Hijackthis for friend

lunchboxx

New Member
Yeah, he's in a real crap shoot. It's taken like all his admin privileges, so here it is, and he's also getting a lot of adware.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\kkypuwdA.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\qsdsregq.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\kkypuwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lwintrdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\DOCUME~1\JANEBA~1\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://usseek.com/qwickconnect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Runescape\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] "C:\Program Files\McAfee.com\Agent\mcagent.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\retadpu1000106.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [kkypuwdA] C:\WINDOWS\kkypuwdA.exe
O4 - HKLM\..\Run: [{08-8A-A1-1E-ZN}] "C:\windows\system32\qsdsregq.exe" SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwintrdt.exe SKY009
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Veoh] "C:\Runescape\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinPop] "C:\Program Files\WinPop\winpop.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwintrdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147555793296
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kkypuwd.exe

Thanks
 

Crimsonite

New Member
First open Add/Remove Programs. Remove the following programs if they're showing:
WinPop
Matcash (or Matcash.com)
ZenoSearch
FunWebProducts/FunBuddyIcons
Nucleus
Net Agent



You have a Trojan-Downloader.Matcash and several adwares including a possible worm. Please carefully follow the steps below in Safe Mode:

Ctrl+Alt+Del to bring up TaskManager. Find the Processes below and right-click on each one to "End Process Tree":
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\kkypuwdA.exe
C:\windows\system32\qsdsregq.exe
C:\Program Files\WinPop\winpop.exe
C:\WINDOWS\kkypuwd.exe
C:\WINDOWS\system32\lwintrdt.exe
C:\WINDOWS\system32\wscript.exe



Open HJT and close all other windows, then check the below entries and fix:
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\kkypuwdA.exe
C:\windows\system32\qsdsregq.exe
C:\Program Files\WinPop\winpop.exe
C:\WINDOWS\kkypuwd.exe
C:\WINDOWS\system32\lwintrdt.exe
C:\WINDOWS\system32\wscript.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://usseek.com/qwickconnect
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\retadpu1000106.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [kkypuwdA] C:\WINDOWS\kkypuwdA.exe
O4 - HKLM\..\Run: [{08-8A-A1-1E-ZN}] "C:\windows\system32\qsdsregq.exe" SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwintrdt.exe SKY009
O4 - HKCU\..\Run: [WinPop] "C:\Program Files\WinPop\winpop.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\lwintrdt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kkypuwd.exe

Close HJT.



Open this folder and look for ActiveX Control entries that contain the following URLs/strings and delete them by right-clicking and choosing Delete:
http://ak.exe.imgfarm.com/
http://awbeta.net-nucleus.com/




Open Notepad and copy all of the following text in bold blue to it:

Files to delete:
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\kkypuwdA.exe
C:\windows\system32\qsdsregq.exe
C:\WINDOWS\system32\lwintrdt.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\SYSTEM32\dwdsregt.exe
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\kkypuwd.exe

Folders to delete:
C:\WINDOWS\IA\
C:\Program Files\WinPop\
C:\Program Files\Matcash\
C:\Program Files\Net Agent\
C:\Program Files\ZenoSearch\
C:\Program Files\Nucleus\
C:\Program Files\Awbeta\

Keep the notepad open. Now go here to download The Avenger http://swandog46.geekstogo.com/avenger.zip, save it to your desktop and then unzip to your desktop.

Instructions:
1) Double-click Avenger's icon to open the program.
2) Under "Script file to execute", click "Input Script Manually".
3) Click on the Magnifying Glass icon, which will open up a new window called "View/Edit Script".
4) Then copy and paste the text that you just copied to the notepad earlier into this window and click Done.
5) Now click on the Green Light to begin execution of the script.
6) Click "Yes" twice when prompted.


Now Avenger will automatically do the following:
* Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
* On reboot, it briefly opens a black command window on your desktop; this is normal.
* After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

When this is done, copy&paste the Avenger log here along with a fresh HJT log. Please make sure you copy paste the ENTIRE text body of the logs.
 

nick_koolkid

New Member
This is the person that he is talking about up there with that giant with the HijackThis, and I'm having problems connecting to Safe Mode.
 

Crimsonite

New Member
What happened when you tried to boot into Safe Mode? Can you describe the problems?

Try "Safe Mode without Networking".
 

nick_koolkid

New Member
It showed a bunch of coding, then it just froze, always at the same spot. I followed your directions without using Safe Mode, is this OK?
 

Crimsonite

New Member
C:\WINDOWS\kkypuwdA.exe
C:\WINDOWS\kkypuwdW.exe

are keyloggers, but I doubt they were there to steal your passwords...still, just to be safe, you should change all of your passwords to something stronger.

I'm not sure how these malwares will react to those methods of removal in Normal Boot... But if you killed the processes first and then ran Avenger using the script, it should be able to delete the files... I hope.


Here, do this now:
Control Panel-->Folder Options-->View, check "Show hidden files and folders" then untick "Hide Protected System files" and "Hide known file extensions".

Open the folder C:\Documents and Settings\Your user profile name\Local Settings\Temp

Delete everything in there. If, by any chance, there are files that can't be deleted, please write them down in your reply here. Also, did you get the logs for Avenger and HijackThis? Please copy and paste them here as well. Put each log in its own separate reply post.
 

Crimsonite

New Member
Btw, you should remove Yahoo Companion and all other toolbars for now. There are some bad strings in your registry that seem to be from Yahoo Companion but should not exist. So is the ZeroBar. So I'd suggest you remove those first for now. Later, after everything is cleaned and if you really need to use it, you can always download a fresh copy and install it then.
 

nick_koolkid

New Member
I've had SUPERAntiSpyware for a while and I've been running it throughout today. Thanks for the other 2 scans. Should I post an updated HJT log?
 

nick_koolkid

New Member
Logfile of HijackThis v1.99.1
Scan saved at 7:58:24 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\DOCUME~1\JANEBA~1\LOCALS~1\Temp\Rar$EX08.203\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Runescape\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] "C:\Program Files\McAfee.com\Agent\mcagent.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Veoh] "C:\Runescape\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147555793296
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

This is an updated log.
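An added example, not part of any post in this thread: one way to check a fresh HijackThis log against the first log and the helper's fix list, so that entries which survived the cleanup stand out. The sample strings are excerpts of lines from the logs above; the function names and result keys are assumptions made for this sketch.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map a normalised key to the original line for each entry in a log.
    Header lines and running-process paths do not match and are skipped."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            # Forum re-wrapping adds spaces, and the two scans differ in quoting
            # and case, so compare without whitespace, quotes or case.
            key = (m.group(1), re.sub(r'[\s"]+', "", m.group(2)).lower())
            entries[key] = line
    return entries

def verify_cleanup(before, after, fix_list):
    """Compare the first scan, the fresh scan and the entries chosen for fixing."""
    b, a, f = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "removed": sorted(f[k] for k in f if k not in a),
        "still_present": sorted(a[k] for k in f if k in a),
        "unmatched_fix": sorted(f[k] for k in f if k not in b),
        "new_since_first_scan": sorted(a[k] for k in a if k not in b),
        "file_missing": sorted(v for v in a.values()
                               if v.lower().endswith("(file missing)")),
    }

# Excerpts from the first log in this thread.
BEFORE = r"""
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Runescape\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [kkypuwdA] C:\WINDOWS\kkypuwdA.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [WinPop] "C:\Program Files\WinPop\winpop.exe"
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""
# Excerpts from the updated log (the SpySweeper line is unquoted there).
AFTER = r"""
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Runescape\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"""
# Excerpts from the helper's list of entries to fix.
FIX_LIST = r"""
O4 - HKLM\..\Run: [kkypuwdA] C:\WINDOWS\kkypuwdA.exe
O4 - HKCU\..\Run: [WinPop] "C:\Program Files\WinPop\winpop.exe"
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""

if __name__ == "__main__":
    for label, lines in verify_cleanup(BEFORE, AFTER, FIX_LIST).items():
        print(label, *lines, sep="\n  ")
```

A gone registry entry only shows the autostart was removed; the file on disk still has to be confirmed deleted, which is what the Avenger log is for.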
 

Crimsonite

New Member
Are you using this to search? If not, then delete it in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/


Also, did you install this toolbar?
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Runescape\Plugins\reg\VeohToolbar.dll (file missing)


Complete the Kaspersky Online Scan to make sure there's nothing left.
 

Crimsonite

New Member
If the scan results return clean, I would recommend the following two little programs for perma-protection:

Spyware/Adware: SpywareBlaster by JavaCool http://www.javacoolsoftware.com/sbdownload.html
Do not confuse "SpyBlaster" with this. SpyBlaster is a "Rogue-AntiSpyware" which is really a spyware.

Virus/Trojans/Worms: Active Virus Shield by Kaspersky for AOL http://www.activevirusshield.com/antivirus/freeav/index.adp?
Follow the steps on the site. You will have to enter a valid email in order to receive your free product serial number. This is rated #2 at 99.1% (detection strength).
 