HJT version updated, pls analyze new log

lydia
Joined: 05 May 2007 Posts: 6
Post subject: HJT version updated, pls analyze new log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:18:22 PM, on 5/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MICROS~5\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K3EDODO7\HiJackThis_v2[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeongems.org/pdoh.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [DLLSYC] dllsyc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [krkw] c:\stub_113_4_0_4_0newer.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows Kernel System Service] wkssvr.exe (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157952553075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164807398496
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E4D96D9-14E1-49E7-BB58-0329BA74C4C8}: NameServer = 209.63.0.2 207.173.86.2
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINDOWS\csrsc.exe (file missing)
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System32 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
--
End of file - 5964 bytes
Sat May 05, 2007 4:50 pm

junior08jr8
Joined: 25 Jun 2006 Posts: 194
Hi lydia. Welcome to the 2-Spyware.com forums!
I'm sorry, but we don't accept HijackThis 2.0.0 (Beta) logs at the moment. Please download HijackThis 1.99.1 and post a new log.
Mon May 07, 2007 11:56 pm

lydia
Joined: 05 May 2007 Posts: 6
Post subject: HJT1.99.1 log, pls analyze
Logfile of HijackThis v1.99.1
Scan saved at 10:20:39 AM, on 5/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\unzipped\hijackthis1.99.1\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeongems.org/pdoh.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157952553075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164807398496
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E4D96D9-14E1-49E7-BB58-0329BA74C4C8}: NameServer = 209.63.0.2 207.173.86.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINDOWS\csrsc.exe (file missing)
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System32 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
Tue May 08, 2007 2:52 pm

HJT Analyzer
Joined: 15 Mar 2006 Posts: 644
Post subject: My HijackThis log
Hello, visitor!
The HijackThis log analyzer has analyzed your log. Please take a closer look at the results.
Your system seems to be infected with malicious parasites. Please follow the steps below in order to eliminate the infection and clean up your computer.
1. Download the Pocket KillBox utility. You will need it later to delete parasite-related files and folders.
2. Use HijackThis to fix the following entries:
O23 - Service: System32 - Unknown owner -
3. The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
O17 -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
4. Now restart your system in Safe Mode. This step is very important!
5. Use the Pocket KillBox utility to delete the following files:
The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program
O2 - BHO: Google Toolbar Helper -
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat
O4 - HKCU\..\Run: [swg] C:\Program
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program
O4 - Global Startup: HotSync Manager.lnk = C:\Program
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
O23 - Service: FWService - eAcceleration Corp. - C:\Program
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
O23 - Service: Network Gateway Manager (npx) - Unknown owner -
O23 - Service: System64 - Unknown owner -
After going through all the steps, run another HijackThis scan and post a fresh log to the HijackThis analyzer. It is possible that some parasites your system was infected with were not removed completely and may restore themselves later.
If you want to see more detailed analysis of your log, click here.
Thank you for using the 2-Spyware.com HijackThis log analyzer!
Tue May 08, 2007 2:52 pm

GTO
Joined: 15 Nov 2005 Posts: 1519
Hi lydia
Use HijackThis to fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O23 - Service: System32 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\recycler\bin32\services.exe (file missing)
The rest of your log looks clean to me.
Do you have any spyware-related problems?
Tue May 08, 2007 5:22 pm
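The following is an added example, not part of any post in this thread and not HijackThis or forum code: a Python triage pass over O23 service entries like the ones flagged in the reply above. It first rejoins hard-wrapped log lines; the 71-column wrap width is an assumption inferred from the sample lines, and the function names and the list of system process names are illustrative.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any platform

# A HijackThis entry starts with a section code (R0, F2, O4, O23, ...) and " -".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(\s|$)")
FILE_MISSING = " (file missing)"
# Core Windows process names that should only ever load from ...\system32.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe"}

# Sample lines taken from the log in this thread, hard-wrapped as a forum
# or mail client would wrap them.
SAMPLE_LOG = r"""
O17 -
HKLM\System\CCS\Services\Tcpip\..\{4E4D96D9-14E1-49E7-BB58-0329BA74C4C8
}: NameServer = 209.63.0.2 207.173.86.2
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. -
C:\WINDOWS\system32\pctspk.exe
O23 - Service: System32 - Unknown owner -
C:\recycler\bin32\services.exe (file missing)
"""


def unwrap_entries(text, wrap_width=71):
    """Rejoin wrapped entry lines into one record per entry.

    A physical line that fills the whole width was cut mid-token, so the
    next line is appended without a space; shorter lines were wrapped at
    a space. wrap_width=71 is an assumption derived from the sample.
    """
    records, prev_len = [], 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        if ENTRY_START.match(line):
            records.append(line)
        elif records:  # continuation of the previous entry
            sep = "" if prev_len >= wrap_width else " "
            records[-1] += sep + line.lstrip()
        prev_len = len(line)
    return records


def parse_service(record):
    """Split an O23 record into name, owner and image path.

    Returns None for other sections and for truncated entries, which is
    what a wrapped line looks like when it is not rejoined first.
    """
    prefix = "O23 - Service: "
    if not record.startswith(prefix):
        return None
    parts = record[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(FILE_MISSING)
    if missing:
        path = path[:-len(FILE_MISSING)]
    return {"name": name, "owner": owner, "path": path, "missing": missing}


def triage(service):
    """Return the reasons a service entry deserves a manual look."""
    reasons = []
    path = service["path"].lower()
    if service["owner"] == "Unknown owner":
        reasons.append("unknown owner")
    if service["missing"]:
        reasons.append("file missing")
    if "\\recycler\\" in path:
        reasons.append("image in Recycle Bin directory")
    if basename(path) in SYSTEM_BINARIES and not dirname(path).endswith(r"\system32"):
        reasons.append("system process name outside system32")
    return reasons


def review(log_text):
    """Map service display name -> reasons, for entries with any reason."""
    findings = {}
    for record in unwrap_entries(log_text):
        service = parse_service(record)
        if service:
            reasons = triage(service)
            if reasons:
                findings[service["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

The reasons are prompts for a human reviewer, not verdicts: a leftover entry for uninstalled software can also show an unknown owner and a missing file.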
lydia
Joined: 05 May 2007 Posts: 6
Post subject: Have had spyware problems
Computer will suddenly start flickering, windows open like: system file, control panel, clock setting, and while this is happening if online, it closes my Outlook Express, or whatever window in IE Explorer I have open at the time. But, it will happen even when not online.
I did discover that if I do a ctrl+alt+delete to pull up the system processes, it stalls the 'whatever' and I then just close it without closing any running processes.
Am doing the recommended fixes in HJT log, but didn't know if I still need to download and run the PocketKillBox.
Thank you for your help
Wed May 09, 2007 12:04 am

GTO
Joined: 15 Nov 2005 Posts: 1519
Hi lydia
You don't need to download Pocket KillBox at this moment.
Download the free version of SUPERAntiSpyware. Install the program, update its definitions and run a complete system scan.
Then you should run an online virus scan. I highly recommend using Kaspersky Online Scanner.
Please let me know which results it returns.
Wed May 09, 2007 2:45 pm

lydia
Joined: 05 May 2007 Posts: 6
Post subject: SuperAntiSpyware, Kaspersky logs, pls view
Computer still keeps opening windows randomly, not browser pages, SuperAntiSpyware really found some items, it seems.
Kaspersky scan shows no problems.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 05/09/2007 at 11:53 PM
Application Version : 3.7.1018
Core Rules Database Version : 3235
Trace Rules Database Version: 1246
Scan type : Complete Scan
Total Scan Time : 00:50:24
Memory items scanned : 282
Memory threats detected : 0
Registry items scanned : 4469
Registry threats detected : 29
File items scanned : 28802
File threats detected : 53
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}\InprocServer32
HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}\InprocServer32#ThreadingModel
C:\PROGRA~1\EACCEL~1\ONACCESS\SEHK.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
HKCR\CLSID\{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}
Adware.Tracking Cookie
Adware.SurfSideKick
C:\Documents and Settings\Administrator\Application Data\Sskdmns.dll
Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc
Trojan.WinBo32/Enhance
HKLM\Software\System\sysold
HKLM\Software\System\sysold#win3207771-391085
HKLM\Software\System\sysold#win3207771-391085.exe
HKLM\Software\System\sysold#ntdll.dll
HKU\.DEFAULT\Software\System\sysuid
Trojan.Unknown Origin
C:\WINDOWS\UNINST2.HTM
C:\WINDOWS\UNIST1.HTM
Adware.DollarRevenue
C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[2].htm
C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[4].htm
C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[1].htm
C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\ARKLMZUB\smartload_stats[1].htm
C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\4Z2DQHWF\smartload_stats[3].htm
Kaspersky scan results:
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 10, 2007 4:49:47 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/05/2007
Kaspersky Anti-Virus database records: 297202
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\ C:\ D:\ E:\
Scan Statistics
Total number of scanned objects 44425
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:54:43
Infected Object Name Virus Name Last Action
Scan process completed.
Thank you
Fri May 11, 2007 2:21 am

GTO
Joined: 15 Nov 2005 Posts: 1519
Hi lydia
It seems that your operating system is malfunctioning. If Kaspersky and SUPERAntiSpyware didn't find anything, I don't think that any other antivirus or spyware remover will. Something is wrong here, and most likely it isn't malware at all.
I suggest reinstalling the operating system. Someone might still be able to fix it, but this would require physical access to your computer.
You can also try using System Restore.
Fri May 11, 2007 11:49 am

lydia
Joined: 05 May 2007 Posts: 6
Post subject: 53 threats by SuperAntiSpyware, 1 found in safe mode scan
Previous post shows all the adware, trojans, and surfsidekick found, ran SuperAntiSpyware in safe mode and found the following:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 05/11/2007 at 01:10 AM
Application Version : 3.7.1018
Core Rules Database Version : 3235
Trace Rules Database Version: 1246
Scan type : Complete Scan
Total Scan Time : 01:05:34
Memory items scanned : 82
Memory threats detected : 0
Registry items scanned : 4498
Registry threats detected : 0
File items scanned : 28884
File threats detected : 1
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Fri May 11, 2007 5:24 pm

GTO
Joined: 15 Nov 2005 Posts: 1519
Hi lydia
Neither SurfSideKick nor the mentioned trojans can affect the system this way. It's not a malware problem, I think. It might be caused by parasites, but now I cannot tell you which system components are damaged. This requires physical access to your computer.
If you have the Windows XP installation disk, you should try using Windows File Protection to search for damaged system files and replace them with good copies. Press Start and select the Run... option. Type in sfc and press enter.
Let me know if this works.
Sat May 12, 2007 8:55 am

lydia
Joined: 05 May 2007 Posts: 6
Post subject: Pls give instructions for Windows 2000
Have operating system Windows 2000 - what are the steps to repair, or is it the same?
Thank you for your continued support and replies.
I will do a system restore now.
Sat May 12, 2007 2:29 pm

GTO
Joined: 15 Nov 2005 Posts: 1519
Hi lydia
I completely forgot that you are running Windows 2000. Well, this OS doesn't have the System Restore feature. The sfc /scannow command should work, though.
If nothing helps, you should reinstall the operating system. However, if you don't know how to do this, please don't do it. Ask someone more experienced in computers. That's all I can do for you. I have no physical access to your computer, and therefore cannot reinstall the system for you.
Tue May 15, 2007 4:52 am