Please help me!...I am losing my emails!!!


jomisos

New Member
Ok, so I am not very familiar with all this pc stuff but I do know that my PC is infected.
It started to run slow and pop ups everywhere. Then my homepage got hijacked and so forth...performance slowed down tremendously.
Now today almost one entire year of emails....GONE!!! I need those emails back!
I have run SUPERAntiSpyware and it found over 200 threats....one worm, several trojans, adware, etc. The worm is SASSER-E and one of the Trojans is Trojan.ConHook, just to give you an idea.

I just want to make sure I am not going to lose some files or pictures or more emails if I remove these threats! Please help, I have thousands of pics of my children and family on this comp- I CANNOT lose them!!!!!
What should I do? I really need step by step instructions- idiot proof. Thank you so much!
 
Although I haven't completed the scans and removals yet? Is it dangerous to post this log....regarding other users seeing what's on my pc??

Please forgive my naive questions but I really am a total dummy when it comes to this stuff.
 
Here you go. I really hope you can help me fix this disaster!! :-)


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:58:49 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn2\YTBSDK.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Karl Smith\Local Settings\Temporary Internet

Files\Content.IE5\HZ7ZD5S2\HiJackThis_v2[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =

about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP =

about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper -

{02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3481a28c-d436-4826-b98d-08ba0de4cf6a} -

C:\WINDOWS\system32\mplhci.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} -

C:\WINDOWS\system32\tmpA6.tmp.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar4.dll
O2 - BHO: (no name) - {BA95AF77-43BB-481F-EC5C-3876133557C6} -

C:\WINDOWS\System32\qhen.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -

C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe"

/server
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program

Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [{8434FAC0-0448-1033-0905-010713200001}] "C:\Program

Files\Common Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe"

te-110-12-0000213
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe

"C:\WINDOWS\wvwtro.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat

7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [qkmu] C:\PROGRA~1\COMMON~1\qkmu\qkmum.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Policies\Explorer\Run:

[{8434FAC0-0448-1033-0905-010713200001}] "C:\Program Files\Common

Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe"

te-110-12-0000213
O4 - HKUS\S-1-5-21-2690133624-2389969595-2291903390-1003\..\Run:

[MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2690133624-2389969595-2291903390-1003\..\Run:

[MoneyStartUp] C:\Program Files\Microsoft Money\System\Money

Startup.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate]

C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate]

C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List -

res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -

res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program

Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -

file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/q

t505/us/win/QuickTimeInstaller.exe
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} -

http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mplhci - C:\WINDOWS\SYSTEM32\mplhci.dll
O22 - SharedTaskScheduler: Browseui preloader -

{438755C2-A8BA-11D1-B96B-00A0C90312E1} -

C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -

{8C7461EF-2B13-11d2-BE35-3078302C2030} -

C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner -

C:\WINDOWS\Nhksrv.exe

--
End of file - 8352 bytes
 
Yeah, there are a few problems here. That log is pretty hard to read; for the next one, could you get the formatting so the second half of the entries appears on the same line? Minimizing the Notepad window should do it, thanks. :)

This'll take a few steps, and some scans, but we should be able to fix you up.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.
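
Added example (not part of the original post, and not code from HijackThis or VundoFix): a small Python helper that rejoins HijackThis entries split by editor word wrap, as in the log above, and lists the entries that are in one scan but no longer in a later one. The sample logs are constructed from lines of the log posted above; the function names and the 60-character hard-wrap threshold are assumptions of this example.

```python
import re

# A HijackThis entry line starts with a section code (R1, O4, O20, ...) and " - ".
ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Assumption: a fragment with no space that is at least this long was cut in the
# middle of a token (e.g. a long URL), so the next fragment is glued on directly.
HARD_WRAP_MIN = 60

# Constructed sample: entries from the log above, wrapped the way it was posted.
WRAPPED_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

about:blank
O2 - BHO: (no name) - {3481a28c-d436-4826-b98d-08ba0de4cf6a} -

C:\WINDOWS\system32\mplhci.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe"

/server
O8 - Extra context menu item: Easy-WebPrint Add To Print List -

res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/q

t505/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: mplhci - C:\WINDOWS\SYSTEM32\mplhci.dll

--
End of file - 8352 bytes
"""

# Constructed sample: a later scan, one entry per line, without the mplhci entries.
REJOINED_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
"""


def _join(fragments):
    """Rebuild one entry from the pieces the wrap left on separate lines."""
    text = fragments[0]
    for prev, frag in zip(fragments, fragments[1:]):
        # Word wrap breaks at a space; a long piece with no space was hard-split.
        hard_split = " " not in prev and len(prev) >= HARD_WRAP_MIN
        text += frag if hard_split else " " + frag
    return text


def unwrap_entries(log_text):
    """Return [(section, body), ...] for the entry part of a HijackThis log.

    Header lines and the "Running processes" list come before the first
    entry and are skipped; parsing stops at the "--" / "End of file" footer.
    """
    entries, fragments = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines left behind by the wrap
        if line == "--" or line.startswith("End of file"):
            break
        if ENTRY_START.match(line):
            if fragments:
                entries.append(_join(fragments))
            fragments = [line]
        elif fragments:
            fragments.append(line)  # continuation of the current entry
    if fragments:
        entries.append(_join(fragments))
    return [ENTRY_START.match(e).groups() for e in entries]


def _key(entry):
    """Comparison key: section plus body with whitespace and case normalised."""
    section, body = entry
    return section, " ".join(body.split()).lower()


def removed_entries(before_text, after_text):
    """Entries present in the earlier scan that are absent from the later one."""
    after_keys = {_key(e) for e in unwrap_entries(after_text)}
    return [e for e in unwrap_entries(before_text) if _key(e) not in after_keys]


if __name__ == "__main__":
    for section, body in unwrap_entries(WRAPPED_SAMPLE):
        print(f"{section} - {body}")
    print("\nNo longer present in the later scan:")
    for section, body in removed_entries(WRAPPED_SAMPLE, REJOINED_SAMPLE):
        print(f"{section} - {body}")
```

An entry missing from a later scan only means that scan did not report it; different HijackThis versions do not list the same sections, so the file and registry key should still be checked before treating the item as removed.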
 
VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 12:17:06 AM 4/17/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\mplhci.dll
C:\WINDOWS\system32\tmp7.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\mplhci.dll
C:\WINDOWS\SYSTEM32\mplhci.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
Logfile of HijackThis v1.99.1
Scan saved at 12:36:50 AM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn2\YTBSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Karl Smith\Local Settings\Temporary Internet Files\Content.IE5\I10J65Y5\HijackThis1991[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [{8434FAC0-0448-1033-0905-010713200001}] "C:\Program Files\Common Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvwtro.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [qkmu] C:\PROGRA~1\COMMON~1\qkmu\qkmum.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
 
That's a bonus, it took out a second problem as well! Run this scanner, it'll fix a few problems and then we'll get the rest manually (it takes a while to run).

Download, install and update AVG Antispyware.
http://downloads.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.0.50.exe

Boot into Safe Mode (tap F8 on startup) and run a full scan. When the scan finishes, select "delete" as the action and save the report.
Restart to normal mode and post a new HijackThis log, along with the AVG report.
 
I will do that! And I am not risking deleting any wanted files like pictures, emails, etc. when selecting automatic "fix" or "delete"??
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:03:21 AM 4/17/2007

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\Documents and Settings\Karl Smith\Local Settings\Temp\733c9Y.exe -> Adware.WinFetcher : Ignored.
C:\Program Files\Outlook Express\outl32c.exe -> Backdoor.Jeemp.c : Cleaned.
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1831\A0104797.exe -> Backdoor.Jeemp.c : Cleaned.
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1831\A0104787.exe -> Dialer.EgroupDial.j : Cleaned.
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1831\A0104789.exe -> Dialer.EgroupDial.j : Cleaned.
C:\counter.cab/counter.exe -> Dropper.Agent.az : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\thanks.exe -> Hijacker.Delf.ar : Cleaned.
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1831\A0104795.ini -> Logger.Tofger.ini : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Commission-junction : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@findwhat[2].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@gator[1].txt -> TrackingCookie.Gator : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Mike Amato\Local Settings\Temp\Cookies\mike amato@x10[2].txt -> TrackingCookie.X10 : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Mike Amato\Cookies\mike amato@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end
 
Logfile of HijackThis v1.99.1
Scan saved at 2:21:22 AM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn2\YTBSDK.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike Amato\Local Settings\Temporary Internet Files\Content.IE5\I10J65Y5\HijackThis1991[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [{8434FAC0-0448-1033-0905-010713200001}] "C:\Program Files\Common Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [qkmu] C:\PROGRA~1\COMMON~1\qkmu\qkmum.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
 
OK, almost there. Save these instructions in a new Notepad document for use in Safe Mode later.

Go to Add/Remove Programs and uninstall Ipwindows, if it's there.
Download Killbox and ATF Cleaner.

http://download.bleepingcomputer.com/spyware/KillBox.exe
http://www.atribune.org/ccount/click.php?id=1

Boot into Safe Mode.

Once in Safe Mode, run ATF Cleaner and make sure all the boxes are checked.

Run HijackThis, select "Do a system scan only", and place a check by the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [{8434FAC0-0448-1033-0905-010713200001}] "C:\Program Files\Common Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [qkmu] C:\PROGRA~1\COMMON~1\qkmu\qkmum.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


Close all open windows and browsers, and hit "Fix Checked".

Open Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\explorer\Explorer.exe
C:\Program Files\Common Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe
C:\Program Files\Common Files\qkmu\qkmum.exe
C:\Program Files\Ipwindows\ipwins.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Then reboot back to normal mode and post a new HijackThis log.
 
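The Killbox file list in the instructions above corresponds to the O4 (Run key) entries ticked for fixing. The following is an added example, not part of the original post: it parses those O4 lines, strips arguments, expands the 8.3 short names, and flags a Run target named like a Windows binary but stored outside its usual folder. The function names, the short-name table and the expected-folder table are assumptions made for illustration.

```python
import ntpath
import re
# Constructed sample: O4 autostart lines copied from the HijackThis log above.
O4_LINES = [
    r'O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe',
    r'O4 - HKLM\..\Run: [{8434FAC0-0448-1033-0905-010713200001}] "C:\Program Files\Common Files\{8434FAC0-0448-1033-0905-010713200001}\Update.exe" te-110-12-0000213',
    r'O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl',
    r'O4 - HKCU\..\Run: [qkmu] C:\PROGRA~1\COMMON~1\qkmu\qkmum.exe',
    r'O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe',
]
# Value names ticked in the "Fix Checked" list of the instructions above.
FIX_NAMES = {"dlder", "{8434FAC0-0448-1033-0905-010713200001}", "qkmu", "IpWins"}
# Assumption: 8.3 aliases as they resolve on this machine (the Killbox list
# shows the long forms); a live system would ask the filesystem instead.
SHORT_NAMES = {"PROGRA~1": "Program Files", "COMMON~1": "Common Files"}
# Assumption: folder where a binary of this name normally lives on Windows XP.
SYSTEM_HOMES = {"explorer.exe": r"c:\windows"}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")

def exe_path(cmd):
    """Executable path from a Run value: no arguments, long-name form."""
    if cmd.startswith('"'):
        path = cmd[1:].partition('"')[0]
    else:  # unquoted paths may contain spaces, so cut after the first .exe
        m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.I)
        path = m.group(1) if m else cmd
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\"))

def parse_o4(line):
    """Return (hive, value name, executable path), or None for other lines."""
    m = O4_RE.match(line.strip())
    return (m.group(1), m.group(2), exe_path(m.group(3))) if m else None

def killbox_targets(lines, fix_names):
    """Files behind the Run entries selected for fixing, in log order."""
    entries = filter(None, map(parse_o4, lines))
    return [path for _, name, path in entries if name in fix_names]

def masquerading(lines):
    """Run targets named like a system binary but stored somewhere else."""
    hits = []
    for _, _, path in filter(None, map(parse_o4, lines)):
        home = SYSTEM_HOMES.get(ntpath.basename(path).lower())
        if home and ntpath.dirname(path).lower() != home:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print(killbox_targets(O4_LINES, FIX_NAMES), masquerading(O4_LINES))
```

The derived list matches the four paths given for Killbox, including the long form of the `qkmu` entry that the log records as `C:\PROGRA~1\COMMON~1\...`.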
I will do that in a little bit, but before I do I'd like to make you aware of a few things that occurred when rebooting yesterday. One of the things AVG detected wasn't removed because it told me that it has to destroy an entire file that it's connected to (or something like that, lol). I didn't know which file that was, so I left it there, just in case it was something important.

Second, there is no IPwindows in add/remove, BUT whenever I tried to remove all the adware/spyware, two items are always there, came back after removal and now won't let me remove them anymore: OnDVD and Roll...those two things are not removable. I think they shouldn't be on my computer, what do you think?
 