HJT version updated, pls analyze new log


Author Topic: HJT version updated, pls analyze new log  (Read 2877 times)
lydia
Newbie
*
Posts: 6


« on: May 05, 2007, 10:50:44 AM »

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:18:22 PM, on 5/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MICROS~5\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K3EDODO7\HiJackThis_v2[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeongems.org/pdoh.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [DLLSYC] dllsyc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [krkw] c:\stub_113_4_0_4_0newer.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop]  (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows Kernel System Service] wkssvr.exe (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157952553075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164807398496
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E4D96D9-14E1-49E7-BB58-0329BA74C4C8}: NameServer = 209.63.0.2 207.173.86.2
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINDOWS\csrsc.exe (file missing)
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System32 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\recycler\bin32\services.exe (file missing)

--
End of file - 5964 bytes

junior08jr8
Newbie
*
Posts: 194
« Reply #1 on: May 07, 2007, 05:56:25 PM »

Hi lydia. Welcome to the 2-Spyware.com forums!

I'm sorry, but we don't accept HijackThis 2.0.0 (Beta) logs at the moment. Please download HijackThis 1.99.1 and post a new log.

lydia
Newbie
*
Posts: 6
« Reply #2 on: May 08, 2007, 08:52:24 AM »

Logfile of HijackThis v1.99.1
Scan saved at 10:20:39 AM, on 5/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\unzipped\hijackthis1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeongems.org/pdoh.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157952553075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164807398496
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E4D96D9-14E1-49E7-BB58-0329BA74C4C8}: NameServer = 209.63.0.2 207.173.86.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINDOWS\csrsc.exe (file missing)
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System32 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
Guest
Guest
« Reply #3 on: May 08, 2007, 08:52:26 AM »

Hello, visitor!

The Hijack This log analyzer has analyzed your log. Please take a closer look at the results.

Your system seems to be infected with malicious parasites. Please follow the steps below in order to eliminate the infection and clean up your computer.

1. Download the Pocket KillBox utility. You will need it later to delete parasite-related files and folders.
2. Use HijackThis to fix the following entries:

O23 - Service: System32 - Unknown owner -

3. The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
O17 -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\


4. Now restart your system in Safe Mode. This step is very important!
5. Use the Pocket KillBox utility to delete the following files:



The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program
O2 - BHO: Google Toolbar Helper -
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat
O4 - HKCU\..\Run: [swg] C:\Program
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program
O4 - Global Startup: HotSync Manager.lnk = C:\Program
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
O23 - Service: FWService - eAcceleration Corp. - C:\Program
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
O23 - Service: Network Gateway Manager (npx) - Unknown owner -
O23 - Service: System64 - Unknown owner -

After going through all the steps, run another HijackThis scan and post a fresh log to the HijackThis analyzer. It is possible that some parasites your system was infected with were not removed completely and may restore themselves later.



Thank you for using the 2-Spyware.com HijackThis log analyzer!

GTO
Global Moderator
Newbie
*****
Posts: 1519
« Reply #4 on: May 08, 2007, 11:22:31 AM »

Hi lydia

Use HijackThis to fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O23 - Service: System32 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\recycler\bin32\services.exe (file missing)


The rest of your log looks clean to me.

Do you have any spyware-related problems?

lydia
Newbie
*
Posts: 6
« Reply #5 on: May 08, 2007, 06:04:21 PM »

Computer will suddenly start flickering, windows open like: system file, control panel, clock setting, and while this is happening if online, it closes my Outlook Express, or whatever window in IE Explorer I have open at the time. But, it will happen even when not online.
I did discover that if I do a ctrl+alt+delete to pull up the system processes, it stalls the 'whatever' and I then just close it without closing any running processes.
Am doing the recommended fixes in HJT log, but didn't know if I still need to download and run the PocketKillBox.
Thank you for your help

GTO
Global Moderator
Newbie
*****
Posts: 1519
« Reply #6 on: May 09, 2007, 08:45:56 AM »

Hi lydia

You don't need to download Pocket KillBox at this moment.

Download the free version of SUPERAntiSpyware. Install the program, update its definitions and run a complete system scan.

Then you should run an online virus scan. I highly recommend using Kaspersky Online Scanner.

Please let me know which results it returns.

lydia
Newbie
*
Posts: 6
« Reply #7 on: May 10, 2007, 08:21:16 PM »

Computer still keeps opening windows randomly, not browser pages, SuperAntiSpyware really found some items, it seems.
Kaspersky scan shows no problems.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/09/2007 at 11:53 PM

Application Version : 3.7.1018

Core Rules Database Version : 3235
Trace Rules Database Version: 1246

Scan type       : Complete Scan
Total Scan Time : 00:50:24

Memory items scanned      : 282
Memory threats detected   : 0
Registry items scanned    : 4469
Registry threats detected : 29
File items scanned        : 28802
File threats detected     : 53

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
   HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
   HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}\InprocServer32
   HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}\InprocServer32#ThreadingModel
   C:\PROGRA~1\EACCEL~1\ONACCESS\SEHK.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
   HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}

Adware.Tracking Cookie

Adware.SurfSideKick
   C:\Documents and Settings\Administrator\Application Data\Sskdmns.dll

Trojan.NetMon/DNSChange
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.WinBo32/Enhance
   HKLM\Software\System\sysold
   HKLM\Software\System\sysold#win3207771-391085
   HKLM\Software\System\sysold#win3207771-391085.exe
   HKLM\Software\System\sysold#ntdll.dll
   HKU\.DEFAULT\Software\System\sysuid

Trojan.Unknown Origin
   C:\WINDOWS\UNINST2.HTM
   C:\WINDOWS\UNIST1.HTM

Adware.DollarRevenue
   C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[2].htm
   C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[4].htm
   C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[1].htm
   C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\ARKLMZUB\smartload_stats[1].htm
   C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[3].htm


Kaspersky scan results:
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 10, 2007 4:49:47 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/05/2007
Kaspersky Anti-Virus database records: 297202

Scan Settings
Scan using the following antivirus database   standard
Scan Archives   true
Scan Mail Bases   true

Scan Target   My Computer
A:\ C:\ D:\ E:\

Scan Statistics
Total number of scanned objects   44425
Number of viruses found   0
Number of infected objects   0 / 0
Number of suspicious objects   0
Duration of the scan process   01:54:43

Infected Object Name   Virus Name   Last Action

Scan process completed.


Thank you

GTO
Global Moderator
Newbie
*****
Posts: 1519
« Reply #8 on: May 11, 2007, 05:49:38 AM »

Hi lydia

It seems that your operating system is malfunctioning. If Kaspersky and SUPERAntiSpyware didn't find anything, I don't think that any other antivirus or spyware remover will. Something is wrong here, and most likely it isn't malware at all.

I suggest reinstalling the operating system. Someone might still be able to fix it, but this would require physical access to your computer.

You can also try using System Restore.

lydia
Newbie
*
Posts: 6
« Reply #9 on: May 11, 2007, 11:24:00 AM »

Previous post shows all the adware, trojans, and surfsidekick found, ran SuperAntiSpyware in safe mode and found the following:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2007 at 01:10 AM

Application Version : 3.7.1018

Core Rules Database Version : 3235
Trace Rules Database Version: 1246

Scan type       : Complete Scan
Total Scan Time : 01:05:34

Memory items scanned      : 82
Memory threats detected   : 0
Registry items scanned    : 4498
Registry threats detected : 0
File items scanned        : 28884
File threats detected     : 1

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt

GTO
Global Moderator
Newbie
*****
Posts: 1519
« Reply #10 on: May 12, 2007, 02:55:38 AM »

Hi lydia

Neither SurfSideKick nor the mentioned trojans can affect the system this way. It's not a malware problem, I think. It might be caused by parasites, but now I cannot tell you which system components are damaged. This requires physical access to your computer.

If you have the Windows XP installation disk, you should try using Windows File Protection to search for damaged system files and replace them with good copies. Press Start and select the Run... option. Type in sfc and press enter.

Let me know if this works.

lydia
Newbie
*
Posts: 6
« Reply #11 on: May 12, 2007, 08:29:23 AM »

Have operating system Windows 2000 - what are the steps to repair, or is it the same?
Thank you for your continued support and replies.
I will do a system restore now.

GTO
Global Moderator
Newbie
*****
Posts: 1519
« Reply #12 on: May 14, 2007, 10:52:16 PM »

Hi lydia

I completely forgot that you are running Windows 2000. Well, this OS doesn't have the System Restore feature. The sfc /scannow command should work, though.

If nothing helps, you should reinstall the operating system. However, if you don't know how to do this, please don't do it. Ask someone more experienced in computers. That's all I can do for you. I have no physical access to your computer, and therefore cannot reinstall the system for you.