[LOGS] CMDService HELP me remove it...please



lewien
2006-02-20, 01:05
This is my first post, be kind..:)

Can someone help me remove cmdservice?

lewien

lewien
2006-02-20, 01:12
Logfile of HijackThis v1.99.1
Scan saved at 6:12:08 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\3232363A3A3D3E.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.65.30:3456
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/c2c/grinstall_c2c1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

illukka
2006-02-21, 22:10
hi
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido anti malware (http://www.ewido.net/en/download/) it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


then launch ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

reboot back to normal mode, post the ewido report and a log from a fresh hjt scan

lewien
2006-02-24, 01:58
HijackThis report after ewido scan

Logfile of HijackThis v1.99.1
Scan saved at 6:56:24 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.65.30:3456
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [5D5D61656568696B] 3232363A3A3D3E.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykoiwq.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/c2c/grinstall_c2c1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

lewien
2006-02-24, 01:59
ewido scan report

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:53:05 PM, 2/23/2006
+ Report-Checksum: B9FBD147

+ Scan result:

HKLM\SOFTWARE\Classes\actsetup.ActSetupObj -> Adware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\actsetup.ActSetupObj\CLSID -> Adware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\actsetup.ActSetupObj\CurVer -> Adware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\actsetup.ActSetupObj.1 -> Adware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{392BAF48-A26A-45B5-9263-97128E429268} -> Adware.AdBlaster : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683} -> Trojan.VB.aft : Cleaned with backup
HKU\S-1-5-21-166745521-4217759621-2681017343-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-166745521-4217759621-2681017343-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKU\S-1-5-21-166745521-4217759621-2681017343-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-166745521-4217759621-2681017343-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683} -> Trojan.VB.aft : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@c5.zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\My Documents\New Folder\backups\backup-20040901-161942-123.dll -> Downloader.Lemmy.u : Cleaned with backup
C:\n.exe -> Downloader.Small.cdy : Cleaned with backup
C:\Program Files\2524408\2524408.exe -> Adware.VirtualBouncer : Cleaned with backup
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-500\Dc5.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdToolsX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UERS_0001_NI531020NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.f : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\USYP_0001_N57M2911NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\WINDOWS\dvhqhuoz.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\elitemediapop.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\htwfdr.exe -> Downloader.Small.bmx : Cleaned with backup
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\inst_FI002.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\prelimhanse.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\pss\piqh.exeCommon Startup -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\Sngsh40.dll -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\stub_110_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\WINDOWS\system\sngsh35.dll -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup
C:\WINDOWS\system32\b2search.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\bGs.dll -> Dropper.Small.abe : Cleaned with backup
C:\WINDOWS\system32\BO2802040113.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\bUS.dll -> Dropper.Small.abe : Cleaned with backup
C:\WINDOWS\system32\cxdxregt.exe -> Downloader.Agent.tq : Cleaned with backup
C:\WINDOWS\system32\eliteerror32.dat -> Hijacker.StartPage.nk : Cleaned with backup
C:\WINDOWS\system32\esysghiz.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\jcna.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\mpdevqaw.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\mseggo.gif -> Logger.Delf.dx : Cleaned with backup
C:\WINDOWS\system32\msfaol.dll -> Adware.ClientMan : Cleaned with backup
C:\WINDOWS\system32\msiaih.dll -> Adware.Ipend : Cleaned with backup
C:\WINDOWS\system32\msnimk.gif -> Adware.Ipend : Cleaned with backup
C:\WINDOWS\system32\ngsh35.dll -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\qtdevrap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\qvyap.dat -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\rlls.dll -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\rpdsrego.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rqdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\sms_msn.exe -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Hijacker.StartPage.nk : Cleaned with backup
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll_tobedeleted -> Downloader.Qoologic.ae : Cleaned with backup
C:\WINDOWS\system32\wudxregt.exe -> Downloader.Agent.tq : Cleaned with backup
C:\WINDOWS\system32\ysyswv6d.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\titsvotf.exe -> Downloader.Small.bmx : Cleaned with backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup
F:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Df1\backups\backup-20040901-161942-123.dll -> Downloader.Lemmy.u : Cleaned with backup
F:\Taylors Back up\My Documents\New Folder\backups\backup-20040901-161942-123.dll -> Downloader.Lemmy.u : Cleaned with backup


::Report End

illukka
2006-02-25, 00:23
hi

open hijackthis
click do a system scan only
checkmark these:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.65.30:3456 (fix this only if not set by you or your admin)
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O4 - HKLM\..\Run: [5D5D61656568696B] 3232363A3A3D3E.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykoiwq.exe reg_run
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...2c1002_sp2.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

then close the browser and all other windows, leaving only hijackthis running

and click fix checked

reboot

go to Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm)

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log
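
The list above is the kind of triage a helper does by eye. The script below, added here as an example and not code from the thread or from HijackThis, encodes those same item classes as rules (proxy override, missing URLSearchHook, orphaned BHOs, Run entries with a bare filename, a hex-blob name or an unknown system32 executable, IE buttons whose file is missing, Trusted Zone additions, ActiveX downloads from hosts outside an allowlist) and runs them over lines copied from the logs posted in this thread. The two allowlists and every rule threshold are the editor's assumptions, not anything the thread or HijackThis defines.

```python
"""Triage a HijackThis v1.99 log for the item classes flagged in this thread.
Added example, not HijackThis code and not anything the helper posted; the
rules mirror the items illukka singled out, and both allowlists are assumed."""
import re
from urllib.parse import urlparse

DPF_ALLOWLIST = {"microsoft.com", "trendmicro-europe.com", "pandasoftware.com"}  # assumed
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe"}  # assumed: known-good system32 autostarts

ITEM_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
HEXBLOB_RE = re.compile(r"^[0-9A-Fa-f]{12,}$")  # names like 3232363A3A3D3E

def _host_allowed(url, allowlist):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)

def _exe_path(cmd):
    """First token of a Run command line, surrounding quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def classify(line):
    """Reason the item should be checked in HijackThis, or None if it looks benign."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R1" and "ProxyServer" in body:
        return "proxy override; fix only if not set by you or your admin"
    if kind == "R3" and "missing" in body:
        return "default URLSearchHook missing"
    if kind == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is gone"
    if kind == "O4" and (r := RUN_RE.match(body)):
        exe = _exe_path(r.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            return "Run entry with a bare filename and no path"
        if HEXBLOB_RE.match(r.group("name")) or HEXBLOB_RE.match(base.rsplit(".", 1)[0]):
            return "Run entry named with a hex blob"
        if "\\system32\\" in exe.lower() and base not in SYSTEM32_RUN_ALLOWLIST:
            return "unknown executable started from system32"
    if kind == "O9" and "(file missing)" in body:
        return "IE toolbar button whose target is missing"
    if kind == "O15":
        return "site added to the IE Trusted Zone"
    if kind == "O16" and (d := DPF_RE.match(body)):
        url = d.group("url")
        if url.lower().startswith("http") and not _host_allowed(url, DPF_ALLOWLIST):
            return "ActiveX control downloaded from a non-allowlisted host"
    return None

def triage(log_text):
    """(reason, line) for every item worth ticking in 'Do a system scan only'."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((reason, line.strip()))
    return hits

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# benign and suspicious mixed.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.65.30:3456
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [5D5D61656568696B] 3232363A3A3D3E.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykoiwq.exe reg_run
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample it flags exactly the eleven items illukka listed and leaves the Yahoo search bar, the Java SSV helper, type32, ctfmon, the WGA control and the ewido service alone. The proxy rule deliberately flags rather than decides, because a 172.17.x.x proxy is plausible on a managed network; that is the one item where the helper's "only if not set by you or your admin" caveat has to come from the user.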

lewien
2006-02-25, 22:16
Ok... I've completed the steps you requested. One note: ykoiwq.exe reg_run was not in my hijack scan. Ewido blocked it. Also I'm running MS Antispyware and it ran a scan after I ran hijack and removed the items you noted.

here's my logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:12:00 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

lewien
2006-02-25, 22:18
Incident Status Location

Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip[Beyond.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip[NewURLClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip[Matrix.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip[Counter.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip[Parser.class]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@2o7[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ath.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@belnk[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@casalemedia[1].txt
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@date[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@doubleclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@perf.overture[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@realmedia[1].txt
Adware:adware/elitebar Not disinfected C:\WINDOWS\Downloaded Program Files\OSDEB.OSD

lewien
2006-02-25, 22:18
Adware:Adware Program Not disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\bi6.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\biG.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\biU.inf
Adware:Adware/WUpd Not disinfected C:\WINDOWS\lc.exe
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WINDOWS\pf78.exe
Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\bgabgbot.html
Adware:Adware/Transponder Not disinfected C:\WINDOWS\system32\biU.exe0
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\cspspkbt.html
Spyware:spyware/whazit Not disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\fjfvjugnmt.html
Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\mgghv.html
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\system32\mscgdc.dll
Adware:Adware/Hotoffers Not disinfected C:\WINDOWS\system32\msodae.dll
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\nczdvmkieuzh.html
Adware:adware/hotoffers Not disinfected C:\WINDOWS\system32\Party Poker.ico
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\psowi.html
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\qirgtkmxb.html
Adware:Adware/ClkOptimizer Not disinfected C:\WINDOWS\system32\qvyap.dat
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\trart.html
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\system32\unirimon.exe
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\uteqccnoxkytirewfz.html
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\wreswed.html
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\xhhdmwaggqpzob.html
Adware:Adware/ClkOptimizer Not disinfected C:\WINDOWS\system32\ykoiwq.exe
Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\zokzihzzghjdkvutt.html
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WINDOWS\tmp333.exe

lewien
2006-02-25, 22:24
One last thing. MS AntiSpyware (Beta 1) has a log of what it did. I can't see any way to save a report to send to you.

lewien
2006-02-25, 22:26
I "spoke" too soon.

Here's the MS scan results:

Spyware Scan Details
Start Date: 2/25/2006 11:32:50 AM
End Date: 2/25/2006 11:41:02 AM
Total Time: 8 mins 12 secs

Detected Threats

TV Media Display Adware more information...
Details: TV Media Display is secretly installed on your computer to display advertising, usually pop-ups.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\documents and settings\taylor newcomb\application data\tvmcwrd.dll
c:\documents and settings\taylor newcomb\application data\tvmknwrd.dll


CoolWebSearch.StartPage Browser Modifier more information...
Details: CoolWebSearch StartPage changes Internet Explorers start page, however, it does not allow you to change the URL.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page_bak


AproposMedia Browser Modifier more information...
Details: AproposMedia is a browser modifier that installs with PeopleOnPage (POP). AproposMedia displays pop-up advertisements and changes browser settings.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32 C:\Program Files\CxtPls\CxtPls.exe
HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID
HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID
HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}


ShopAtHome Spyware more information...
Details: ShopAtHome is a browser redirector that monitors your browsing behavior and online purchases.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\WINDOWS\Downloaded Program Files\GRInstall6.dll


webHancer Spyware more information...
Details: WebHancer is a spyware program that launches at Windows startup, monitors the Web sites you view, and sends their performance data back to webHancers servers.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\windows\winskw\jau5055.dat
c:\windows\winskw\jsy5055.dat
c:\windows\winskw\rge5055.dat
c:\windows\winskw\sty5055.dat
c:\windows\winskw\ydn5055.dat

Infected folders detected
c:\windows\winskw


Comet Systems Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\windows\downloaded program files\dm.inf
c:\windows\inf\dm.inf
c:\windows\inf\dm.pnf


Internet Enhancement Pak Adware more information...
Details: Internet Enhancement Pak is adware that is bundled in free software products.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\WINDOWS\Downloaded Program Files\actsetup.inf

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\VersionIndependentProgID actsetup.ActSetupObj
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} CActSetupObj Object
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 C:\WINDOWS\Downloaded Program Files\actsetup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 ThreadingModel apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus\1 131473
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus 0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ProgID actsetup.ActSetupObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ToolboxBitmap32 C:\WINDOWS\Downloaded Program Files\actsetup.dll, 1
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 C:\WINDOWS\Downloaded Program Files\actsetup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\TypeLib {3CA12D40-90E0-4E18-A5EA-9C27B38A9228}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\VersionIndependentProgID actsetup.ActSetupObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} CActSetupObj Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\system32\mfc42.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\system32\msvcrt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\system32\olepro32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\Downloaded Program Files\actsetup.dll
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 ThreadingModel apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\DownloadInformation CODEBASE http://www.odysseusmarketing.com/actsetup.cab
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\DownloadInformation INF C:\WINDOWS\Downloaded Program Files\actsetup.inf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InstalledVersion 1,0,0,1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InstalledVersion LastModified Thu, 27 Jan 2005 22:39:14 GMT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} SystemComponent 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} Installer MSICD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/actsetup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/actsetup.dll .Owner {BAB3E70B-A847-4A88-ACFC-778FCCC00287}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/actsetup.dll {BAB3E70B-A847-4A88-ACFC-778FCCC00287}
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus\1 131473
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus 0
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ProgID actsetup.ActSetupObj.1
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ToolboxBitmap32 C:\WINDOWS\Downloaded Program Files\actsetup.dll, 1
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\TypeLib {3CA12D40-90E0-4E18-A5EA-9C27B38A9228}
HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Version 1.0


WinSoftware.Winfixer Potentially Unwanted Software more information...
Details: Winfixer is known to be installed through inappropriate bundling and without users consent. It is a software that scans the users system for damaged files and attempts to fix it if the user pays a fee.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\WINDOWS\system32\drivers\d_kmd.sys


EliteMedia Adware more information...
Details: Opens attributed popup advertisements. Adds their website to the Trusted Zones list.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\WINDOWS\eliteunstall.exe


Bitlocker Browser Modifier more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\windows\system32\nsb3af.dll
c:\windows\system32\nsc441.dll
c:\windows\system32\nsl3c.dll
c:\windows\system32\nsm9c.dll

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7} The Gimp
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24.1
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24.1\CLSID {01EB5130-FC0C-4d75-B9CE-4801B1B854F5}
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24.1 bitlocker
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24\CLSID {01EB5130-FC0C-4d75-B9CE-4801B1B854F5}
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24\CurVer Le.Toy24.1
HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24 bitlocker
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp.1
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp.1\CLSID {10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
HKEY_CLASSES_ROOT\ONONE.Thegimp.1
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp.1 The Gimp
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp\CLSID {10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp\CurVer ONONE.Thegimp.1
HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp The Gimp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker affilate_id Justin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker request_queue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker version 1.32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker db_number 2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ONONE.Thegimp.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker popup_delay 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker refresh_time 60
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker related_pop_type popunder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ezula_maxdup 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker rand_context_distortion 5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker navigation_error http://69.42.87.219/e.html
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker popup_time_distortion 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ezula_maxhilight 7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker rand_contextual_pop_type popunder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker popup_ctx_delay 25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ezula_enabled true
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker random_contextual_enabled true
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker program_push_enabled true
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker icon_drop_enabled true
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker related_popups_enabled true
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker internal_affiliate_id 766
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\InprocServer32 C:\WINDOWS\system32\nsm9C.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker country_id 225
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker install_timestamp 1138590229
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_refresh_time 1139681991
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_ezulasync 1138232405
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker push_list
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_push_time 1138590152
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker pushed_already
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker date 20060211182546
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker update_url http://new.trafficsector.com/smb/admin/files/adsetup_silent.1.32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ctx_popup_shown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker next_ctx_popup_time 1139682984
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_ezula_update_ID 566
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker next_related_time 1139682731
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker installation_id fb577dc9-3b2a-4211-9718-91a507ec4bcf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker user_id 97901
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\ProgID ONONE.Thegimp.1
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\TypeLib {82910CE3-D86A-435a-A519-6A8C369855D3}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\VersionIndependentProgID ONONE.Thegimp


IBIS Toolbar Adware more information...
Details: IBIS Toolbar is an Internet Explorer search redirector.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0 Toolbar Library
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\0\win32 C:\PROGRA~1\Toolbar\toolbar.dll
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\FLAGS 4
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\HELPDIR C:\PROGRA~1\Toolbar\
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0 Toolbar Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\0\win32 C:\PROGRA~1\Toolbar\toolbar.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\FLAGS 4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\HELPDIR C:\PROGRA~1\Toolbar\


Virtual Bouncer Adware more information...
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\windows\system32\innervbinstall.log


TopRebates.WebRebates Adware more information...
Details: TopRebates is a browser toolbar that can display pop-up advertisements and monitor your Web browsing activities.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\windows\artmmp.ini


DelFin.Media Viewer Adware more information...
Details: DelFin Media Viewer, also called PromulGate, is an adware-based media player.
Status: Quarantined
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\documents and settings\all users\application data\pcsvc\adverts\dmv_pop_dp-us-t.dfn
c:\documents and settings\all users\application data\pcsvc\adverts\ink_inkline002-t.dfn
c:\documents and settings\all users\application data\pcsvc\adverts\ink_inkline006-t.dfn
c:\documents and settings\all users\application data\pcsvc\adverts\ink_inkline023-t.dfn
c:\documents and settings\all users\application data\pcsvc\adverts\qf_040226-a203.dfn

Infected folders detected
c:\documents and settings\all users\application data\pcsvc
c:\documents and settings\all users\application data\pcsvc\adverts


Claria.GAIN Adware more information...
Details: Claria.GAIN displays pop-up advertisements based on collected information about you and your Web browsing activities. Claria.GAIN is bundled with advertisement-supported programs from Claria and other companies.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\windows\gatorpatch.log


PowerReg Scheduler Potentially Unwanted Software more information...
Details: PowerReg Scheduler is a registration system used by some legitimate software programs.
Status: Quarantined
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
C:\Documents and Settings\Taylor Newcomb\Start Menu\Programs\Startup\PowerReg Scheduler.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.

lewien
2006-02-26, 17:04
ykoiwq.exe keeps getting blocked by ewido. ~every 15 minutes.

File: ykoiwq.exe
path: c:\windows\system32
Infection Downloader.Qoologic.aw

When I get this I hit "ok" and let ewido Block & Clean

illukka
2006-03-02, 07:02
hi

this is very odd; a safe mode scan with updated ewido should be enough to clean this infection

try it again, then post the scan results and a fresh hjt log

lewien
2006-03-04, 20:23
Re-ran the current version of ewido in safe mode

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:16:57 PM, 3/4/2006
+ Report-Checksum: AE736C24

+ Scan result:

HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Error during cleaning
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ehg-communityconnect.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\kcbsfvf.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\system32\qvyap.dat -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\system32\ykoiwq.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup


::Report End

lewien
2006-03-04, 20:24
Logfile of v1.99.1
Scan saved at 1:20:23 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

illukka
2006-03-05, 07:36
hi

that looks good, can you post me a startuplist from hijackthis:

open hjt, click open misc tools section
scroll until you see "generate startuplist log"
put checkmarks in both boxes, then click the "generate startuplist log" button
save the log and post its contents here

lewien
2006-03-05, 17:46
StartupList report, 3/5/2006, 10:45:24 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Taylor Newcomb\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
sms_msn = C:\WINDOWS\system32\sms_msn.exe
sms_msn40 = C:\WINDOWS\system32\sms_msn40.exe

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
2524408 = C:\PROGRA~1\2524408\2524408.exe
Cenygvy = C:\WINDOWS\system32\n?pdb.exe
Lerm = "C:\Program Files\saar\elat.exe" -vt tzt
irssyncd = C:\WINDOWS\system32\irssyncd.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: *Registry key not found*
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=48835

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216

[Housecall ActiveX 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Groove Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\GrooveAX.dll
CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.2812731481

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.3.1/jinstall-1_3_1_04-windows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

lewien
2006-03-05, 17:47
--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Accton EN1207D/2242A Adapter Driver: System32\DRIVERS\ACC07D.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido anti-malware\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido anti-malware\ewidoguard.exe (autostart)
NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver: system32\DRIVERS\FA312nd5.sys (manual start)
Netgear FA311/312 NDIS 5.0 Miniport Driver: system32\DRIVERS\FA31xND5.SYS (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
IIS Admin: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
FTP Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Peer Networking Group Authentication: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Peer Networking Identity Manager: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Peer Networking: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Peer Name Resolution Protocol: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Microsoft IntelliPoint Filter Driver: system32\DRIVERS\point32.sys (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver: System32\DRIVERS\SMC1211.SYS (manual start)
Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{8BFD85C8-8C48-42D5-AE05-990D2CA37821} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Wide Web Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IBM PC Camera: System32\DRIVERS\C-itnt.sys (manual start)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,008 bytes
Report generated in 0.751 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

illukka
2006-03-05, 21:19
hi

have you disabled some startup entries with msconfig or a similar tool?

please run msconfig again, re-enable everything
then post a new hijackthis log

lewien
2006-03-06, 04:11
Yes, I've used MSCONFIG to remove items from my computer. I followed your instructions and ran MSCONFIG and enabled everything... ewido and my MS Spyware went nuts after a reboot... here are my logs...


Spyware Scan Details
Start Date: 3/5/2006 8:38:08 PM
End Date: 3/5/2006 8:45:34 PM
Total Time: 7 mins 26 secs

Detected Threats

ShopAtHome Spyware more information...
Details: ShopAtHome is a browser redirector that monitors your browsing behavior and online purchases.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SAHAgent


zSearch Adware more information...
Details: zSearch is an Internet Explorer Toolbar that tracks your surfing and searching habits.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run zSearch


Twain Tech Adware more information...
Details: Twain Tech is an adware based Internet Explorer browser helper object that displays targeted advertisements based on your browsing patterns.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wast


180Solutions.SearchAssistant Adware more information...
Details: 180Solutions.SearchAssistant monitors your current Web browsing activity and displays pop-up advertisements related to the Internet sites you are viewing.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msbb


eXact.BullseyeNetwork Adware more information...
Details: eXact.BullseyeNetwork displays pop-up advertisements.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BullsEye Network


eBates.WebSearch Adware more information...
Details: eBates.WebSearch is a shopping tool that opens pop-up windows and modifies Internet Explorers home search pages.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run websearch


TopRebates.WebRebates Adware more information...
Details: TopRebates is a browser toolbar that can display pop-up advertisements and monitor your Web browsing activities.
Status: Quarantined
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run webrebates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WebRebates0


Detected Spyware Cookies
No spyware cookies were found during this scan.

lewien
2006-03-06, 04:12
Logfile of HijackThis v1.99.1
Scan saved at 9:12:12 PM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\WinXPLoad.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sms_msn40.exe
C:\WINDOWS\system32\ngpw40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\saar\elat.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Taylor Newcomb\My Documents\?ystem32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R3 - URLSearchHook: (no name) - {425F3155-FBB7-F111-90DB-858AD1D7FAEC} - C:\WINDOWS\system32\dvyapuex.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {493C4054-DBE5-8A41-C87F-AF98B061F1EC} - C:\WINDOWS\system32\ezjht.dll (file missing)
O2 - BHO: (no name) - {425F3155-FBB7-F111-90DB-858AD1D7FAEC} - C:\WINDOWS\system32\dvyapuex.dll (file missing)
O2 - BHO: (no name) - {493C4054-DBE5-8A41-C87F-AF98B061F1EC} - C:\WINDOWS\system32\ezjht.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{04-46-63-32-ZN}] c:\windows\system32\dwdsregt.exe DO0605
O4 - HKLM\..\Run: [zgwnuk] C:\WINDOWS\mmftw.exe
O4 - HKLM\..\Run: [ygqthp] C:\WINDOWS\kbqao.exe
O4 - HKLM\..\Run: [WinXPLoad] Rundll32 LoadDll,LoadExe WinXPLoad.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykoiwq.exe reg_run
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [w39X33Q] faxsam.exe
O4 - HKLM\..\Run: [uxaiqlp] C:\WINDOWS\gymvzxkx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [szix] C:\WINDOWS\axfbd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Spyware remover] C:\WINDOWS\Remove_spyware.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [rxamfh] C:\WINDOWS\qojvt.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\bridge.dll",Load
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [r2h] C:\documents and settings\taylor newcomb\local settings\temp\r2h.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nurmtdr] C:\WINDOWS\bdecdod.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iuzuhvl] C:\WINDOWS\iuzuhvl.exe
O4 - HKLM\..\Run: [hipivit] C:\WINDOWS\hipivit.exe
O4 - HKLM\..\Run: [fzrerexfl] C:\WINDOWS\lutmny.exe
O4 - HKLM\..\Run: [fcyebre] C:\WINDOWS\ntlu.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qtdevrap.exe DO0605
O4 - HKLM\..\Run: [awixvu] C:\WINDOWS\icyqwllwk.exe
O4 - HKLM\..\Run: [AutoLoaderwwqr1NNQPQLO] "C:\WINDOWS\System32\faxsam.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [5D5D61656568696B] 3232363A3A3D3E.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Pwcm74j.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Xdmmre] C:\WINDOWS\system32\j?vaw.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [Lerm] "C:\Program Files\saar\elat.exe" -vt yazb
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - HKCU\..\Run: [Ybz] C:\Documents and Settings\Taylor Newcomb\My Documents\?ystem32\spoolsv.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qtdevrap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rqdsregs.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: Runner.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

lewien
2006-03-06, 04:15
StartupList report, 3/5/2006, 9:14:28 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\WinXPLoad.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sms_msn40.exe
C:\WINDOWS\system32\ngpw40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\saar\elat.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Taylor Newcomb\My Documents\?ystem32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Taylor Newcomb\Start Menu\Programs\Startup]
Zeno.lnk = C:\WINDOWS\system32\qtdevrap.exe
Z_Start.lnk = C:\WINDOWS\system32\rqdsregs.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task = C:\WINDOWS\System32\qttask.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
{04-46-63-32-ZN} = c:\windows\system32\dwdsregt.exe DO0605
zgwnuk = C:\WINDOWS\mmftw.exe
ygqthp = C:\WINDOWS\kbqao.exe
WinXPLoad = Rundll32 LoadDll,LoadExe WinXPLoad.exe
winsync = C:\WINDOWS\system32\ykoiwq.exe reg_run
wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
w39X33Q = faxsam.exe
uxaiqlp = C:\WINDOWS\gymvzxkx.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
szix = C:\WINDOWS\axfbd.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Spyware remover = C:\WINDOWS\Remove_spyware.exe
sms_msn40 = C:\WINDOWS\system32\sms_msn40.exe
sms_msn = C:\WINDOWS\system32\sms_msn.exe
rxamfh = C:\WINDOWS\qojvt.exe
RunDLL = rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\bridge.dll",Load
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
r2h = C:\documents and settings\taylor newcomb\local settings\temp\r2h.exe
nwiz = nwiz.exe /install
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nurmtdr = C:\WINDOWS\bdecdod.exe
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
iuzuhvl = C:\WINDOWS\iuzuhvl.exe
hipivit = C:\WINDOWS\hipivit.exe
fzrerexfl = C:\WINDOWS\lutmny.exe
fcyebre = C:\WINDOWS\ntlu.exe
Dsi = C:\WINDOWS\System32\dp-k13w13.exe
CPQEASYACC = C:\Compaq\eakdrv\STARTDRV.exe
BrowserUpdateSched = C:\WINDOWS\system32\qtdevrap.exe DO0605
awixvu = C:\WINDOWS\icyqwllwk.exe
AutoLoaderwwqr1NNQPQLO = "C:\WINDOWS\System32\faxsam.exe" /PC="AM.WILD" /HideUninstall
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
5D5D61656568696B = 3232363A3A3D3E.exe
4S2NSLA3QS#366 = C:\WINDOWS\System32\Pwcm74j.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

MicrosoftAntiSpywareCleaner = C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Xdmmre = C:\WINDOWS\system32\j?vaw.exe
Weather = C:\Program Files\AWS\WeatherBug\Weather.EXE 1
Lerm = "C:\Program Files\saar\elat.exe" -vt yazb
EQArticle = "C:\Program Files\EQArticle\EQArticle.exe"
Communicator = C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
Ybz = C:\Documents and Settings\Taylor Newcomb\My Documents\?ystem32\spoolsv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
sms_msn = C:\WINDOWS\system32\sms_msn.exe
sms_msn40 = C:\WINDOWS\system32\sms_msn40.exe

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
2524408 = C:\PROGRA~1\2524408\2524408.exe
Cenygvy = C:\WINDOWS\system32\n?pdb.exe
Lerm = "C:\Program Files\saar\elat.exe" -vt tzt
irssyncd = C:\WINDOWS\system32\irssyncd.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=Runner.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

lewien
2006-03-06, 04:16
Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: *Registry key not found*
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\dvyapuex.dll (file missing) - {425F3155-FBB7-F111-90DB-858AD1D7FAEC}
(no name) - C:\WINDOWS\system32\ezjht.dll (file missing) - {493C4054-DBE5-8A41-C87F-AF98B061F1EC}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}"
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=48835

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216

[Housecall ActiveX 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Groove Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\GrooveAX.dll
CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.2812731481

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.3.1/jinstall-1_3_1_04-windows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Accton EN1207D/2242A Adapter Driver: System32\DRIVERS\ACC07D.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido anti-malware\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido anti-malware\ewidoguard.exe (autostart)
NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver: system32\DRIVERS\FA312nd5.sys (manual start)
Netgear FA311/312 NDIS 5.0 Miniport Driver: system32\DRIVERS\FA31xND5.SYS (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
IIS Admin: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)

lewien
2006-03-06, 04:17
FTP Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Peer Networking Group Authentication: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Peer Networking Identity Manager: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Peer Networking: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Peer Name Resolution Protocol: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Microsoft IntelliPoint Filter Driver: system32\DRIVERS\point32.sys (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver: System32\DRIVERS\SMC1211.SYS (manual start)
Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{8BFD85C8-8C48-42D5-AE05-990D2CA37821} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Wide Web Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IBM PC Camera: System32\DRIVERS\C-itnt.sys (manual start)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\program files\fcadvice\__delete_on_reboot__FCAdvice.dll||c:\windows\system32\__delete_on_reboot__dvyapuex.dll||c:\windows\system32\__delete_on_reboot__ezjht.dll|||_

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38,863 bytes
Report generated in 0.381 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

illukka
2006-03-07, 13:02
hi

there's a load of malware in it :(

open hijackthis
click do a system scan only
checkmark these items:

R3 - URLSearchHook: (no name) - {425F3155-FBB7-F111-90DB-858AD1D7FAEC} - C:\WINDOWS\system32\dvyapuex.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {493C4054-DBE5-8A41-C87F-AF98B061F1EC} - C:\WINDOWS\system32\ezjht.dll (file missing)
O2 - BHO: (no name) - {425F3155-FBB7-F111-90DB-858AD1D7FAEC} - C:\WINDOWS\system32\dvyapuex.dll (file missing)
O2 - BHO: (no name) - {493C4054-DBE5-8A41-C87F-AF98B061F1EC} - C:\WINDOWS\system32\ezjht.dll (file missing)
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O4 - HKLM\..\Run: [{04-46-63-32-ZN}] c:\windows\system32\dwdsregt.exe DO0605
O4 - HKLM\..\Run: [zgwnuk] C:\WINDOWS\mmftw.exe
O4 - HKLM\..\Run: [ygqthp] C:\WINDOWS\kbqao.exe
O4 - HKLM\..\Run: [WinXPLoad] Rundll32 LoadDll,LoadExe WinXPLoad.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykoiwq.exe reg_run
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [w39X33Q] faxsam.exe
O4 - HKLM\..\Run: [uxaiqlp] C:\WINDOWS\gymvzxkx.exe
O4 - HKLM\..\Run: [szix] C:\WINDOWS\axfbd.exe
O4 - HKLM\..\Run: [Spyware remover] C:\WINDOWS\Remove_spyware.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [rxamfh] C:\WINDOWS\qojvt.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\bridge.dll",Load
O4 - HKLM\..\Run: [r2h] C:\documents and settings\taylor newcomb\local settings\temp\r2h.exe
O4 - HKLM\..\Run: [nurmtdr] C:\WINDOWS\bdecdod.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iuzuhvl] C:\WINDOWS\iuzuhvl.exe
O4 - HKLM\..\Run: [hipivit] C:\WINDOWS\hipivit.exe
O4 - HKLM\..\Run: [fzrerexfl] C:\WINDOWS\lutmny.exe
O4 - HKLM\..\Run: [fcyebre] C:\WINDOWS\ntlu.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\qtdevrap.exe DO0605
O4 - HKLM\..\Run: [awixvu] C:\WINDOWS\icyqwllwk.exe
O4 - HKLM\..\Run: [AutoLoaderwwqr1NNQPQLO] "C:\WINDOWS\System32\faxsam.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [5D5D61656568696B] 3232363A3A3D3E.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Pwcm74j.exe
O4 - HKCU\..\Run: [Xdmmre] C:\WINDOWS\system32\j?vaw.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [Lerm] "C:\Program Files\saar\elat.exe" -vt yazb
O4 - HKCU\..\Run: [Ybz] C:\Documents and Settings\Taylor Newcomb\My Documents\?ystem32\spoolsv.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qtdevrap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rqdsregs.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: Runner.dll


then close all browsers and explorer windows
and click fix checked


Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
You will need to update ewido to the latest definition files.
On the left-hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


then launch ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.


reboot back to normal mode
post the ewido report and a fresh hjt log
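
As an added triage example (not code from this thread, from HijackThis or from ewido), the script below parses the item lines of a HijackThis v1.99 log and flags the hallmarks illukka used when picking lines to fix: DLLs that are registered but gone from disk, autoruns from Temp or straight out of C:\WINDOWS, look-alike paths containing an unprintable character, hex-string Run key names, bare file names resolved via PATH, a text/html filter, an AppInit_DLLs entry and an IE proxy. The function names are mine; the sample log is a constructed excerpt of lines from this thread with the user profile path replaced by the placeholder <user>.

```python
"""Added triage helper for HijackThis v1.99 logs.

Constructed example: this is not HijackThis code and not a tool from the thread.
It parses the 'Oxx - ...' item lines and flags the hallmarks the helper used when
choosing lines to fix, so a log can be pre-screened before a human reads it.
"""
import re

# "O4 - HKLM\..\Run: [name] cmd"  ->  code "O4", body "HKLM\..\Run: [name] cmd"
LINE_RE = re.compile(r"^(?P<code>[RFOT]\d+) - (?P<body>.*)$")
# O4 registry Run bodies; the [name] part is optional (one line in the thread lacks it)
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)                        # ...\Local Settings\Temp\...
WINROOT_RE = re.compile(r'^"?c:\\windows\\[^\\]+\.exe', re.I)  # file directly in C:\WINDOWS


def parse_hjt(text):
    """Return (code, body) for every HijackThis item line; header lines are skipped."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("code"), m.group("body")))
    return items


def reasons_for(code, body):
    """Heuristics mirroring the thread's triage; returns the reasons an item deserves a look."""
    reasons = []
    low = body.lower()
    if code in ("O2", "R3") and ("(file missing)" in low or "(no file)" in low):
        reasons.append("orphaned BHO/URLSearchHook: registered DLL is gone from disk")
    if code == "O18" and "text/html" in low:
        reasons.append("text/html MIME filter: rewrites every page the browser loads")
    if code == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs loads a DLL into every user-mode process; rarely legitimate")
    if code == "R1" and "proxyserver" in low:
        reasons.append("IE proxy configured: confirm it is yours, otherwise traffic is redirected")
    if code == "O4":
        m = O4_RE.match(body)
        if m:
            name, cmd = m.group("name") or "", m.group("cmd")
            first = cmd.split(" ")[0]
            if TEMP_RE.search(cmd):
                reasons.append("autorun from a Temp folder")
            if WINROOT_RE.match(cmd):
                reasons.append("executable sits directly in C:\\WINDOWS, not in a program folder")
            if "?" in cmd:
                reasons.append("unprintable character in path: look-alike of a system file name")
            if re.fullmatch(r"[0-9a-f]{12,}", name, re.I):
                reasons.append("hex-string Run key name")
            if first.lower().endswith(".exe") and "\\" not in first and not first.startswith('"'):
                reasons.append("bare file name resolved via PATH: confirm which copy actually runs")
    return reasons


def triage(text):
    """Return [(code, body, reasons)] for each item that tripped at least one heuristic."""
    flagged = []
    for code, body in parse_hjt(text):
        reasons = reasons_for(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


# Constructed excerpt: item lines taken from this thread's logs, the user profile
# path replaced by the placeholder <user>.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.65.30:3456
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {425F3155-FBB7-F111-90DB-858AD1D7FAEC} - C:\WINDOWS\system32\dvyapuex.dll (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [zgwnuk] C:\WINDOWS\mmftw.exe
O4 - HKLM\..\Run: [r2h] C:\documents and settings\<user>\local settings\temp\r2h.exe
O4 - HKLM\..\Run: [5D5D61656568696B] 3232363A3A3D3E.exe
O4 - HKCU\..\Run: [Xdmmre] C:\WINDOWS\system32\j?vaw.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: cmstart.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code} - {body}")
        for r in reasons:
            print(f"      -> {r}")
```

The heuristics are a pre-screen, not a verdict: a flagged line still needs a human to confirm, exactly as the helper did in this thread.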

lewien
2006-03-08, 13:49
Logfile of HijackThis v1.99.1
Scan saved at 6:46:11 AM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

lewien
2006-03-08, 13:50
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:41:52 AM, 3/8/2006
+ Report-Checksum: 6ED59CC4

+ Scan result:

HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Error during cleaning
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup


::Report End

illukka
2006-03-08, 23:06
hi

open hijackthis.
click do a system scan only
checkmark/fix these lines
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)


reboot

post a final hjt log

lewien
2006-03-09, 04:00
Logfile of HijackThis v1.99.1
Scan saved at 9:00:13 PM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - AppInit_DLLs: cmstart.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

illukka
2006-03-10, 21:53
hi

there is still one odd item:

c:\windows\system32\cmstart.dll

can you upload that file to
http://www.thespykiller.co.uk/forum/index.php?board=1.0

go to the site, press new topic
put cmstart.dll for illukka as the title
include in your message a link to this thread so we know where it's from

then browse to the file, or copy paste the files path into the box to attach and press post

see these instructions for uploading files too (http://www.thespykiller.co.uk/forum/index.php?topic=5.0)

lewien
2006-03-11, 06:33
I'll do as you requested, but the pop-ups are taking over my computer again. Before I enabled all the items in startup, the pop-ups were gone.....

thanks..............lewien

illukka
2006-03-14, 08:12
yep there seems to be a new infection present, the file i asked you to upload

it looks like a new item, so could it be possible to get a sample of the file for closer examination ?

lewien
2006-03-16, 01:09
Sorry I've been gone a while. My NIC came up with a bang. I thought it was a HW issue. I bought a new NIC...didn't help. I had to use system restore to recover. I went back to the 13th. So we may be backtracking here. I reran MS scan and ewido and hijack. Here's the scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:03:39 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - AppInit_DLLs: cmstart.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

lewien
2006-03-16, 01:09
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:59:51 PM, 3/15/2006
+ Report-Checksum: 7E9EF177

+ Scan result:

HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Error during cleaning
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\echo.exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\i2.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temporary Internet Files\Content.IE5\Q7O3U1W3\echo[1].exe -> Dropper.Small.qn : Cleaned with backup
C:\WINDOWS\lzjnptsq.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\sms112x.exe -> Downloader.VB.tw : Cleaned with backup
C:\WINDOWS\sys0308775630-18.exe -> Downloader.VB.tw : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\system32\rqdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\thwrktz.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\thwrktzA.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\ydboluvt.dll -> Adware.BookedSpace : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

lewien
2006-03-16, 01:11
because I ran into the NIC problem.



------------------------------------------------------------------
illukka

hi

there is still one odd item:

c:\windows\system32\cmstart.dll

can you upload that file to
http://www.thespykiller.co.uk/forum/index.php?board=1.0

go to the site, press new topic
put cmstart.dll for illukka as the title
include in your message a link to this thread so we know where it's from

then browse to the file, or copy-paste the file's path into the box to attach, and press post

see this too: instructions for uploading files

illukka
2006-03-16, 08:14
hi

That file is still present in your log: c:\windows\system32\cmstart.dll

Could it be possible to get a sample of it?

lewien
2006-03-16, 14:34
It's a 60K file. The forum's limit is 60K. Can I email it somewhere?

lewien

lewien
2006-03-16, 14:35
next steps?

illukka
2006-03-16, 14:50
can you upload that file to
http://www.thespykiller.co.uk/forum/index.php?board=1.0

like i posted above

lewien
2006-03-16, 22:28
Done... sorry I missed this the first time...

illukka
2006-03-18, 08:09
hi

Thank you for the file. It appears to have been a new, undetected variant of a known nasty trojan.

Is this file present on your computer:
EQAdvice.exe?

I would like you to perform an online virus scan.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


Also post a fresh HijackThis log.

lewien
2006-03-20, 04:37
Logfile of HijackThis v1.99.1
Scan saved at 9:35:25 PM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VGF5bG9yIE5ld2NvbWI\command.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\ms0675630-18087.exe
C:\windows\mousepad3.exe
C:\WINDOWS\CheckS02.exe
C:\windows\system32\rqdsregs.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iabhi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,suhlsct.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [ms0675630-18087] C:\WINDOWS\ms0675630-18087.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname3.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad3.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard3.exe
O4 - HKLM\..\Run: [{04-46-63-32-ZN}] C:\windows\system32\rqdsregs.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinrsag.exe CORN001
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsag.exe
O4 - Startup: Z_Start.lnk = C:\ZICORN001.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: repairs303169542.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\hrju0519e.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
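
Added example, not part of the original thread: the log above mixes a few dozen normal entries with the handful that actually matter. The script below, written for this page rather than taken from any poster or from HijackThis itself, runs some of the posted lines through the checks an analyst applies by hand: system.ini Shell= must be exactly Explorer.exe and UserInit= exactly userinit.exe; anything listed in AppInit_DLLs, a Winlogon Notify DLL or a text/html MIME filter gets loaded into other processes and deserves a look; an O4 autorun whose target sits in the drive root or the Windows tree instead of Program Files is worth checking. The allow-list of Windows-directory programs and the location heuristic are assumptions made for the demo.

```python
"""Triage of HijackThis 1.99.x log lines: flag the entries that load code at
logon or into other processes.  Added example for this thread, not a tool the
posters used.  The sample lines are copied from the log posted above; the
allow-list and the location heuristic are assumptions made for the demo."""
import re
from dataclasses import dataclass

# Constructed sample: eleven lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iabhi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,suhlsct.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [{04-46-63-32-ZN}] C:\windows\system32\rqdsregs.exe CORN001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Z_Start.lnk = C:\ZICORN001.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: repairs303169542.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\hrju0519e.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Programs that legitimately autorun from the Windows directory on XP.
# Assumption for the demo: a real allow-list is much longer.
WINDIR_ALLOW = {"ctfmon.exe", "nwiz.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the entry needs a look
    line: str      # the log line as posted


def target_path(rhs):
    """Executable path from an O4 value: the quoted path, or the first token."""
    rhs = rhs.strip()
    if rhs.startswith('"') and rhs.count('"') >= 2:
        return rhs[1:rhs.index('"', 1)]
    return rhs.split(" ", 1)[0]


def odd_location(path):
    """True for a file in the drive root or the Windows tree that is not a known
    Windows component (heuristic, assumption for the demo)."""
    low = path.lower()
    parts = low.split("\\")
    if len(parts) == 2 and parts[0].endswith(":"):        # e.g. C:\ZICORN001.exe
        return True
    return low.startswith("c:\\windows") and parts[-1] not in WINDIR_ALLOW


def classify(section, body):
    """Return a reason if the entry deserves review, else None."""
    if section == "F2" and body.startswith("REG:system.ini: "):
        key, _, value = body[len("REG:system.ini: "):].partition("=")
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if key == "Shell" and [e.lower() for e in entries] != ["explorer.exe"]:
            return "Shell= starts something besides Explorer.exe at logon"
        if key == "UserInit" and (len(entries) != 1
                                  or not entries[0].lower().endswith("\\userinit.exe")):
            return "UserInit= chains an extra program into logon"
    elif section == "O4":
        m = (re.match(r"^HK[LC][MU]\\\.\.\\\w+: \[[^\]]*\] (.*)$", body)
             or re.match(r"^(?:Global )?Startup: .*? = (.*)$", body))
        if m and odd_location(target_path(m.group(1))):
            return "autorun target sits in the drive root or the Windows tree"
    elif section == "O18" and body.startswith("Filter: text/html"):
        return "MIME filter on text/html sees every page IE renders"
    elif section == "O20":
        name, _, value = body.partition(":")
        if name == "AppInit_DLLs" and value.strip():
            return "AppInit_DLLs loads this DLL into every user32-linked process"
        if name == "Winlogon Notify":
            return "Winlogon Notify DLL runs inside winlogon.exe at every logon"
    return None


def triage(log_text):
    """All findings for a log, in the order the lines appear."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Z]\d+) - (.*)$", line)
        if m:
            reason = classify(m.group(1), m.group(2))
            if reason:
                findings.append(Finding(m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Run as a script it reports eight of the eleven sample lines and leaves the iTunes, ctfmon and NVIDIA entries alone. The heuristics only rank entries for review; as the thread itself shows with cmstart.dll, a file can be undetected by every scanner until a sample is submitted, so an odd location or an odd loading mechanism is the cue to get the file analysed, not proof by itself.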

lewien
2006-03-20, 04:40
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, March 19, 2006 9:34:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/03/2006
Kaspersky Anti-Virus database records: 182916
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 115952
Number of viruses found: 105
Number of infected objects: 397
Number of suspicious objects: 4
Duration of the scan process: 03:29:26

Infected Object Name / Virus Name / Last Action
C:\comscore.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ConsumerAlertSystem2.zip/dist001.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ConsumerAlertSystem2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ConsumerAlertSystem7.zip/cas2stub.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ConsumerAlertSystem7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-57ab4a91.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c2b4449-570cae81.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3197ec81-255f0401.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Taylor Newcomb\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv640.jar-2b09cfd1-1f1d0043.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\1.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\bs5-ventee.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\bs5-ventee.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\CampusIMFeb.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\CampusIMFeb.exe InstallCreator: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\CampusIMFeb.exe UPX: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\cmdinst.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\cmdinst.exe Inno: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\contextualapp.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.g skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\contextualapp.exe/data0004 Infected: not-a-virus:AdWare.Win32.CASClient.f skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\contextualapp.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\f103458.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\i5.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\M1_SudokuInstaller.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\M1_SudokuInstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\mc-110-12-0000122.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\mc-110-12-0000122.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\MONEY1.exe Infected: Trojan-Downloader.Win32.Adload.t skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\optimize.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Setup93.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Setup93.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Setup93.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Setup93.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Setup93.exe NSIS: infected - 4 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Tagasuarus.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Tagasuarus.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Tagasuarus.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Tagasuarus.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Tagasuarus.exe NSIS: infected - 4 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Temporary Internet Files\Content.IE5\3VAGWEYD\drsmartload[1].exe Infected: Trojan-Downloader.Win32.VB.yu skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Temporary Internet Files\Content.IE5\3VAGWEYD\rcverlib[1].exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Temporary Internet Files\Content.IE5\VL97FJQI\bridge-c18[1].cab/MediaGatewayX.dll Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Temporary Internet Files\Content.IE5\VL97FJQI\bridge-c18[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Temporary Internet Files\Content.IE5\Z98J2B19\MediaGateway[1].exe Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\tp7543.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\transpd.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\transpd.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\win.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\win.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temporary Internet Files\Content.IE5\OPQ3GT6V\AppWrap[1].exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\Documents and Settings\Taylor Newcomb\My Documents\ѕystem32\spoolsv.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ec skipped
C:\DR140306.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\DR140306.exe NSIS: infected - 1 skipped
C:\drsmartload1.exe Infected: Trojan-Downloader.Win32.VB.yu skipped
C:\keyboard1.exe Infected: Trojan-Downloader.Win32.VB.ys skipped
C:\keyboard3.exe Infected: Trojan-Downloader.Win32.VB.yv skipped
C:\krw1dn.exe Infected: Trojan-Downloader.Win32.Agent.agy skipped
C:\mousepad3.exe Infected: Trojan-Clicker.Win32.VB.lv skipped
C:\mti-hits.exe Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\newname3.exe Infected: Trojan-Downloader.Win32.VB.ri skipped
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe NSIS: infected - 1 skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C47F2CC-FD68-44E7-B542-ED6FC2\09A9EEEC-8AC3-4703-BB02-A37FE2 Infected: not-a-virus:AdWare.Win32.Softomate.j skipped
C:\Program Files\Network Monitor\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Program Files\NewDotNet\newdotnet7_22.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\Program Files\saar\elat.exe Infected: Trojan-Downloader.Win32.PurityScan.br skipped
C:\Program Files\webHancer\Programs\webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\Program Files\webHancer\Programs\whagent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Program Files\webHancer\Programs\whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\Program Files\webHancer\Programs\whsurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Dc26.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.j skipped
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Dc26.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.j skipped
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Dc26.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Dc28.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.j skipped
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Dc28.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.j skipped
C:\RECYCLER\S-1-5-21-166745521-4217759621-2681017343-1004\Dc28.exe NSIS: infected - 2 skipped
C:\stub_113_4_0_4_0.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078814.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078815.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078816.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078817.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078827.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078828.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078829.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP401\A0078830.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP402\A0078908.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP405\A0078914.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP405\A0078915.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP405\A0078934.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP405\A0078935.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP405\A0078936.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP406\A0079161.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP406\A0079162.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP406\A0079163.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP406\A0079164.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP408\A0080161.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP408\A0080162.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP408\A0080163.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP408\A0080164.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP412\A0080307.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP412\A0080308.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP412\A0080309.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080402.exe Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080403.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080410.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080410.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080412.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080414.ocx Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.c skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080419.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.j skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP416\A0080420.dll Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080437.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080439.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080440.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080441.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080452.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080453.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080454.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080455.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP417\A0080457.dll Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0080476.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0080477.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0080478.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0080479.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0081472.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0081473.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP418\A0081474.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped

lewien
2006-03-20, 04:40
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP420\A0081523.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP420\A0081524.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP420\A0081526.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0081558.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0081559.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0082521.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0082523.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0082524.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0083522.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0083523.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0083524.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP421\A0083525.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP422\A0083548.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dy skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP422\A0084523.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP422\A0084524.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP422\A0084525.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP422\A0084526.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP432\A0084614.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP432\A0084617.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP432\A0084618.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP432\A0084619.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP432\A0084624.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP433\A0084687.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP433\A0084687.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP433\A0084698.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP434\A0084712.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP434\A0084714.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP434\A0084715.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP434\A0084716.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP434\A0084732.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085702.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085703.exe Infected: Trojan-Downloader.Win32.VB.hj skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085713.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085714.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085719.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085720.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085721.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP435\A0085728.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085744.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085745.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085746.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085750.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085751.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085795.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085795.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085797.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085805.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085823.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085830.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085831.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085836.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085837.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085838.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP436\A0085840.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP438\A0085869.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP439\A0085884.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP439\A0085885.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP440\A0086865.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP440\A0086867.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP440\A0086868.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP440\A0086869.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP444\A0086943.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP444\A0086945.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP444\A0086946.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP444\A0086947.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087013.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087014.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087015.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087187.exe/data.rar/kans.reg Infected: Trojan.WinREG.LowZones.f skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087187.exe/data.rar/kansup.reg Infected: Trojan.WinREG.LowZones.f skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087187.exe/data.rar/trufkz.html Infected: Trojan-Clicker.JS.Linker.g skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087187.exe/data.rar/x.bat Infected: Trojan.WinREG.LowZones.f skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087187.exe/data.rar Infected: Trojan.WinREG.LowZones.f skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087187.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087220.exe Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087349.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087353.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0087354.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0088346.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0088347.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0088348.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP445\A0088349.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP447\A0088563.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP447\A0088564.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP447\A0088565.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP447\A0088566.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089558.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089559.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089560.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089561.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089575.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089577.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089578.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089579.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089587.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089588.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP448\A0089589.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089663.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089666.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089670.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089671.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089672.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089677.exe Infected: Trojan-Downloader.Win32.Small.cdy skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089679.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089680.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089681.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089684.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089686.exe Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089688.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089689.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089690.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089691.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089692.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089693.exe Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089694.dll Infected: Trojan-Dropper.Win32.Small.gv skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089695.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089696.dll Infected: Trojan-Dropper.Win32.Small.abe skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089699.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089700.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.y skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089702.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.k skipped

lewien
2006-03-20, 04:41
d: not-a-virus:AdWare.Win32.ClientMan skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089704.dll Infected: not-a-virus:AdWare.Win32.Ipend skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089705.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089706.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.l skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089708.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089709.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089710.exe Infected: not-a-virus:AdWare.Win32.AdBlaster.d skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089715.exe Infected: Trojan-Downloader.Win32.Small.bmx skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089723.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089724.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089725.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089726.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089729.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP455\A0089773.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP455\A0089824.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP456\A0089826.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP457\A0089836.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP458\A0089961.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP460\A0089964.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP461\A0089965.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP462\A0089966.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP463\A0089967.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP463\A0089972.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP463\A0089973.exe Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP463\A0089974.dll Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP465\A0090089.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eb skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP465\A0091082.dll Infected: not-a-virus:AdWare.Win32.CASClient.g skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP465\A0091083.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP465\A0091084.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP466\A0091098.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091134.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091134.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091134.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091156.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091197.exe Infected: Trojan-Downloader.Win32.VB.ya skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091198.exe Infected: Trojan-Downloader.Win32.Agent.agy skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091199.exe Infected: Trojan-Clicker.Win32.VB.li skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP468\A0091201.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.y skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094244.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094245.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094246.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094247.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094248.exe Infected: Trojan.Win32.Runner.h skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094249.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094250.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094251.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094252.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP470\A0094253.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP471\A0094266.dll Infected: not-a-virus:AdWare.Win32.Softomate.j skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP474\A0094311.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094314.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094316.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094319.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094320.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094321.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094323.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094328.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094329.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094330.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP475\A0094331.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0095340.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0095341.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0095342.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0095343.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096330.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096334.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096347.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096351.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096356.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096360.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096463.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096482.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096486.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096487.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096488.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096489.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096494.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096495.exe Infected: Trojan-Clicker.Win32.VB.is skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\A0096498.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\snapshot\MFEX-2.DAT Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP476\snapshot\MFEX-4.DAT Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\ventfe1.exe NSIS: infected - 1 skipped
C:\WHCC2.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\WHCC2.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe RarSFX: infected - 5 skipped
C:\WINDOWS\CheckS02.exe Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\DH.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\DHU.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\DHU.exe NSIS: infected - 1 skipped
C:\WINDOWS\icont.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\WINDOWS\Installer.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\inst_adperform.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai skipped
C:\WINDOWS\keyboard3.exe Infected: Trojan-Downloader.Win32.VB.yv skipped
C:\WINDOWS\mousepad3.exe Infected: Trojan-Clicker.Win32.VB.lv skipped
C:\WINDOWS\ms0675630-18087.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\newname3.exe Infected: Trojan-Downloader.Win32.VB.ri skipped
C:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\pf78.exe NSIS: infected - 1 skipped
C:\WINDOWS\pf79.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\WINDOWS\sngpw40.exe Infected: not-a-virus:AdWare.Win32.AdBlaster.d skipped
C:\WINDOWS\SS1001.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\WINDOWS\SS1001.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\0B0B0F13131617.exe Infected: Trojan.Win32.VB.aft skipped
C:\WINDOWS\system32\0un37cqa.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\2.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\WINDOWS\system32\biU.exe0 Infected: Trojan-Dropper.Win32.Agent.og skipped
C:\WINDOWS\system32\dmonwv.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\WINDOWS\system32\exp.exe Infected: Trojan-Downloader.Win32.Small.abd skipped
C:\WINDOWS\system32\glkef.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\system32\irsinst.exe/data0006 Infected: Backdoor.Win32.HacDef.bo skipped
C:\WINDOWS\system32\irsinst.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\mscgdc.dll Infected: not-a-virus:AdWare.Win32.WebSearch.bb skipped
C:\WINDOWS\system32\ndtshell.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\system32\ngpw40.exe Infected: not-a-virus:AdWare.Win32.AdBlaster.d skipped
C:\WINDOWS\system32\qauoese.dll Infected: Trojan-Downloader.Win32.Qoologic.aw skipped
C:\WINDOWS\system32\rk.bin Infected: not-a-virus:AdWare.Win32.RK.f skipped
C:\WINDOWS\system32\rlls.dll Infected: not-a-virus:AdWare.Win32.RK.e skipped
C:\WINDOWS\system32\rlvknlg.exe Infected: not-a-virus:AdWare.Win32.RK.f skipped
C:\WINDOWS\system32\rqdsregs.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\WINDOWS\system32\sms_msn40.exe Infected: not-a-virus:AdWare.Win32.AdBlaster.d skipped
C:\WINDOWS\system32\w9seq.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\winspy.exe Infected: Trojan-Downloader.Win32.Small.ckq skipped
C:\WINDOWS\system32\wnygt.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\Temp\bw2.com Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\WINDOWS\thwrktz.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\WINDOWS\tmp333.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\WINDOWS\tmp333.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e skipped
C:\WINDOWS\tmp333.exe NSIS: infected - 2 skipped
C:\WINDOWS\VGF5bG9yIE5ld2NvbWI\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\VGF5bG9yIE5ld2NvbWI\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\YOINSI.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\YOINSI.exe NSIS: infected - 1 skipped
C:\ZICORN001.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
F:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089717.dll Infected: Trojan-Downloader.Win32.Lemmy.u skipped
F:\System Volume Information\_restore{59D74737-066F-490E-88C0-28A483640129}\RP454\A0089718.dll Infected: Trojan-Downloader.Win32.Lemmy.u skipped

Scan process completed.

lewien
2006-03-20, 04:44
This was hard... pop-ups were popping in... Windows Defender was working overtime trying to remove sidekick and cmdserv and others... I hope we can nail this... my daughter wants me to buy a new computer... :)

thanks for the help!

lewien

illukka
2006-03-20, 10:42
ok, let's start all over again

you already have ewido, so just update it. otherwise proceed with the instructions

hi

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
http://metallica.geekstogo.com/BFUonlinescript.jpg

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


next:



Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


then launch ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

reboot back to normal mode
post the ewido report and a fresh hjt log

NOTE the ewido log will be huge, edit out all detected cookies and files that were located at C:\System Volume Information\_restore to make it shorter

lewien
2006-03-21, 14:50
I tried to go through the process you asked, too many popups! My computer hung. So I went to safe mode. I still get popups but they seem to be controllable. I followed the procedure.

In safe mode:

ran BFU
Updated Ewido
ran scan with Ewido
but.....Ewido did not let me save the file. I tried it again....same result.

also I get these errors on boot:

RUNDLL
Error loading C:\Progra~\1\NEWDOT~2\NEWDOT~2.DLL

.NET Framework Initialization Error
C:\windows.NEt\Framwork\v1.14322.dll could not be loaded

Here's my hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 7:32:26 AM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\VGF5bG9yIE5ld2NvbWI\command.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\ms0675630-18087.exe
C:\windows\mousepad4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\rqdsregs.exe
C:\WINDOWS\system32\0B0B0F13131617.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\WINDOWS\system32\qwinrsag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winspy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iabhi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,suhlsct.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [ms0675630-18087] C:\WINDOWS\ms0675630-18087.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~2\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [{04-46-63-32-ZN}] C:\windows\system32\rqdsregs.exe CORN001
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinrsag.exe CORN001
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [5D5D61656568696B] 0B0B0F13131617.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunOnce: [Del6710] cmd /c del C:\DOCUME~1\TAYLOR~1\LOCALS~1\Temp\BundleInstall.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsag.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: repairs303169542.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\k8no0i53e8.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGF5bG9yIE5ld2NvbWI\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
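
The log above is the kind of listing a helper reads entry by entry. As an added example that is not code from this thread or from HijackThis, here is a small Python triage script that parses the same R0/R1, F2, O4, O10, O20 and O23 entry formats and ranks the entries worth asking about first; its sample input is a constructed subset of lines copied from the log above, and the directory allowlist, the hex-name test and the known-host list are assumptions of the example.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example, not
code from the thread or from HijackThis). The directory allowlist, hex-name
test and known-host list below are assumptions of this example."""
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample input: a subset of entries copied from the log posted
# above, mixing vendor entries with the ones the helper later acted on.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iabhi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,suhlsct.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [5D5D61656568696B] 0B0B0F13131617.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O20 - AppInit_DLLs: repairs303169542.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\k8no0i53e8.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGF5bG9yIE5ld2NvbWI\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")  # assumed allowlist
KNOWN_HOSTS = ("microsoft.com", "msn.com", "yahoo.com", "google.com")  # assumed
# Hex-only stems of 8+ chars (0B0B0F13131617.exe) are typical generated names.
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# severity is "high" or "review"; section is the HijackThis tag, e.g. "O23".
Finding = namedtuple("Finding", "severity section reason line")


def _suspicious_path(path: str) -> Optional[str]:
    """Reason if an autostart binary path looks out of place, else None. The
    bare-name rule has false positives for PATH-resolved vendor entries such
    as nwiz.exe, which is why O4 hits are only ranked 'review'."""
    p = path.strip().strip('"').lower()
    if HEX_NAME.match(p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]):
        return "hex-looking file name"
    if "\\" not in p:
        return "bare file name without a directory"
    if not p.startswith(EXPECTED_DIRS):
        return "binary outside system32 / Program Files"
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis entry; None means nothing to ask about."""
    line = line.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1"):  # start/search page hijack -> unfamiliar host
        url = body.split(" = ", 1)[-1].strip()
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host and not host.endswith(KNOWN_HOSTS):
            return Finding("review", section, f"IE page points at {host}", line)
    elif section == "F2":  # Shell=/UserInit= must name only the Windows binary
        key, _, value = body.partition("=")
        key = key.rsplit(None, 1)[-1].lower()
        parts = [v.strip() for v in value.split(",") if v.strip()]
        expected = {"shell": "explorer.exe", "userinit": "userinit.exe"}
        if key in expected and (len(parts) != 1 or
                                parts[0].rsplit("\\", 1)[-1].lower() != expected[key]):
            return Finding("high", section, f"extra program chained on {key}=", line)
    elif section == "O4":  # Run entries: odd target path or hex-looking name
        m4 = re.search(r"\[([^\]]*)\]\s*(.*)$", body)
        if m4:
            name, command = m4.groups()
            target = (command[1:].split('"', 1)[0] if command.startswith('"')
                      else (command.split() or [command])[0])
            why = _suspicious_path(target) or (
                "hex-looking entry name" if HEX_NAME.match(name) else None)
            if why:
                return Finding("review", section, why, line)
    elif section == "O10":  # Winsock LSP: needs a dedicated repair, not deletion
        sev = "high" if body.startswith("Broken") else "review"
        return Finding(sev, section, "Winsock LSP entry", line)
    elif section == "O20":  # AppInit_DLLs loads into every user-mode process
        if body.startswith("AppInit_DLLs:"):
            return Finding("high", section, "DLL injected via AppInit_DLLs", line)
        return Finding("review", section, "non-default Winlogon Notify package", line)
    elif section == "O23":  # "Unknown owner": binary carries no vendor info
        reasons = ["no vendor recorded"] if "Unknown owner" in body else []
        why = _suspicious_path(body.rsplit(" - ", 1)[-1])
        if why:
            reasons.append(why)
        if reasons:
            return Finding("high" if len(reasons) > 1 else "review", section,
                           "; ".join(reasons), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Triage a whole log; 'high' findings come first."""
    found = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(found, key=lambda f: (f.severity != "high", f.section))
```

Run against the sample, it ranks the system.ini Shell/UserInit chains, the AppInit_DLLs entry, the broken LSP and the unowned cmdService service as "high", while the IntelliType and NVIDIA entries produce no finding.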

lewien
2006-03-21, 16:20
I just realized I was in Safe Mode with Networking so I could update Ewido. I just restarted in "SAFE MODE" only and kicked off Ewido.

If all goes well I'll post the results tonight.

lewien

illukka
2006-03-21, 19:45
hi

good luck and keep us posted on how it goes :bigthumb:

lewien
2006-03-23, 03:16
I restarted my pc and found the same bangs on the NIC I saw before and fixed by using system restore. I also had the same boot errors I mentioned before.


So............I used system restore to recover. I went back to 3/1. Then I updated Ewido, then rebooted into safe mode. Then re-ran Ewido scan.

Here's the log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:36:19 PM, 3/22/2006
+ Report-Checksum: 1F040E09

+ Scan result:

HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Error during cleaning
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Error during cleaning
C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temp\Temporary Internet Files\Content.IE5\67HOOFJ3\drsmartload46a[1].exe -> Downloader.Adload.ab : Cleaned with backup
C:\Documents and Settings\Taylor Newcomb\Local Settings\Temporary Internet Files\Content.IE5\85YVWH6N\mousepad4[2].exe -> Hijacker.VB.lv : Cleaned with backup
C:\WINDOWS\system32\biU.exe0/bi.dll -> Adware.BiSpy : Cleaned with backup
C:\WINDOWS\system32\biU.exe0/preInsBI.exe -> Adware.BiSpy : Cleaned with backup
C:\WINDOWS\system32\biU.exe0/bi.dll -> Adware.BiSpy : Cleaned with backup
C:\WINDOWS\system32\biU.exe0/preInsBI.exe -> Adware.BiSpy : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kcbsfvf.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\system32\nоpdb.exe -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\repairs303169542(2)(2).dll -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\wnygt.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\ykoiwq.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\Temp\Cookies\taylor newcomb@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2L8BATA5\MediaGateway[1].exe -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\D4ONLLOP\bridge-c18[1].cab/MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\D4ONLLOP\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\WINDOWS\Temp\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup


::Report End

lewien
2006-03-23, 03:17
Logfile of HijackThis v1.99.1
Scan saved at 7:43:55 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094677901601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139682212216
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

lewien
2006-03-23, 03:18
In the past several minutes as I wrote this no POP UPs appeared!

knock on wood!

lewien

illukka
2006-03-23, 12:50
:bigthumb: :bigthumb:
hi

sounds great :)
you did a good job there :)

read the following carefully, especially the part of antiviruses and firewalls
ewido, while it's a great program, is not an antivirus. you need to have one
below you'll find links to some free av resources


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Managing Windows Millennium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
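The HOSTS-file blocking that illukka describes above (every listed ad or malware hostname is pinned to 127.0.0.1, so the lookup never leaves the machine) can be shown in a few lines. The block below is an added example for this thread, not code from the MVPS project or from anyone in the thread: it parses HOSTS-file syntax the way the Windows resolver reads it (first entry for a name wins, `#` starts a comment, one line may carry several aliases), answers lookups from that table, and also flags the opposite case a HijackThis-style check cares about: a name mapped to a routable address, which is how a hijacked HOSTS file looks. The sample HOSTS text and all domain names in it are constructed placeholders.

```python
"""
HOSTS-file blocklist lookup, in the style of the MVPS Hosts file.
Added example, not code from the thread or from the MVPS project.
All hostnames and addresses below are constructed placeholders.
"""
import ipaddress

# Constructed sample in HOSTS-file syntax: "<ip> <hostname> [alias ...]" per line.
SAMPLE_HOSTS = """\
# Constructed sample, modelled on the layout of a blocking HOSTS file
127.0.0.1  localhost
127.0.0.1  ads.example-tracker.invalid   # block an ad server
127.0.0.1  popups.example-adnet.invalid  # block a popup network
::1        localhost
0.0.0.0    beacon.example-spyware.invalid
203.0.113.7  www.example-bank.invalid   # constructed: a hijacked entry looks like this
"""

# Addresses that keep traffic on the local machine (MVPS uses 127.0.0.1 or 0.0.0.0).
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname (lowercase): ip} from HOSTS-file text.

    Comments and blank lines are skipped, malformed lines are ignored, and
    the first entry seen for a name wins, as the resolver does.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # no hostname on the line
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # first field is not an IP address
        for name in parts[1:]:                  # one line may list several aliases
            table.setdefault(name.lower(), ip)
    return table


def _normalize(hostname):
    return hostname.strip().rstrip(".").lower()


def resolve(table, hostname):
    """Answer a lookup from the HOSTS table; None means fall through to DNS."""
    return table.get(_normalize(hostname))


def is_blocked(table, hostname):
    """True when the HOSTS file pins hostname to a local, non-routable address."""
    name = _normalize(hostname)
    if name == "localhost":
        return False                            # localhost is local by definition
    return table.get(name) in LOCAL_ADDRESSES


def suspicious_entries(table):
    """Entries that point a name at a routable address: the sign of a HOSTS hijack."""
    return {
        name: ip
        for name, ip in table.items()
        if ip not in LOCAL_ADDRESSES
    }


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "www.example.invalid", "localhost"):
        print(f"{name}: resolve={resolve(hosts, name)} blocked={is_blocked(hosts, name)}")
    print("suspicious:", suspicious_entries(hosts))
```

Running the module prints the lookup result for a blocked ad host, a host absent from the table (falls through to DNS), and `localhost`, then lists the one constructed entry that points at a public address. A blocking HOSTS file only stops connections to names it lists, which is why illukka pairs it with IE/Spyad and an up-to-date antivirus rather than relying on it alone.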

lewien
2006-03-23, 13:58
illukka,

Thank you very much for helping me through this. I left my pc on all night and came in this morning and no POPUP's occurred.

I did remember what set me back in the middle of all this. Approx 2 weeks back I went to MSCONFIG and turned on all the items in the startup tab. I just ran MSCONFIG again and I still see all these "un checked" items. Should I clean them up?

lewien

illukka
2006-03-23, 17:08
hi

yes of course, some spyware scans like adaware and spybot should also be run to get rid of the extra registry entries

tashi
2006-03-29, 01:38
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help, thank you illukka.