Zlob: Virus or spyware?

I have recently been infected by a Zlob virus and neither McAffe virusscan or spybot search and destroy can get rid of it. I have visited other forums just to look at what others have done about it and it is fixable with "Hijack this software" but I couldnt make sense of what they were doing. I thought it would be best to have a tech guide me through this in language I can understand. What the virus is doing is telling me I have been infected with a virus and that I should download some shady virus protection software. So every time I click to log onto the internet, instead of going to my MSN homepage it goes to an address called syssecuritysite.com and gives me a false microsoft internet explorer warning. Are you familiar with this?

 

You should get a better response in the Security Forum. Click on the red triangle at the top right of your post and ask a Moderator to move this to Security.

 

Click here to download HJTsetup.exe:
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5

Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
=============================

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). We’ll get them next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

 

Logfile of HijackThis v1.99.1
Scan saved at 7:55:32 PM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/app_cc/bin/cursorcafe.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - C:\WINDOWS\system32\vpxnk.dll (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

 

SmitFraudFix v2.69

Scan done at 20:15:54.51, Mon 07/10/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
===================

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.

 

Sory I have been away for a while. Heres the info you wanted-----


SmitFraudFix v2.69

Scan done at 11:25:01.10, Sat 07/15/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\vpxnk.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 

1:25 PM: Removal process completed. Elapsed time 00:04:30
1:23 PM: Quarantining All Traces: zedo cookie
1:23 PM: Quarantining All Traces: adserver cookie
1:23 PM: Quarantining All Traces: burstbeacon cookie
1:23 PM: Quarantining All Traces: tripod cookie
1:23 PM: Quarantining All Traces: tribalfusion cookie
1:23 PM: Quarantining All Traces: trafficmp cookie
1:23 PM: Quarantining All Traces: tacoda cookie
1:23 PM: Quarantining All Traces: statcounter cookie
1:23 PM: Quarantining All Traces: realmedia cookie
1:23 PM: Quarantining All Traces: questionmarket cookie
1:23 PM: Quarantining All Traces: partypoker cookie
1:23 PM: Quarantining All Traces: mediaplex cookie
1:23 PM: Quarantining All Traces: fastclick cookie
1:23 PM: Quarantining All Traces: sextracker cookie
1:23 PM: Quarantining All Traces: hitslink cookie
1:23 PM: Quarantining All Traces: ccbill cookie
1:23 PM: Quarantining All Traces: casalemedia cookie
1:23 PM: Quarantining All Traces: burstnet cookie
1:23 PM: Quarantining All Traces: bluestreak cookie
1:23 PM: Quarantining All Traces: atlas dmt cookie
1:23 PM: Quarantining All Traces: ask cookie
1:23 PM: Quarantining All Traces: advertising cookie
1:23 PM: Quarantining All Traces: adtech cookie
1:23 PM: Quarantining All Traces: pointroll cookie
1:23 PM: Quarantining All Traces: addynamix cookie
1:23 PM: Quarantining All Traces: adrevolver cookie
1:23 PM: Quarantining All Traces: specificclick.com cookie
1:23 PM: Quarantining All Traces: yieldmanager cookie
1:23 PM: Quarantining All Traces: about cookie
1:23 PM: Quarantining All Traces: websponsors cookie
1:23 PM: Quarantining All Traces: 2o7.net cookie
1:23 PM: Quarantining All Traces: security toolbar
1:23 PM: Quarantining All Traces: networkessentials
1:23 PM: Quarantining All Traces: instafinder
1:23 PM: Quarantining All Traces: topsearch
1:22 PM: Quarantining All Traces: rx toolbar
1:22 PM: Quarantining All Traces: bullguard popup ad
1:22 PM: Quarantining All Traces: mediapipe
1:22 PM: Quarantining All Traces: starware cursorcafe
1:22 PM: Quarantining All Traces: comet systems
1:22 PM: Quarantining All Traces: altnet
1:22 PM: Quarantining All Traces: starware toolbar
1:22 PM: Quarantining All Traces: p2pnetwork
1:21 PM: Quarantining All Traces: security2k hijacker
1:21 PM: Removal process initiated
1:16 PM: Traces Found: 187
1:16 PM: Full Sweep has completed. Elapsed time 00:18:56
1:16 PM: File Sweep Complete, Elapsed Time: 00:15:24
1:13 PM: C:\WINDOWS\Temp\Altnet\pmexe.cab (ID = 49861)
1:13 PM: C:\WINDOWS\Temp\Altnet\dmfiles.cab (ID = 49865)
1:13 PM: Warning: Could not find a spy with ID "0"
1:13 PM: C:\WINDOWS\Temp\Altnet\pmfiles.cab (ID = 49859)
1:12 PM: Warning: Failed to access drive I:
1:12 PM: Warning: Failed to access drive H:
1:12 PM: Warning: Failed to access drive G:
1:12 PM: Warning: Failed to access drive F:
1:12 PM: Warning: Failed to access drive E:
1:10 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP196\A0010960.bat (ID = 202688)
1:10 PM: Found Adware: security toolbar
1:10 PM: C:\Program Files\DownloadManager\DownloadManager.ini (ID = 162695)
1:10 PM: c:\windows\downloaded program files\cursorcafe.inf (ID = 137348)
1:09 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\system32\hp100.tmp.vir". "c:\windows\system32\hp100.tmp.vir": File not found
1:08 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP194\A0010747.exe (ID = 63654)
1:08 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007375.dll (ID = 165630)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007395.dll (ID = 243450)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007394.dll (ID = 243437)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007328.exe (ID = 49862)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007334.exe (ID = 277546)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007345.dll (ID = 137347)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007346.dll (ID = 137343)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007326.dll (ID = 243437)
1:07 PM: C:\WINDOWS\Temp\BullGuard\bulldownload.exe (ID = 52017)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007331.Manifest (ID = 49859)
1:07 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007383.exe (ID = 49862)
1:07 PM: C:\WINDOWS\Temp\Altnet\pmexe.cab (ID = 49854)
1:07 PM: C:\WINDOWS\Temp\Altnet\admdloader.dll (ID = 49786)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007379.exe (ID = 49793)
1:06 PM: C:\WINDOWS\Temp\Altnet\adm.exe (ID = 111765)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007316.dll (ID = 250397)
1:06 PM: C:\WINDOWS\Temp\Altnet\adm4.dll (ID = 49779)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007372.dll (ID = 165627)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007374.exe (ID = 111765)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007378.dll (ID = 165633)
1:06 PM: C:\WINDOWS\Temp\Altnet\dmfiles.cab (ID = 49818)
1:06 PM: C:\WINDOWS\Temp\Altnet\dminstall7.cab (ID = 49829)
1:06 PM: C:\WINDOWS\Temp\Altnet\pminstall.cab (ID = 49857)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007399.exe (ID = 243448)
1:06 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007405.exe (ID = 162703)
1:06 PM: C:\WINDOWS\Temp\Altnet\pmfiles.cab (ID = 49856)
1:06 PM: C:\WINDOWS\Temp\Altnet\admprog.dll (ID = 49790)
1:05 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007329.exe (ID = 49803)
1:05 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007366.Manifest (ID = 49859)
1:05 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007380.exe (ID = 49803)
1:05 PM: C:\Program Files\DownloadManager\insdl.dll (ID = 71040)
1:05 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007367.dll (ID = 49878)
1:05 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007344.exe (ID = 137345)
1:05 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007373.dll (ID = 165628)
1:04 PM: C:\WINDOWS\Temp\Altnet\adm25.dll (ID = 49782)
1:04 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007376.dll (ID = 165631)
1:04 PM: C:\WINDOWS\Temp\Altnet\Setup.exe (ID = 49875)
1:03 PM: C:\WINDOWS\Temp\Altnet\DMinfo3.cab (ID = 49824)
1:03 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007347.exe (ID = 137970)
1:03 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007369.exe (ID = 165635)
1:03 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007377.dll (ID = 165632)
1:03 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007332.dll (ID = 49878)
1:03 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP137\A0007324.exe (ID = 63654)
1:03 PM: C:\Program Files\MediaPipe\register.dll (ID = 71040)
1:03 PM: Found Adware: networkessentials
1:03 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP196\A0010972.dll (ID = 165717)
1:03 PM: Found Adware: instafinder
1:02 PM: C:\WINDOWS\Temp\Altnet\admfdi.dll (ID = 49789)
1:02 PM: C:\WINDOWS\Temp\Altnet\admdata.dll (ID = 49784)
1:02 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007381.dll (ID = 165637)
1:02 PM: C:\System Volume Information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP138\A0007357.dll (ID = 250397)
1:02 PM: Found Adware: topsearch
1:01 PM: C:\Program Files\RXToolBar (ID = 2147490879)
1:01 PM: Found Adware: rx toolbar
1:01 PM: C:\WINDOWS\Temp\Altnet (18 subtraces) (ID = 2147485861)
1:01 PM: C:\WINDOWS\Temp\BullGuard (1 subtraces) (ID = 2147490887)
1:01 PM: Found Adware: bullguard popup ad
1:01 PM: C:\Program Files\MediaPipe (4 subtraces) (ID = 2147497176)
1:01 PM: C:\My AccessMedia (1 subtraces) (ID = 2147498114)
1:01 PM: Starting File Sweep
1:01 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3762)
1:01 PM: Found Spy Cookie: zedo cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2142)
1:01 PM: Found Spy Cookie: adserver cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2337)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2335)
1:01 PM: Found Spy Cookie: burstbeacon cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3591)
1:01 PM: Found Spy Cookie: tripod cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3589)
1:01 PM: Found Spy Cookie: tribalfusion cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3581)
1:01 PM: Found Spy Cookie: trafficmp cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 6444)
1:01 PM: Found Spy Cookie: tacoda cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3447)
1:01 PM: Found Spy Cookie: statcounter cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3361)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3235)
1:01 PM: Found Spy Cookie: realmedia cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3217)
1:01 PM: Found Spy Cookie: questionmarket cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3111)
1:01 PM: Found Spy Cookie: partypoker cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 1958)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 1958)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 6442)
1:01 PM: Found Spy Cookie: mediaplex cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2652)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2089)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2651)
1:01 PM: Found Spy Cookie: fastclick cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2038)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 1958)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3362)
1:01 PM: Found Spy Cookie: sextracker cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2790)
1:01 PM: Found Spy Cookie: hitslink cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2369)
1:01 PM: Found Spy Cookie: ccbill cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2354)
1:01 PM: Found Spy Cookie: casalemedia cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2336)
1:01 PM: Found Spy Cookie: burstnet cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2314)
1:01 PM: Found Spy Cookie: bluestreak cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2253)
1:01 PM: Found Spy Cookie: atlas dmt cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2245)
1:01 PM: Found Spy Cookie: ask cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2175)
1:01 PM: Found Spy Cookie: advertising cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2155)
1:01 PM: Found Spy Cookie: adtech cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3148)
1:01 PM: Found Spy Cookie: pointroll cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2062)
1:01 PM: Found Spy Cookie: addynamix cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 2088)
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2088)
1:01 PM: Found Spy Cookie: adrevolver cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3400)
1:01 PM: Found Spy Cookie: specificclick.com cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 3751)
1:01 PM: Found Spy Cookie: yieldmanager cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 2037)
1:01 PM: Found Spy Cookie: about cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][2].txt (ID = 3665)
1:01 PM: Found Spy Cookie: websponsors cookie
1:01 PM: c:\documents and settings\owner\cookies\[email protected][1].txt (ID = 1957)
1:01 PM: Found Spy Cookie: 2o7.net cookie
1:01 PM: Starting Cookie Sweep
1:01 PM: Registry Sweep Complete, Elapsed Time:00:00:31
1:01 PM: HKU\S-1-5-21-3260517127-4111241513-634508805-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
1:01 PM: HKU\S-1-5-21-3260517127-4111241513-634508805-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
1:01 PM: Found Adware: starware toolbar
1:01 PM: HKLM\software\microsoft\code store database\distribution units\{ef98af7b-1f54-4079-91bc-3996deaba45a}\ (ID = 1022713)
1:01 PM: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ || c:\program files\p2pnetworks\p2pnetworks.exe (ID = 871570)
1:01 PM: HKLM\software\microsoft\windows\currentversion\uninstall\mediapipe\ (ID = 867153)
1:01 PM: HKLM\software\microsoft\windows\currentversion\run\ || mediapipe p2p loader (ID = 867145)
1:01 PM: HKLM\software\classes\typelib\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (ID = 867115)
1:01 PM: HKLM\software\classes\typelib\{ab3b59a5-8bb4-46ab-a878-dfdb237d5bd5}\ (ID = 867095)
1:01 PM: HKLM\software\classes\typelib\{555fb512-9f3b-4359-9d2a-3c10e750ce5e}\ (ID = 867075)
1:01 PM: HKLM\software\classes\typelib\{45c2360e-bfdf-439b-a3ea-65e8383f9353}\ (ID = 867065)
1:01 PM: HKLM\software\classes\clsid\{b3e19860-0cd5-4991-a066-4fca2704de59}\ (ID = 867026)
1:01 PM: HKLM\software\classes\clsid\{48bb16aa-3f6c-4b28-9884-1fcec1c5da65}\ (ID = 867002)
1:01 PM: HKLM\software\classes\clsid\{1e9adaf2-4eda-4074-96ce-c9972e675c88}\ (ID = 866985)
1:01 PM: HKLM\software\classes\appid\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (ID = 866983)
1:01 PM: HKLM\software\classes\appid\{99c4f93d-42a7-478d-8746-4afb6c10bc26}\ (ID = 866981)
1:01 PM: HKLM\software\classes\appid\{9236268d-8b29-49e5-96d9-daf5fe76941c}\ (ID = 866979)
1:01 PM: HKLM\software\classes\appid\{4c0b0548-ae0b-4008-999d-db33b8b2eb90}\ (ID = 866973)
1:01 PM: HKLM\software\classes\appid\trayicon.exe\ (ID = 866971)
1:01 PM: HKLM\software\classes\appid\mpagent.dll\ (ID = 866967)
1:01 PM: HKLM\software\classes\appid\mediapipe.exe\ (ID = 866965)
1:01 PM: HKLM\software\classes\appid\downloadmanager.exe\ (ID = 866963)
1:01 PM: HKLM\software\classes\mpagent.agent.1\ (ID = 866947)
1:01 PM: HKLM\software\classes\mpagent.agent\ (ID = 866941)
1:01 PM: HKLM\software\classes\mediapipe.gui.1\ (ID = 866937)
1:01 PM: HKLM\software\classes\mediapipe.gui\ (ID = 866931)
1:01 PM: HKLM\software\classes\downloadmanager.manager.1\ (ID = 866927)
1:01 PM: HKLM\software\classes\downloadmanager.manager\ (ID = 866921)
1:01 PM: HKLM\software\mediapipe\ (ID = 866893)
1:01 PM: HKCR\typelib\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (ID = 866836)
1:01 PM: HKCR\typelib\{ab3b59a5-8bb4-46ab-a878-dfdb237d5bd5}\ (ID = 866816)
1:01 PM: HKCR\typelib\{555fb512-9f3b-4359-9d2a-3c10e750ce5e}\ (ID = 866796)
1:01 PM: HKCR\typelib\{45c2360e-bfdf-439b-a3ea-65e8383f9353}\ (ID = 866786)
1:01 PM: HKCR\clsid\{b3e19860-0cd5-4991-a066-4fca2704de59}\ (ID = 866747)
1:01 PM: Found Trojan Horse: p2pnetwork
1:01 PM: HKCR\clsid\{48bb16aa-3f6c-4b28-9884-1fcec1c5da65}\ (ID = 866723)
1:01 PM: HKCR\clsid\{1e9adaf2-4eda-4074-96ce-c9972e675c88}\ (ID = 866706)
1:01 PM: HKCR\appid\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (ID = 866704)
1:01 PM: HKCR\appid\{99c4f93d-42a7-478d-8746-4afb6c10bc26}\ (ID = 866702)
1:01 PM: HKCR\appid\{9236268d-8b29-49e5-96d9-daf5fe76941c}\ (ID = 866700)
1:01 PM: HKCR\appid\{4c0b0548-ae0b-4008-999d-db33b8b2eb90}\ (ID = 866694)
1:01 PM: HKCR\appid\trayicon.exe\ (ID = 866692)
1:01 PM: HKCR\appid\mpagent.dll\ (ID = 866688)
1:01 PM: HKCR\appid\mediapipe.exe\ (ID = 866686)
1:01 PM: HKCR\appid\downloadmanager.exe\ (ID = 866684)
1:01 PM: HKCR\mpagent.agent.1\ (ID = 866668)
1:01 PM: HKCR\mpagent.agent\ (ID = 866662)
1:01 PM: HKCR\mediapipe.gui.1\ (ID = 866658)
1:01 PM: HKCR\mediapipe.gui\ (ID = 866652)
1:01 PM: HKCR\downloadmanager.manager.1\ (ID = 866648)
1:01 PM: HKCR\downloadmanager.manager\ (ID = 866642)
1:01 PM: Found Adware: mediapipe
1:01 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (ID = 735573)
1:01 PM: Found Adware: security2k hijacker
1:01 PM: HKLM\software\classes\clsid\{ef98af7b-1f54-4079-91bc-3996deaba45a}\ (ID = 726877)
1:01 PM: HKLM\software\classes\clsid\{d099baaa-a587-4dfb-9b7e-f7ea0fc04355}\ (ID = 726862)
1:01 PM: HKLM\software\classes\clsid\{009506e8-8cad-4ca9-81d4-d815e7e4330a}\ (ID = 726847)
1:01 PM: HKLM\software\cursorcafe\ (ID = 726812)
1:01 PM: HKCR\clsid\{ef98af7b-1f54-4079-91bc-3996deaba45a}\ (ID = 726777)
1:01 PM: HKCR\clsid\{d099baaa-a587-4dfb-9b7e-f7ea0fc04355}\ (ID = 726762)
1:01 PM: HKCR\clsid\{009506e8-8cad-4ca9-81d4-d815e7e4330a}\ (ID = 726747)
1:01 PM: Found Adware: starware cursorcafe
1:01 PM: HKLM\software\screensavers.com\ (ID = 140569)
1:01 PM: Found Adware: comet systems
1:00 PM: HKLM\software\classes\appid\altnet signing module.exe\ (ID = 103489)
1:00 PM: HKLM\software\classes\appid\adm.exe\ (ID = 103488)
1:00 PM: HKCR\appid\altnet signing module.exe\ (ID = 103449)
1:00 PM: HKCR\appid\adm.exe\ (ID = 103448)
1:00 PM: Found Adware: altnet
1:00 PM: Starting Registry Sweep
1:00 PM: Memory Sweep Complete, Elapsed Time: 00:02:47
12:58 PM: Starting Memory Sweep
12:58 PM: Sweep initiated using definitions version 719
12:58 PM: Spy Sweeper 5.0.5.1286 started
12:58 PM: | Start of Session, Saturday, July 15, 2006 |
********
12:58 PM: | End of Session, Saturday, July 15, 2006 |
12:56 PM: None
12:56 PM: Traces Found: 0
12:56 PM: Memory Sweep Complete, Elapsed Time: 00:01:17
12:56 PM: Sweep Canceled
12:55 PM: Starting Memory Sweep
12:55 PM: Sweep initiated using definitions version 719
12:55 PM: Spy Sweeper 5.0.5.1286 started
12:55 PM: | Start of Session, Saturday, July 15, 2006 |
********
12:55 PM: | End of Session, Saturday, July 15, 2006 |
12:52 PM: Your spyware definitions have been updated.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\MCSHIELD.EXE
12:52 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
12:48 PM: Shield States
12:48 PM: Spyware Definitions: 691
12:48 PM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
12:46 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
12:46 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
12:28 PM: Shield States
12:28 PM: Spyware Definitions: 691
12:28 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
12:00 PM: Shield States
11:59 AM: Spyware Definitions: 691
11:59 AM: Spy Sweeper 5.0.5.1286 started
11:59 AM: Spy Sweeper 5.0.5.1286 started
11:59 AM: | Start of Session, Saturday, July 15, 2006 |
********

 

Logfile of HijackThis v1.99.1
Scan saved at 1:32:35 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Clean - If you feel it is fixed, mark it solved via thread tools above - if not what is the current situation?

Restore points
Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam