocServer32]
    @="C:\\WINNT\\system32\\aqtiveds.dll"
    "ThreadingModel"="Apartment"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{698EB18C-DFF8-4851-BA92-9885E57E229E}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{698EB18C-DFF8-4851-BA92-9885E57E229E}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    adding: backregs/notibac.reg (deflated 74%)
    adding: backregs/shell.reg (deflated 75%)
    adding: backregs/698EB18C-DFF8-4851-BA92-9885E57E229E.reg (deflated 70%)

    HJT log follows:-
    Logfile of HijackThis v1.99.1
    Scan saved at 23:06:11, on 02/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\realevent.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\dfndrff_e19.exe
    C:\kybrdff_e19.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hj\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37300.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = HQ.expofreight.net
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
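The O4 and O23 lines of the log above carry the signs Niobis is reacting to: two autostarts launched straight from the root of C:\ (dfndrff_e19.exe, kybrdff_e19.exe), a Run value named ntdll.dll that launches the same QuickTime command already registered under another name, and a service whose binary is missing. The script below is an added example, not HijackThis code or anything posted in this thread; it applies those review heuristics to HijackThis O4 and O23 lines. The heuristics are the editor's assumptions, and the sample lines are copied from the log above as constructed input.

```python
"""Triage O4 (autostart) and O23 (service) lines of a HijackThis log.

Added example, not HijackThis code. The heuristics are assumptions for
review, not verdicts; SAMPLE_LOG is a handful of lines copied from the log
posted in this thread.
"""
import re
from collections import defaultdict

# Constructed sample: lines taken from the HijackThis log above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
'''

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. C:\something.exe


def executable_of(cmd):
    """Pull the program path out of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split()[0] if cmd else ""
    return re.sub(r"\\\\+", r"\\", exe)   # HijackThis prints C:\\x.exe for C:\x.exe


def triage_hjt(text):
    """Return (line_or_command, reason) pairs for entries worth a second look."""
    findings, by_cmd = [], defaultdict(list)
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            by_cmd[m["cmd"].strip().lower()].append(m["name"])
            if DRIVE_ROOT_RE.match(exe):
                findings.append((line, "autostart binary sits in the drive root"))
            if m["name"].lower().endswith(".dll") and not exe.lower().endswith(".dll"):
                findings.append((line, "value name imitates a DLL but launches a program"))
            continue
        m = O23_RE.match(line)
        if m and ("(file missing)" in m["path"] or m["owner"] == "Unknown owner"):
            findings.append((line, "service binary missing or publisher unknown"))
    # The same command registered under several Run names is a common leftover
    # of an infection re-adding itself next to a legitimate entry.
    for cmd, names in by_cmd.items():
        if len(names) > 1:
            findings.append((cmd, "one command registered under several names: " + ", ".join(names)))
    return findings


if __name__ == "__main__":
    for item, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {item}")
```

On the sample it produces five findings, which is the short list a helper would ask about first; a clean log is still the goal, so the script is a way to read one faster, not a replacement for the fix tools the thread walks through.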

     
  9. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    That's not good. There is still more that needs to be cleaned. I wouldn't recommend this computer be connected to the internet. Please bookmark this page and come back and post a new HijackThis log when you can.

    Last edited: Oct 2, 2006
  10. wforster

    wforster Member

    Joined:
    Apr 8, 2006
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for your help to date. I will 'try' to keep them off the internet in the meantime.

    Thanks again.