
Can't change hosts files or remove norton antivirus?


Post by minibike132 » March 20th, 2008, 12:34 pm

My Norton AntiVirus account is set to expire tonight, and a few days ago I purchased NOD32. So I went to remove anything Symantec in the Add/Remove screen, and there are no Change/Remove buttons on any of these entries. As a matter of fact, there are no Change/Remove buttons on half of the entries on the Add or Remove screen. I tried to remove it using CCleaner, but that will not let me either. I noticed yesterday, when trying to put IE-SPYAD into the hosts (using ZonedOut), that in the Restricted Sites part of Security I have no control over the level and cannot change hosts files, and I get a message at the bottom of the screen stating "some settings are managed by your system administrator". Let me assure you I am the admin. This is my laptop; no one should have any access to anything on here but me. If I go to Accounts I am listed as the admin, and there are no other accounts listed other than Guest. I have a screenshot of the security window if that would help. The main problem that needs addressing now is to remove Norton so I can install NOD32 tonight, if at all possible. Thank you for your help. HJT log following. OOPS, sorry, I always forget: I'm running XP SP2.

Logfile of HijackThis v1.99.1
Scan saved at 11:33:00 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Money 2006\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Pawsoft\Fass\Fass.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
minibike132
Regular Member
 
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

Re: Can't change hosts files or remove norton antivirus?

Post by Scotty » March 25th, 2008, 7:36 am

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient, as my posts to you have to be checked before I reply, so they may take longer.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Can't change hosts files or remove norton antivirus?

Post by minibike132 » March 26th, 2008, 11:52 pm

Hi Scotty, my name is Mike. There has been a change since my post; I couldn't wait to have an anti-virus. I used the Symantec uninstaller to get that all off here and installed ESET Smart Security. I still have quite a few entries in Add\Remove with no Remove button and still have no control over Restricted Sites. Sorry if my changes hinder diagnosis. If you are looking for Symantec in the log you will not find it. I can say that I was trying to remove my TiVo software, and it was in the Add\Remove list without a button, and there is no TiVo entry in the HJT uninstall log. There are other things that do not match; I will compare the lists and make note if you need it. I will post the requested log. Thank you for your help and patience.

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
AudibleManager
CCleaner (remove only)
Creative System Information
Creative ZEN
DeductionPro 2007
DVDFab Platinum 4.1.2.0
ESET Online Scanner
ESET Smart Security
GM MDI Software - 7.2.4
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows Media Player 11 (KB939683)
IrfanView (remove only)
iTunes
Java(TM) 6 Update 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
Panda ActiveScan
PaperPort
Pawsoft Fass
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SiteHound for Internet Explorer 2.0.0
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.0
SpywareGuard v2.2
TaxCut Illinois 2007
TaxCut Premium + State + Efile 2007
Tech2 SAE J2534 DLL
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VDR Host Application
Windows Media Player 10 Hotfix - KB895316
WinPatrol 2007
Yahoo! Messenger
ZENcast Organizer
minibike132
Regular Member
 
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

Re: Can't change hosts files or remove norton antivirus?

Post by Scotty » March 27th, 2008, 5:21 am

Hi

Post a new HijackThis log just so we can see any changes. :)
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Can't change hosts files or remove norton antivirus?

Post by minibike132 » March 27th, 2008, 9:38 am

Logfile of HijackThis v1.99.1
Scan saved at 8:37:23 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money 2006\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)
minibike132
Regular Member
 
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

Re: Can't change hosts files or remove norton antivirus?

Post by Scotty » March 27th, 2008, 11:29 am

Hi Mike

It doesn't look like a malware problem, but we can see what leftovers need shifted.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. If asked to install HijackThis click on No
  4. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  5. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Can't change hosts files or remove norton antivirus?

Post by minibike132 » March 27th, 2008, 1:25 pm

Thank you Scotty, here are the logs. The main scan is first.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-03-27 12:15:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
62: 2008-03-27 17:16:06 UTC - RP582 - Deckard's System Scanner Restore Point
61: 2008-03-27 00:44:12 UTC - RP581 - System Checkpoint
60: 2008-03-25 15:24:05 UTC - RP580 - System Checkpoint
59: 2008-03-23 23:22:05 UTC - RP579 - System Checkpoint
58: 2008-03-22 19:38:09 UTC - RP578 - System Checkpoint

-- First Restore Point --
1: 2007-12-29 03:08:09 UTC - RP521 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:17:15 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money 2006\MNYCoreFiles\mnybbsvc.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9R9CHEOO\dss[1].exe
C:\PROGRA~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070624-103521-141 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
backup-20070624-103521-598 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
backup-20070624-103521-920 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20070715-225254-333 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070715-225254-344 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070715-225254-365 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070715-225254-519 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070715-225650-471 O8 - Extra context menu item: CallClerk Dial - file://C:\Program Files\CallClerk\callclerkdial.htm
backup-20070715-225650-716 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
backup-20070715-225650-723 O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 ASPI (Advanced SCSI Programming Interface Driver) - c:\windows\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
S3 BCM42RLY - c:\windows\system32\bcm42rly.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 P2k (Motorola iDEN P2k Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 SbcpHid - c:\windows\system32\drivers\sbcphid.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&AD1B67F&0&20F0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&AD1B67F&0&20F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4006A72E0B806
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4006A72E0B806
Service: NIC1394

-- Files created between 2008-02-27 and 2008-03-27 -----------------------------

2008-03-26 16:32:23 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-03-23 20:37:29 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-23 19:37:11 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-03-23 01:27:02 0 d-------- C:\Program Files\KB824146Scan
2008-03-21 10:56:02 0 d-------- C:\Documents and Settings\Owner\Application Data\ESET
2008-03-21 10:54:00 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-19 23:17:02 0 d-------- C:\Program Files\EsetOnlineScanner
2008-03-18 21:51:47 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-03-18 12:54:38 0 d-------- C:\Documents and Settings\Owner\Application Data\SiteHound
2008-03-18 12:54:17 0 d-------- C:\Program Files\FireTrust
2008-03-18 12:15:42 0 d-------- C:\ie-spyad_zo
2008-03-18 11:00:49 0 d-------- C:\Program Files\CCleaner
2008-03-18 10:51:50 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 10:43:00 0 d-------- C:\Program Files\SpywareBlaster
2008-03-18 09:43:59 0 d-------- C:\Program Files\Lavasoft
2008-03-11 22:42:03 0 d-------- C:\Documents and Settings\Owner\Application Data\pdf995
2008-03-10 23:38:33 0 d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2008-03-10 23:38:23 0 d-------- C:\Program Files\BillP Studios
2008-03-01 22:50:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Creative
2008-03-01 22:26:07 53248 -----n--- C:\WINDOWS\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative Product Registration>
2008-03-01 22:23:29 0 d-------- C:\Program Files\Audible
2008-03-01 22:20:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-03-01 22:18:53 25088 -----n--- C:\WINDOWS\system32\CTSVCCTL.EXE <Not Verified; Creative Technology Ltd; Creative Service Control>
2008-03-01 22:18:53 44032 -----n--- C:\WINDOWS\system32\CTSVCCDA.EXE <Not Verified; Creative Technology Ltd; Creative Service for CDROM Access>
2008-03-01 22:18:22 0 d-------- C:\Program Files\Common Files\Creative
2008-03-01 22:18:18 0 d--h----- C:\Program Files\Creative Installation Information
2008-03-01 22:18:14 0 d-------- C:\Program Files\Creative
2008-02-28 09:51:28 0 d-------- C:\Program Files\GM MDI Software

-- Find3M Report ---------------------------------------------------------------

2008-03-23 23:16:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-03-23 21:19:16 0 d-------- C:\Program Files\DVDFab Platinum 3
2008-03-23 21:19:13 33 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2008-03-23 21:19:13 7824 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2008-03-23 21:19:12 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-23 21:19:12 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2008-03-23 21:09:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-23 21:08:57 5632 --ahs---- C:\Program Files\Thumbs.db
2008-03-23 19:37:52 0 d-------- C:\Program Files\DVD Shrink
2008-03-21 10:13:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-18 10:56:39 0 d-------- C:\Program Files\SpywareGuard
2008-03-18 10:55:57 0 d-------- C:\Program Files\TrojanHunter 4.6
2008-03-18 09:41:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 11:33:58 0 d-------- C:\Program Files\AFIT v1.02
2008-03-10 22:46:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-01 22:18:22 0 d-------- C:\Program Files\Common Files
2008-02-28 11:49:06 0 d-------- C:\Program Files\GM
2008-02-15 20:04:09 0 d-------- C:\Program Files\IrfanView
2008-02-11 09:39:26 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-11 09:39:18 237568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-10 21:02:08 0 d-------- C:\Program Files\DeductionPro 2007
2008-02-08 13:53:46 110592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2008-02-07 00:50:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-07 00:07:18 0 d-------- C:\Program Files\iTunes
2008-02-07 00:07:05 0 d-------- C:\Program Files\iPod
2008-02-07 00:05:07 0 d-------- C:\Program Files\QuickTime
2008-02-06 23:55:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-06 19:02:45 0 d-------- C:\Program Files\Microsoft Money 2006
2008-02-05 08:48:04 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe <Not Verified; ; OnlineScannerUninstaller>
2008-02-02 19:36:25 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-02-02 19:36:25 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-02-02 19:35:58 0 d-------- C:\Program Files\TaxCut06
2008-02-02 19:35:47 0 d-------- C:\Documents and Settings\Owner\Application Data\TaxCut
2008-02-02 19:35:28 0 d-------- C:\Program Files\TaxCut07
2008-01-27 21:22:16 1098 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/04/2004 06:47 PM]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/27/2008 12:38 AM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [02/20/2008 11:06 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cd9ac41-36be-11da-b2a1-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

-- Hosts -----------------------------------------------------------------------

216.19.0.250 idenupdate.motorola.com
127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com

8026 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-03-27 12:17:49 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1.73GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 510.48 MiB / 199.67 MiB
Pagefile Memory (total/avail): 1244.36 MiB / 990.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.81 MiB

C: is Fixed (NTFS) - 86.31 GiB total, 46.79 GiB free.
D: is Fixed (FAT32) - 6.83 GiB total, 3.92 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541010G9AT00 - 93.16 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 86.31 GiB - C:
\PARTITION1 - Unknown - 6.84 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ESET Personal firewall v3.0.642.0 (ESET, spol. s r. o.)
AV: ESET Smart Security 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TECH132
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\TECH132
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=TECH132
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative Installation Information\CD_RIPPER_UNICODE_2\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\CREATIVE_SYNC_MANAGER_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\CREATIVE_VIDEO_CONVERTER\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\ZEN_MTP_MEDIA_EXPLORER\Setup.exe" /remove /l0x0009
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Hayes-Ligon\Warranty Wizard\wwuninst.exe
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B2DBF55-05D4-4072-87D8-689141E262BD}\SETUP.EXE" -l0x9 /remove
DeductionPro 2007 --> "C:\Program Files\InstallShield Installation Information\{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}\setup.exe" -runfromtemp -l0x0009 -removeonly
DVDFab Platinum 4.1.2.0 --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
ESET Smart Security --> MsiExec.exe /I{6ECB944F-D027-4E8A-9906-70E77C005AD5}
GM MDI Software - 7.2.4 --> MsiExec.exe /X{7B6996D0-DC4C-4258-935E-A56CA275DE73}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PaperPort --> MsiExec.exe /I{71C97545-E547-4A8B-B0C8-61FF853270AC}
Pawsoft Fass --> C:\Program Files\Pawsoft\Fass\uninst.exe
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SiteHound for Internet Explorer 2.0.0 --> C:\Program Files\FireTrust\SiteHound\uninstie.exe
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
TaxCut Illinois 2007 --> MsiExec.exe /X{EF9DCAA9-3635-4776-B0BA-14883C3C711D}
TaxCut Premium + State + Efile 2007 --> MsiExec.exe /X{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}
Tech2 SAE J2534 DLL --> MsiExec.exe /I{E1EB0C47-FC2D-4495-ACDC-60FC4640462E}
VDR Host Application --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE82D2E5-EE19-11D5-A705-00105A2357D6}\Setup.exe" -l0x9 UNINSTALL
WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZENcast Organizer --> "C:\Program Files\Creative Installation Information\ZENCAST_ORGANIZER\Setup.exe" /remove /l0x0009

-- Application Event Log -------------------------------------------------------

Event Record #/Type16200 / Error
Event Submitted/Written: 03/24/2008 11:30:03 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type16199 / Error
Event Submitted/Written: 03/23/2008 07:46:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application j2534configapp.exe, version 1.0.3.0, faulting module j2534configapp.exe, version 1.0.3.0, fault address 0x0000558e.
Processing media-specific event for [j2534configapp.exe!ws!]

Event Record #/Type16196 / Error
Event Submitted/Written: 03/23/2008 01:10:04 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application j2534configapp.exe, version 1.0.3.0, faulting module j2534configapp.exe, version 1.0.3.0, fault address 0x0000558e.
Processing media-specific event for [j2534configapp.exe!ws!]

Event Record #/Type16194 / Error
Event Submitted/Written: 03/22/2008 11:29:46 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application j2534configapp.exe, version 1.0.3.0, faulting module j2534configapp.exe, version 1.0.3.0, fault address 0x0000558e.
Processing media-specific event for [j2534configapp.exe!ws!]

Event Record #/Type16191 / Error
Event Submitted/Written: 03/21/2008 02:58:43 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type98391 / Warning
Event Submitted/Written: 03/27/2008 08:03:04 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\PREFERRE-JC0W9Y on the network \Device\NetBT_Tcpip_{D40C1721-EF88-496F-AECA-03DE5BD8E4A6}.
The data is the error code.

Event Record #/Type98386 / Error
Event Submitted/Written: 03/26/2008 10:20:04 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type98385 / Error
Event Submitted/Written: 03/26/2008 10:19:56 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type98384 / Error
Event Submitted/Written: 03/26/2008 10:19:49 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type98383 / Error
Event Submitted/Written: 03/26/2008 10:19:42 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

-- End of Deckard's System Scanner: finished at 2008-03-27 12:17:49 ------------
minibike132
Regular Member
 
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

Re: Can't change hosts files or remove norton antivirus?

Unread postby Scotty » March 29th, 2008, 4:13 pm

Hi
Please download Rootkit Revealer from Sysinternals and save it to your desktop.

  1. Right click on RootkitRevealer.zip and select Extract All....
  2. Click Next on seeing the Welcome screen.
  3. You will see a screen asking you to select where you want the files to be extracted to. By default, this will be desktop.
  4. Click Next again.
  5. Check (tick) Show extracted files box and click Finish.
  6. Double click on RootkitRevealer.exe to run it.
  7. A license agreement will be shown to you. Read through it and click on Agree.
  8. Click on Scan at the bottom right hand corner.
  9. When the scan is done, Rootkit Revealer will say Scan complete: X discrepancies found (X are numbers; message at the bottom left hand corner).
  10. Click on File > Save.
  11. By default, it would save to C:\Windows\System32 folder.
  12. Click on Desktop on the left, then click on the Save button.
  13. A RootkitRevealer.txt will be on your desktop.
  14. Open it, select all the contents, copy and paste the contents in your next reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
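The log those steps produce is one discrepancy per line (path, date, time, size, description). The script below is an added Python triage helper, not part of Scotty's post or of the Sysinternals tool; its buckets and the allowlist are this example's own assumptions, and the sample lines are constructed in the log's format rather than taken from a real scan.

```python
"""Triage helper for RootkitRevealer text logs (added example, not from the thread).

Each discrepancy line has the shape:
    <path> <M/D/YYYY> <H:MM AM|PM> <size> <unit> <description>
The buckets and the allowlist below are this example's own triage
assumptions, not rules from the tool or from the forum post.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB)\s+"
    r"(?P<desc>.+?)\s*$"
)

# Assumption: paths an analyst has already verified as normal for this host.
# Treat this as a list to maintain per environment, not as authoritative.
KNOWN_BENIGN = {
    r"HKLM\SECURITY\Policy\Secrets\SAC*",
    r"HKLM\SECURITY\Policy\Secrets\SAI*",
}

# Locations the browser rewrites constantly; files created or deleted between
# RootkitRevealer's API pass and its raw pass show up here as "hidden" or
# "visible but not in MFT" without any rootkit being involved.
CHURN_MARKERS = ("\\Temporary Internet Files\\", "\\Cookies\\")


def parse_line(line):
    """Return a dict for one discrepancy line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_registry"] = rec["path"].startswith(("HKLM\\", "HKCU\\", "HKU\\"))
    return rec


def classify(rec):
    """Assign a triage bucket to a parsed record."""
    path, desc = rec["path"], rec["desc"]
    if path in KNOWN_BENIGN:
        return "known-benign"
    if any(marker in path for marker in CHURN_MARKERS):
        return "browser-cache-churn"
    if rec["is_registry"] and desc.startswith("Data mismatch"):
        # API-vs-hive mismatches need a manual look but are not hidden objects.
        return "registry-review"
    # Hidden files outside cache areas (drivers, executables) deserve attention.
    return "investigate"


def triage(log_text):
    """Parse a whole log; return (bucket counts, paths in the 'investigate' bucket)."""
    counts = Counter()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = classify(rec)
        counts[bucket] += 1
        if bucket == "investigate":
            suspicious.append(rec["path"])
    return dict(counts), suspicious


# Constructed sample in the same shape as the thread's log (not a real scan).
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 3/23/2005 6:27 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 10/6/2005 5:36 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Owner\Cookies\owner@example[1].txt 3/30/2008 10:06 PM 329 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\logo[1].gif 3/30/2008 10:08 PM 1.36 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\example_hidden.sys 3/30/2008 9:00 PM 24.50 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    bucket_counts, to_check = triage(SAMPLE_LOG)
    print(bucket_counts)
    for p in to_check:
        print("INVESTIGATE:", p)
```

Feed it the saved RootkitRevealer.txt and the "investigate" bucket is the short list worth raising in the thread; everything else is explained by the categories in the comments.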

Re: Can't change hosts files or remove norton antivirus?

Unread postby minibike132 » March 31st, 2008, 12:16 am

Hi Scotty,
I will do that. In the meantime I was thinking about some things that might help. I was working on another computer and had a malware fighter tell me to use CCleaner to do something, but I was explicitly told not to use the Registry button, which I had done before on this computer. I'm an idiot sometimes and was just clicking stuff. But that would have only been a few months ago. About a year ago I was doing some cleaning on this computer, and I was just looking at my previous posts. In this post I was advised this:
Unless you or an administrator purposely put restrictions on the Control Panel, check this one also.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
There is, as I said earlier, no admin other than me; however, at that time I was taking my computer into work at a previous employer. Could they have somehow put a policy in effect that is still active even though I'm not connected to their network?
I hate to waste the time of a malware fighter; you all do a great service and I do not want to waste the resources if it is not a malware issue. If it looks like my previous employer put a policy in place I would call that malware, as this is my computer and I don't want them controlling it. If it looks like my modifying registry entries with CCleaner is the issue, cut me loose, and if you could direct me to a forum that could address my stupidity I would be thankful.
RootkitRevealer has finished running and found over 30 discrepancies, but when I went to save the log I got a Windows error that RootkitRevealer had an error and needed to close. I thought it saved the log but it was not on the desktop. I ran the scan again and only came up with 7 discrepancies. I went to save that log to the desktop and got a message that the file already existed under C:\Documents and Settings\LocalService\Desktop\RootkitReveal.txt, so I typed that into Run and here is that log.

HKLM\SECURITY\Policy\Secrets\SAC* 3/23/2005 6:27 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/23/2005 6:27 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 10/6/2005 5:36 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Motorola\PST\USBDriverVersionNumber 5/8/2007 5:22 AM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Control\Motorola\PST\USBDriverVersionNumber 5/8/2007 5:22 AM 3 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Owner\Cookies\owner@mail.yahoo[3].txt 3/30/2008 10:06 PM 329 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@www.yahoo[2].txt 3/30/2008 10:08 PM 76 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@yahoo[1].txt 3/29/2008 5:04 PM 296 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Cookies\owner@yahoo[3].txt 3/30/2008 10:08 PM 460 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\003399[1].gif 3/30/2008 10:08 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\032008bcmythsfull[1].jpg 3/30/2008 10:08 PM 7.97 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\032008bcmythsthumb[1].jpg 3/30/2008 10:08 PM 1000 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\2d67e4253841ae49e2dc6d94ee48af21_1[1].gif 3/30/2008 10:06 PM 1.36 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\5d2c387cb7f08b725803e9a31f9f390c_1[1].gif 3/30/2008 10:06 PM 11.97 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\633572_012808_06_14_06_heart_25x25_a[1].gif 3/30/2008 10:06 PM 941 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\6a05fd0b6f04d9098f9ddc6883f79114_1[1].gif 3/30/2008 10:06 PM 9.11 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\af8865ba34c413f0541600a97dfa0f88_1[1].gif 3/30/2008 10:06 PM 3.19 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\b15bfc7672e3088d0257e399ea93aa6a_1[1].gif 3/30/2008 10:06 PM 8.05 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\b[1].gif 3/30/2008 10:06 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\b[2].gif 3/30/2008 10:07 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\b[3].gif 3/30/2008 10:08 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\bc_2.0.4[2].js 3/30/2008 10:06 PM 1.99 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\bottom_header_bg[1].gif 3/30/2008 10:06 PM 146 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\box340x120[1].gif 3/30/2008 10:07 PM 738 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\conIC[1].gif 3/30/2008 10:06 PM 235 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\df3e567d6f16d040326c7a0ea29a4f41_1[1].gif 3/30/2008 10:06 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\dnserrordiagoff_webOC[1] 3/30/2008 10:03 PM 6.61 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\down[1] 3/30/2008 10:05 PM 3.33 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\fc[1].htm 3/30/2008 10:06 PM 2.22 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\fonts_200502080901[1].css 3/30/2008 10:05 PM 739 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\games_mario2_139x119[1].jpg 3/30/2008 10:08 PM 4.35 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\help[1] 3/30/2008 9:24 PM 1.01 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\iphone[1].jpg 3/30/2008 10:06 PM 968 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\ma_mail_1[1].gif 3/29/2008 5:04 PM 1.37 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\no[1].gif 3/30/2008 10:06 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\photo-ffadult-r20-s2-134107155_66632.1.square[1].gif 3/30/2008 10:06 PM 2.38 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\photo-ffadult-r20-s2-134306345_50441.1.square[1].gif 3/30/2008 10:06 PM 2.92 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\photo-ffadult-r40-s2-59803036_75539.29217484.square[1].gif 3/30/2008 10:06 PM 2.48 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\proL[1].gif 3/30/2008 10:06 PM 51 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\trough-8x6[1].gif 3/30/2008 10:08 PM 1.32 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\upgrade_btn_l_new[1].gif 3/30/2008 10:06 PM 205 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\upsell_bottom[1].gif 3/30/2008 10:06 PM 50 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\upsell_top2[1].gif 3/30/2008 10:06 PM 63 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\video_new[1].jpg 3/30/2008 10:06 PM 8.14 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CGQTAD1Y\yahoo_com[1].htm 3/30/2008 10:08 PM 114.62 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DQDSMI61\20070201_infinitygeneric_1_0[1].js 3/30/2008 10:06 PM 2.10 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DQDSMI61\2360491782cdd2adc980127939c45f81_1[1].gif 3/30/2008 10:06 PM 362 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DQDSMI61\492682203[1].gif 3/30/2008 10:07 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DQDSMI61\633572_032808_25x25_redcherry_1207-01[1].gif 3/30/2008 10:06 PM 830 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DQDSMI61\766897ec79c08647ae96fdf050a28fd8_1[1].js 3/30/2008 10:06 PM 163.01 KB Hidden from Windows API.

Here is the second log.

HKLM\SECURITY\Policy\Secrets\SAC* 3/23/2005 6:27 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/23/2005 6:27 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 10/6/2005 5:36 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Motorola\PST\USBDriverVersionNumber 5/8/2007 5:22 AM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Control\Motorola\PST\USBDriverVersionNumber 5/8/2007 5:22 AM 3 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP585\A0105090.ver 3/26/2008 4:27 PM 21.01 KB Hidden from Windows API.
D: 0 bytes Error mounting volume
minibike132
Regular Member
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

Re: Can't change hosts files or remove norton antivirus?

Unread postby Scotty » April 6th, 2008, 2:47 pm

Hi

Sorry for the delay.

  1. Please download regsearch.zip and save it to your desktop.
  2. Right click on regsearch.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. Click on the Browse button. Click on Desktop. Then click OK.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on regsearch.exe to run it.
  7. Copy and paste HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
    and
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
    under Enter search strings (case independent) and click OK... (boxed up in red in the screenshot below).

    Image
  8. Click OK.
  9. When done, RegSearch.txt will open. Please post the contents of this file in your next reply. This file can also be found on your desktop or wherever regsearch is extracted to.
Scotty
Retired Graduate
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Can't change hosts files or remove norton antivirus?

Unread postby minibike132 » April 7th, 2008, 9:42 pm

Hi Scotty,
Here is the log.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 4/7/2008 8:34:00 PM for strings:
; 'hkey_local_machine\software\policies\microsoft\internet explorer
hkey_local_machine\software\policies\microsoft\internet explorer
hkey_local_machine\software\policies\microsoft\internet explorer'
; 'hkey_current_user\software\policies\microsoft\internet explorer'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

; End Of The Log...
minibike132
Regular Member
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

Re: Can't change hosts files or remove norton antivirus?

Unread postby Scotty » April 8th, 2008, 11:29 am

Hi

Please download FixPolicies (by Bill Castner) and save it to your desktop.

  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

Now post a new HijackThis log, and tell me if you still need rid of TiVo.
Scotty
Retired Graduate
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Can't change hosts files or remove norton antivirus?

Unread postby minibike132 » April 8th, 2008, 8:40 pm

Hi Scotty,
Here is the HJT log. There is still no remove button for any of these programs: AFIT v1.02, Intel(R) Integrated Performance Primitives RTI 4.0, Java(TM) SE Runtime Environment 6 Update 1, Microsoft Digital Image Library 9 - Blocker, Microsoft Office Professional Edition 2003, Microsoft Picture It! Library 10, Microsoft Picture It! Premium 10, Microsoft Works, Microsoft XML Parser, MSXML 4.0 SP2 (KB927978), MyJAL Media PAL, Recovery Software Suite Gateway, SI Tiff Viewer Plugin v4, TiVo Desktop, TIxx21, WebFldrs XP, and Windows Genuine Advantage v1.3.0254.0.
Also I am still unable to modify restricted sites in IE7.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:30 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [StickyPassword] C:\Program Files\Sticky Password\stpass.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PMLY - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\PMLY.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)

Also I hate to be off topic (let me know if I should post this as a new question), but I was messing with password managers and loaded trials for Sticky Password and RoboForm, as the new HJT shows. There seem to be a lot of new entries in the log for RoboForm; are these considered malicious or helpful programs in your experience?
Thank you, Mike.
minibike132
Regular Member
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland

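The review Scotty does by eye on the HijackThis log above (the O1 hosts line, the O23 services) can be made repeatable. The script below is an added example, not part of this thread or of HijackThis: it parses the R/F/O entries, separates hosts entries that merely block a name (loopback targets, as Spybot S&D writes them) from ones that redirect it to a routable address, and flags O23 services that run from a Temp folder or whose binary is missing, as items to explain rather than as verdicts. The sample log is a constructed subset of the posted one plus two invented loopback entries using reserved ".invalid" names.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not part of the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in the thread, plus two
# invented loopback hosts entries (".invalid" names) to contrast with a real redirect.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:21:30 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 127.0.0.1 ad-server.invalid
O1 - Hosts: 0.0.0.0 tracker.invalid
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: PMLY - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\PMLY.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)
"""

# Every HJT finding line starts with a section tag (R1, F2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Hosts targets that block a name rather than send it somewhere.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Path fragments (lower-cased) that mark a service binary living in a temp location.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    section: str  # e.g. "O23"
    text: str     # the rest of the line after "O23 - "


def _strip_prefix(s: str, prefix: str) -> str:
    return s[len(prefix):] if s.startswith(prefix) else s


def parse_hjt(log: str) -> list:
    """Return the R/F/O entries of a log; header and process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries) -> list:
    """O1 entries that map a name to a non-loopback address.

    Loopback entries block a host (expected from Spybot S&D immunization); a
    routable target is a genuine redirect and needs an explanation.
    """
    out = []
    for e in entries:
        if e.section != "O1":
            continue
        parts = _strip_prefix(e.text, "Hosts: ").split()
        if len(parts) >= 2 and parts[0] not in LOOPBACK:
            out.append((parts[0], parts[1]))
    return out


def service_findings(entries) -> list:
    """O23 services that run from a temp folder or whose binary is missing."""
    out = []
    for e in entries:
        if e.section != "O23":
            continue
        name = _strip_prefix(e.text.split(" - ", 1)[0], "Service: ")
        # HJT puts the image path last, after the vendor fields.
        path = e.text.rsplit(" - ", 1)[-1].lower()
        if "(file missing)" in path:
            out.append((name, "binary missing"))
        if any(marker in path for marker in TEMP_MARKERS):
            out.append((name, "runs from a temp folder"))
    return out


def triage(log: str) -> dict:
    """Parse a log and return counts per section plus the review items."""
    entries = parse_hjt(log)
    return {
        "entries": len(entries),
        "by_section": dict(Counter(e.section for e in entries)),
        "hosts_redirects": hosts_redirects(entries),
        "services": service_findings(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} entries parsed: {report['by_section']}")
    for ip, host in report["hosts_redirects"]:
        print(f"  hosts redirect to review: {host} -> {ip}")
    for name, why in report["services"]:
        print(f"  service to review: {name}: {why}")
```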
Re: Can't change hosts files or remove norton antivirus?

Unread postby Scotty » April 10th, 2008, 5:30 am

Hi

There is no evidence of malware on your computer. The Hosts file appears to be the one set by Spybot S&D. There is a how-to HERE on modifying the file through Spybot, if you feel it necessary.

The programs you listed aren't in your Uninstall List, so perhaps they are leftovers from previous applications. Did you delete them or try uninstalling them previously?
Scotty
Retired Graduate
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Can't change hosts files or remove norton antivirus?

Unread postby minibike132 » April 10th, 2008, 12:48 pm

The programs you listed aren't in your Uninstall List, so perhaps they are leftovers from previous applications. Did you delete them or try uninstalling them previously?

No they are all programs that still exist, never tried uninstalling any of them.
minibike132
Regular Member
Posts: 53
Joined: June 6th, 2007, 11:28 pm
Location: Chicagoland