
Thread: No system restore.Antivirus pop ups & desktop tray pop ups

  1. #11
    Member
    Join Date
    Aug 2006
    Posts
    76


    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\34]
    "Source"="http://newyork.yankees.mlb.com/images/players/action/ph_114739.jpg"
    "SubscribedURL"="http://newyork.yankees.mlb.com/images/players/action/ph_114739.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,ff,02,00,00,55,01,00,00,b8,00,00,00,7e,00,00,00,2c,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,94,02,00,00,a1,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,1c,06,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,28,c0,16,05

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\35]
    "Source"="http://newyork.yankees.mlb.com/images/players/action/ph_121250.jpg"
    "SubscribedURL"="http://newyork.yankees.mlb.com/images/players/action/ph_121250.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,dd,02,00,00,7b,00,00,00,bf,00,00,00,87,00,00,00,2e,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,12,02,00,00,23,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,12,02,00,00,23,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\36]
    "Source"="http://newyork.yankees.mlb.com/images/players/action/ph_122111.jpg"
    "SubscribedURL"="http://newyork.yankees.mlb.com/images/players/action/ph_122111.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,5a,02,00,00,50,00,00,00,bf,00,00,00,87,00,00,00,30,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,12,02,00,00,19,01,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,52,06,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,18,f6,db,04

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\37]
    "Source"="http://newyork.yankees.mlb.com/images/players/action/ph_116539.jpg"
    "SubscribedURL"="http://newyork.yankees.mlb.com/images/players/action/ph_116539.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,ce,01,00,00,38,00,00,00,bf,00,00,00,87,00,00,00,32,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,12,01,00,00,23,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,52,06,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,90,93,92,05

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\38]
    "Source"="http://minnesota.twins.mlb.com/images/players/action/ph_116338.jpg"
    "SubscribedURL"="http://minnesota.twins.mlb.com/images/players/action/ph_116338.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,2c,01,00,00,34,00,00,00,bf,00,00,00,87,00,00,00,34,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,ee,00,00,00,47,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,8e,08,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,08,53,b7,06

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\39]
    "Source"="http://boston.redsox.mlb.com/images/players/action/ph_120903.jpg"
    "SubscribedURL"="http://boston.redsox.mlb.com/images/players/action/ph_120903.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,67,00,00,00,21,00,00,00,b7,00,00,00,87,00,00,00,36,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ee,01,00,00,47,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,6e,08,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,00,a2,b2,06

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
    "Source"="http://chicago.cubs.mlb.com/images/players/action/ph_122544.jpg"
    "SubscribedURL"="http://chicago.cubs.mlb.com/images/players/action/ph_122544.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,53,00,00,00,b3,01,00,00,bf,00,00,00,87,00,00,00,f0,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,03,00,00,2b,01,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,a0,09,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,e8,87,d8,04

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\40]
    "Source"="http://www.nba.com/media/act_vince_carter.jpg"
    "SubscribedURL"="http://www.nba.com/media/act_vince_carter.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,05,01,00,00,27,01,00,00,9a,00,00,00,f9,00,00,00,38,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,a6,01,00,00,8f,00,00,00,8c,00,00,00,dc,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,e1,06,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,40,84,1b,08

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\41]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,3a,\
    04,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
    "Source"="http://newyork.yankees.mlb.com/images/players/action/ph_121347.jpg"
    "SubscribedURL"="http://newyork.yankees.mlb.com/images/players/action/ph_121347.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,61,02,00,00,85,00,00,00,bf,00,00,00,87,00,00,00,f2,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,dc,02,00,00,59,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,88,05,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,98,8f,b3,06

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
    "Source"="http://chicago.whitesox.mlb.com/images/players/action/ph_123245.jpg"
    "SubscribedURL"="http://chicago.whitesox.mlb.com/images/players/action/ph_123245.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,80,02,00,00,87,00,00,00,bf,00,00,00,87,00,00,00,f4,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ee,00,00,00,3d,01,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,8e,08,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,98,8f,b3,06

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
    "Source"="http://tampabay.devilrays.mlb.com/images/players/action/ph_408307.jpg"
    "SubscribedURL"="http://tampabay.devilrays.mlb.com/images/players/action/ph_408307.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,c3,01,00,00,85,00,00,00,bf,00,00,00,87,00,00,00,f6,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,02,00,00,35,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,63,03,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,a0,87,a7,05

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\8]
    "Source"="http://stlouis.cardinals.mlb.com/images/players/action/ph_405395.jpg"
    "SubscribedURL"="http://stlouis.cardinals.mlb.com/images/players/action/ph_405395.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,61,02,00,00,b3,01,00,00,bf,00,00,00,87,00,00,00,f8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,03,00,00,35,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,9d,08,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,40,68,23,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\9]
    "Source"="http://florida.marlins.mlb.com/images/players/action/ph_334393.jpg"
    "SubscribedURL"="http://florida.marlins.mlb.com/images/players/action/ph_334393.jpg"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,89,02,00,00,d4,01,00,00,bf,00,00,00,87,00,00,00,fa,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ee,02,00,00,47,00,00,00,bf,00,00,00,87,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,6e,08,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
    e7,77,18,d7,e7,04

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alexis^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path"="C:\\Documents and Settings\\Alexis\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk"
    "backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup"
    "location"="Startup"
    "command"="C:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSOEMON.EXE "
    "item"="MyWebSearch Email Plugin"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Forget Me Not.lnk"
    "backup"="C:\\WINDOWS\\pss\\Forget Me Not.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\BRODER~1\\AGCREA~1\\AGRemind.exe "
    "item"="Forget Me Not"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
    "backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Google\\GOOGLE~2\\11489~1.276\\GOOGLE~1.EXE -systray -startup"
    "item"="Google Updater"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="aim"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:_Program Files_WordPerfe3a]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CorUpd"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\WordPerfect Office 11\\Programs\\CorUpd.exe /Watch"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:_PROGRA~1_WORDPE~1_Progr28]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CorUpd"
    "hkey"="HKCU"
    "command"="C:\\PROGRA~1\\WORDPE~1\\Programs\\CorUpd.exe /Watch"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DesktopWeather"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPClientMonitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="GPClientMonitor"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\GalleryPlayer\\Player\\GPClientMonitor.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPDownloadManager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="GPDownloadManager"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\GalleryPlayer\\Player\\GPDownloadManager.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrivacyScanner]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="pscan"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Privacy Champion\\pscan.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realplay"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
    "inimapping"="0"

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
    DisableRegistryTools REG_DWORD 0 (0x0)
    DisableTaskMgr REG_DWORD 0 (0x0)
    NoDispAppearancePage REG_DWORD 0 (0x0)
    NoColorChoice REG_DWORD 0 (0x0)
    NoSizeChoice REG_DWORD 0 (0x0)
    NoDispBackgroundPage REG_DWORD 0 (0x0)
    NoDispScrSavPage REG_DWORD 0 (0x0)
    NoDispCPL REG_DWORD 0 (0x0)
    NoVisualStyleChoice REG_DWORD 0 (0x0)
    NoDispSettingsPage REG_DWORD 0 (0x0)



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\ (HOME-Matt).job

    Completion time: Fri 08/11/2006 21:34:36.89
    ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

    ComboFix.2006-08-11.211509.txt

  2. #12
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi
    What version of SpyBot do you have?
    Do you have any P2P programs or mIRC, and is Microsoft Office installed?
    Have there been any problems with it?
    How many drives does this PC have, and is it networked?
    GEDZAC labs
    http://www.sophos.com/security/analyses/w32cazdegb.html
    Open a command prompt (Start > Run, type cmd, press Enter), then type the following (include the quotes):
    sc delete ".NET Connection Service"
    press enter, type in
    sc delete "GEDZAC LABS"
    press enter, type in
    sc delete "ICS"
    press enter, type in
    sc delete "WinToolsSvc"

    press Enter, then type exit and press Enter to close the command prompt.


    Start HijackThis and place a check next to these items, if they are present.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cehwlom.exe
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {15BF9F3F-2FDC-2551-868C-204043E1FC97} - (no file)
    O2 - BHO: (no name) - {2592AF36-029E-1361-ABB8-636D76D9D1AE} - (no file)
    O2 - BHO: (no name) - {268B99C9-6C33-23CF-5743-0C9B392FDDF4} - (no file)
    O2 - BHO: (no name) - {29401FB2-7814-4074-9F48-BB20680D1861} - (no file)
    O2 - BHO: (no name) - {39D5337C-C739-0DEA-8056-175508AE2812} - (no file)
    O2 - BHO: (no name) - {3B8E302D-C261-59B7-D154-175508A02E49} - (no file)
    O2 - BHO: (no name) - {4541A1B2-BBC4-4ED0-9269-46D9CADE209F} - (no file)
    O2 - BHO: (no name) - {4DE1205B-3CF0-4A15-353F-2011F6A2C0D4} - (no file)
    O2 - BHO: (no name) - {85745D40-B1F6-EE72-FE2D-BFC9DBC86F99} - (no file)
    O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\system32\vf1v62x.dll
    O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)
    O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
    O4 - HKLM\..\Run: [73305db.exe] C:\WINDOWS\system32\73305db.exe
    O4 - HKCU\..\Run: [73305db.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\73305db.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\clbcatix.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\clbcatix.dll (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/228/installer.exe
    O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
    O20 - Winlogon Notify: cbxyxwx - cbxyxwx.dll (file missing)
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g7167656.dll (file missing)
    O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll (file missing)
    O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
    O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
    ====================================
    Click "Fix checked" and close HijackThis.
    Launch Notepad (not WordPad) and copy and paste the contents of the code box below into a new text file.
    Save it with the file name "fixme.reg" (not including the quotes), set "Save as type" to All Files (*.*), and save it on your Desktop.
    Code:
    REGEDIT4
    ;
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    ;
    Now double-click the fixme.reg file you saved and click Yes when it asks whether you want to merge the information. Once you get a success message, delete fixme.reg.

    Restart the PC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Follow the instructions here, including the logs mentioned at the bottom:
    http://forums.spybot.info/showthread.php?t=4015
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #13
    Member
    Join Date
    Aug 2006
    Posts
    76


    Thanks for helping. To answer your questions:

    SpyBot 1.4
    No P2P or Microsoft Office to my knowledge.
    Not networked and I have 3.

    -Local Disk (C:)
    -DVD Drive (D:)
    -CD-RW Drive (E:)
    ***-DVD Drive (F:) - I just noticed this today when I opened 'My Computer'. If I click Eject nothing happens, whereas if I click Eject on D: the DVD drive opens.

    I could not delete ICS, but I did everything else according to your steps.

  4. #14
    Member
    Join Date
    Aug 2006
    Posts
    76


    SmitFraudFix v2.81

    Scan done at 9:08:45.35, Sat 08/12/2006
    Run from C:\Documents and Settings\Matt\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\drsmartload?.exe Deleted
    C:\MTE3NDI6ODoxNg.exe Deleted
    C:\uniq Deleted
    C:\winstall.exe Deleted
    C:\WINDOWS\drsmartload2.dat Deleted
    C:\WINDOWS\keyboard1.dat Deleted
    C:\WINDOWS\newname.dat Deleted
    C:\WINDOWS\teller2.chk Deleted
    C:\WINDOWS\system32\components\flx?.dll Deleted
    C:\WINDOWS\system32\components\flx??.dll Deleted
    C:\Documents and Settings\Matt\Application Data\Install.dat Deleted
    C:\Program Files\Safety Bar\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"



    »»»»»»»»»»»»»»»»»»»»»»»» End

  5. #15
    Member
    Join Date
    Aug 2006
    Posts
    76


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:22:38 AM 8/12/2006

    + Scan result:



    HKU\.DEFAULT\Software\VoiceIP -> Adware.BetterInternet : Cleaned with backup (quarantined).
    HKU\S-1-5-18\Software\VoiceIP -> Adware.BetterInternet : Cleaned with backup (quarantined).
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\VoiceIP -> Adware.BetterInternet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RelevantKnowledge -> Adware.BroadCastPC : Cleaned with backup (quarantined).
    C:\WINDOWS\U3RlcGhlbiBKLiBUb3dsZXI\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_ -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\WINDOWS\U3RlcGhlbiBKLiBUb3dsZXI\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_ -> Adware.CommAd : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Adware.Delfin : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{052b12f7-86fa-4921-8482-26c42316b522} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Bar -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E422F49-1566-40D3-B43D-077EF739AC32} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__c_j_y_p_t_3_2_._d_l_l_ -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__e_l_t_m_g_r_._d_l_l_ -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cssetacl.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\d8j0li1m18.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\kydhe220.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    [696] C:\WINDOWS\system32\wzpsrcwp.dll -> Adware.Look2Me : Error during cleaning.
    [844] C:\WINDOWS\system32\wzpsrcwp.dll -> Adware.Look2Me : Error during cleaning.
    HKLM\SOFTWARE\MaxSpeed -> Adware.Maxspeed : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\bez6n4r21.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cvn0.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cymmh.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\ghynf.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\WINDOWS\system32bez6n4r21.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\WINDOWS\system32ghynf.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\Documents and Settings\Matt\Desktop\hijackthis\backups\backup-20060812-083906-147.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32XTXPf[ttToZ -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__n_9_n_y_b_._e_x_e_ -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__z_q_s_k_w_._e_x_e_ -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\vf1v62x.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\vp1i4.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\wfxqhv.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\xeymi.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\y3aqsoepa.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32n9nyb.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32y3aqs[ttToZ -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\WINDOWS\system32y3aqsoepa.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
    C:\Downloads\RollerCoasterTycoon2-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\SplWbr.dll -> Adware.VirtualBouncer : Cleaned with backup (quarantined).
    C:\WINDOWS\prelimhanse.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
    C:\drsmartload45a8b9abc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\drsmartload46a8b9abc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\drsmartload849a8b9abc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ -> Downloader.Agent.agw : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__w_0_0_5_c_e_1_5_._d_l_l_ -> Downloader.Agent.ahv : Cleaned with backup (quarantined).
    C:\fym9bvo.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
    C:\uchcsi.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
    C:\WINDOWS\nem220.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
    C:\WINDOWS\pf79.exe -> Downloader.Dyfuca.ei : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Local Settings\Application Data\73305db.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jane\Local Settings\Application Data\73305db.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
    C:\Documents and Settings\Matt\Local Settings\Application Data\73305db.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\73305db.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__b_a_j_p_b_j_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__h_h_j_p_r_r_x_._d_l_l_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__q_j_a_t_b_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\gwxsm.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__w_0_0_5_b_7_d_e_._d_l_l_ -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\uespr.dll -> Downloader.Small.ajc : Cleaned with backup (quarantined).
    C:\MTE3NDI6ODoxNgnew.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\Program Files\Online Services\horedota.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
    C:\__delete_on_reboot__a_c_3___0_0_0_3_._e_x_e_ -> Downloader.Small.cyh : Cleaned with backup (quarantined).
    C:\stub_113_4_0_4_0newer.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
    C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
    C:\WINDOWS\__delete_on_reboot__w_i_n_3_2_0_9_2_5_-_1_2_6_3_5_2_1_8_._e_x_e_ -> Downloader.VB.tw : Cleaned with backup (quarantined).
    C:\visfx500new.exe -> Dropper.Agent.aie : Cleaned with backup (quarantined).
    C:\numbsoftnew.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\in10b6s.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} -> Hijacker.Generic : Cleaned with backup (quarantined).
    C:\Documents and Settings\Matt\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\__delete_on_reboot__v_1_2_0_1_._e_x_e_ -> Hijacker.Small : Cleaned with backup (quarantined).
    C:\Program Files\html1.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
    C:\Program Files\html2.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
    C:\WINDOWS\osflqvjA.exe -> Hijacker.VB.ij : Cleaned with backup (quarantined).
    C:\dfndrff_9.exe -> Hijacker.VB.or : Cleaned with backup (quarantined).
    C:\__delete_on_reboot__a_b_e_b_._e_x_e_ -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
    C:\Program Files\Network Monitor\__delete_on_reboot__n_e_t_m_o_n_._e_x_e_ -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
    C:\Documents and Settings\Jane\Cookies\jane@ads.180solutions[1].txt -> TrackingCookie.180solutions : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@config.180solutions[1].txt -> TrackingCookie.180solutions : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@buildabear.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@cybersoftwaresolutions.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@partygaming.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ad-logics[1].txt -> TrackingCookie.Ad-logics : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@adrevolver[4].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ads18.bpath[2].txt -> TrackingCookie.Bpath : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@casinopays[2].txt -> TrackingCookie.Casinopays : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@crbanner.casinopays[2].txt -> TrackingCookie.Casinopays : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@www.casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@centrport[2].txt -> TrackingCookie.Centrport : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@clickagents[2].txt -> TrackingCookie.Clickagents : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@banner.clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@com[2].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.


    C:\Documents and Settings\Jane\Cookies\jane@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1odpiapamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@e-2dj6wgk4gmdpsap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@e-2dj6wjlownczedo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@e-2dj6wjnyckcpoco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkocpcpidqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyulajiboqmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmycmazakoaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygkdpahoq2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@goldenpalace[2].txt -> TrackingCookie.Goldenpalace : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@banner.grandonline[2].txt -> TrackingCookie.Grandonline : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@grandonline[2].txt -> TrackingCookie.Grandonline : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@www.grandonline[1].txt -> TrackingCookie.Grandonline : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-adidas.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-adidasus.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-leavittmanagement.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-lowermybills.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-netquote.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-powwebinc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-proflowers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-reebok.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ehg-sportingbet.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@counter2.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@incredifind[2].txt -> TrackingCookie.Incredifind : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@www.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@web4.realtracker[2].txt -> TrackingCookie.Realtracker : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@starware[2].txt -> TrackingCookie.Starware : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@banner.sunpalacecasino[2].txt -> TrackingCookie.Sunpalacecasino : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@sunpalacecasino[1].txt -> TrackingCookie.Sunpalacecasino : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@ac2.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@www.vegasred[1].txt -> TrackingCookie.Vegasred : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@server1.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ads.x10[1].txt -> TrackingCookie.X10 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@x10[1].txt -> TrackingCookie.X10 : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Guest\Cookies\guest@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@c1.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\Documents and Settings\Jane\Cookies\jane@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\Documents and Settings\Matt\Cookies\matt@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : Cleaned with backup (quarantined).
    HKU\S-1-5-21-842925246-261903793-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8E13DDE1-E013-47EC-9C4C-27C2F78BDD26} -> Trojan.Conhook.c : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\0R3V2W9X\srvlhj[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\8XY90DS7\srvbkv[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\{B4B02FDF-095A-1033-0721-030718030001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
    C:\WINDOWS\__delete_on_reboot__S_Y_S_C_0_0_._e_x_e_ -> Trojan.VB.tg : Cleaned with backup (quarantined).
    C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
    C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


    ::Report end


    Logfile of HijackThis v1.99.1
    Scan saved at 1:14:37 PM, on 8/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\bajpbj.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\qjatb.exe
    C:\WINDOWS\system32\qjatb.exe
    C:\WINDOWS\system32\qjatb.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\BCMSMMSG.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\AOL\1124339193\ee\AOLSoftware.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\kybrdff_9.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\wshtcpip.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\clbcatq.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.238.43.125:8100
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjatb.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cehwlom.exe
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124339193\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_9.exe
    O4 - HKLM\..\Run: [aqnhbh] C:\WINDOWS\system32\bajpbj.exe reg_run
    O4 - HKLM\..\Run: [isvea6c6] RUNDLL32.EXE w005b7de.dll,n 002ea6c400000003005b7de
    O4 - HKLM\..\Run: [w005ce15.dll] RUNDLL32.EXE w005ce15.dll,I2 002ea6c40005ce15
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [wshtcpip] C:\WINDOWS\system32\wshtcpip.exe
    O4 - HKCU\..\Run: [clbcatq] C:\WINDOWS\system32\clbcatq.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [wnuic] C:\WINDOWS\system32\bajpbj.exe reg_run
    O4 - Global Startup: shuqh.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
    O16 - DPF: {BA685A19-A28D-4241-B68A-FDE428C7B44E} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
    O16 - DPF: {C4AE95E6-4EE4-6B4F-A12B-EAAA3858187F} (MNPerformer Class) - http://art.towerrecords.com/performe...ormerSetup.cab
    O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
    O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\dx16gt.dLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: msrd2x32.exe - Unknown owner - C:\WINDOWS\system32\msrd2x32.exe (file missing)
    O23 - Service: msvideo.exe - Unknown owner - C:\WINDOWS\system32\msvideo.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


    Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
    Save it with the file name "fixme.reg" (without the quotes), with the file type set to All files (*.*), and save it on your Desktop.
    Code:
    REGEDIT4
    ;
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{259BA022-2005-45E9-A965-10EDB9C00605}"=-
    Now double-click the fixme.reg file you saved and click Yes when it asks whether you want to merge the information into the registry. Once you see the success message, delete fixme.reg.


    Open a command prompt (Start > Run, type cmd, press Enter), then type
    sc delete "msvideo.exe"
    press enter, type in
    sc delete "msrd2x32.exe"
    press enter, type exit and press enter to exit the command prompt

    Start HijackThis, run a scan, and place a check next to each of these items if they are still present.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_9.exe
    O4 - HKLM\..\Run: [aqnhbh] C:\WINDOWS\system32\bajpbj.exe reg_run
    O4 - HKLM\..\Run: [isvea6c6] RUNDLL32.EXE w005b7de.dll,n 002ea6c400000003005b7de
    O4 - HKLM\..\Run: [w005ce15.dll] RUNDLL32.EXE w005ce15.dll,I2 002ea6c40005ce15
    O4 - HKCU\..\Run: [wshtcpip] C:\WINDOWS\system32\wshtcpip.exe
    O4 - HKCU\..\Run: [clbcatq] C:\WINDOWS\system32\clbcatq.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [wnuic] C:\WINDOWS\system32\bajpbj.exe reg_run
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
    ====================================
    Click "Fix checked", then close HijackThis.
    Restart the PC.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Run ComboFix again and post its new log.

    Download and run Stinger from the link below, then post its log too.
    http://vil.nai.com/vil/stinger/
    1: Download v2.6.0 [1,144,839 bytes] (4/5/2006) ,
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #19
    Member

    Start Time= Sun 08/13/2006 7:36:36.06
    Running from: C:\Documents and Settings\Matt\Desktop

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{FAFFAC32-2B65-4F18-87A5-4237ACD3952F}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{FAFFAC32-2B65-4F18-87A5-4237ACD3952F}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{FAFFAC32-2B65-4F18-87A5-4237ACD3952F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{FAFFAC32-2B65-4F18-87A5-4237ACD3952F}\InprocServer32]
    @="C:\\WINDOWS\\system32\\VLAR2232.DLL"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

  10. #20
    Member

    FILES REMOVED:

    C:\WINDOWS\SYSTEM32\dx16gt.dLL
    C:\WINDOWS\SYSTEM32\h40qled51h0.dll
    C:\WINDOWS\SYSTEM32\irp8l57u1.dll
    C:\WINDOWS\SYSTEM32\jtl6073se.dll
    C:\WINDOWS\SYSTEM32\mirecr40.dll
    C:\WINDOWS\SYSTEM32\n06qlaj51do.dll
    C:\WINDOWS\SYSTEM32\p84u0ih9e84.dll
    C:\WINDOWS\SYSTEM32\VLAR2232.DLL
    C:\WINDOWS\SYSTEM32\wzpsrcwp.dll


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

    7:50:05.78

    Not all files found by this method are bad. There may be legitimate files found
    This log should be examined by a trained analyst


    * * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\bajpbj.exe
    C:\WINDOWS\system32\qjatb.exe
    C:\WINDOWS\system32\cehwlom.exe


    * * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    2006-08-12 12:49:26 127,488 "C:\WINDOWS\system32\bajpbj.exe"
    2006-08-12 17:17:18 28,672 "C:\WINDOWS\system32\qjatb.exe"
    2006-08-12 08:47:56 48,167 "C:\WINDOWS\system32\VSL05.exe"
    2006-06-26 13:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
    2006-08-12 08:48:20 234,272 "C:\WINDOWS\system32\dx16gt.dLL"
    2006-06-23 07:25:30 55,808 "C:\WINDOWS\system32\extmgr.dll"
    2006-06-23 07:25:30 96,256 "C:\WINDOWS\system32\inseng.dll"
    2006-07-28 07:30:52 3,058,176 "C:\WINDOWS\system32\mshtml.dll"
    2006-06-23 07:25:30 532,480 "C:\WINDOWS\system32\mstime.dll"
    2006-07-28 10:47:30 176,128 "C:\WINDOWS\system32\pgqbwa.dll"
    2006-05-24 18:48:04 339,968 "C:\WINDOWS\system32\pxwave.dll"
    2006-07-25 16:42:24 615,424 "C:\WINDOWS\system32\urlmon.dll"
    2006-07-27 10:49:30 20,992 "C:\WINDOWS\system32\73305db.exe"
    2006-08-12 08:47:50 23,552 "C:\WINDOWS\system32\cehwlom.exe"
    2006-08-11 23:46:42 138,808 "C:\WINDOWS\system32\clbcatq.exe"
    2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
    2006-06-23 07:25:30 151,040 "C:\WINDOWS\system32\cdfview.dll"
    2006-06-23 07:25:30 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
    2006-06-23 07:25:30 205,312 "C:\WINDOWS\system32\dxtrans.dll"
    2006-08-12 17:17:18 51,712 "C:\WINDOWS\system32\hhjprrx.dll"
    2006-06-23 07:25:30 251,904 "C:\WINDOWS\system32\iepeers.dll"
    2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
    2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
    2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
    2006-06-23 07:25:30 15,872 "C:\WINDOWS\system32\jsproxy.dll"
    2006-05-24 18:43:44 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
    2006-06-23 07:25:30 39,424 "C:\WINDOWS\system32\pngfilt.dll"
    2006-05-14 04:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
    2006-06-23 07:25:30 1,497,088 "C:\WINDOWS\system32\shdocvw.dll"
    2006-07-13 09:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
    2006-06-23 07:25:30 474,112 "C:\WINDOWS\system32\shlwapi.dll"
    2006-05-24 18:43:44 200,704 "C:\WINDOWS\system32\ssldivx.dll"
    2006-06-23 07:25:32 664,576 "C:\WINDOWS\system32\wininet.dll"
    2006-06-23 07:25:30 1,054,208 "C:\WINDOWS\system32\danim.dll"
    2006-07-21 04:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"
    2006-05-24 18:48:04 421,888 "C:\WINDOWS\system32\pxdrv.dll"
    2006-05-24 18:48:04 172,032 "C:\WINDOWS\system32\pxmas.dll"
    2006-08-12 12:49:26 127,488 "C:\WINDOWS\system32\gwxsm.dat"
    2006-08-12 18:16:10 433 "C:\WINDOWS\yupvr.dll"
    2006-07-19 23:16:48 2,818 "C:\WINDOWS\mozver.dat"
    2006-08-12 08:47:46 53 "C:\WINDOWS\ncnvpp.dat"
    2006-08-12 08:47:50 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shuqh.exe"


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    08/12/2006 12:49 PM 127,488 gwxsm.dat.vir
    08/12/2006 08:47 AM 127,488 shuqh.exe.vir
    08/12/2006 12:49 PM 127,488 bajpbj.exe.vir
    08/12/2006 05:17 PM 51,712 hhjprrx.dll.vir
    08/12/2006 05:17 PM 28,672 qjatb.exe.vir
    08/12/2006 08:47 AM 23,552 cehwlom.exe.vir
    08/12/2006 08:47 AM 53 ncnvpp.dat.vir


    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    * * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    2006-07-27 10:49:30 20,992 "C:\WINDOWS\system32\73305db.exe"
    2006-08-11 23:46:42 138,808 "C:\WINDOWS\system32\clbcatq.exe"
    2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
    2006-08-12 08:47:56 48,167 "C:\WINDOWS\system32\VSL05.exe"
    2006-06-23 07:25:30 151,040 "C:\WINDOWS\system32\cdfview.dll"
    2006-06-23 07:25:30 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
    2006-06-23 07:25:30 205,312 "C:\WINDOWS\system32\dxtrans.dll"
    2006-06-23 07:25:30 251,904 "C:\WINDOWS\system32\iepeers.dll"
    2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
    2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
    2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
    2006-06-23 07:25:30 15,872 "C:\WINDOWS\system32\jsproxy.dll"
    2006-05-24 18:43:44 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
    2006-06-23 07:25:30 39,424 "C:\WINDOWS\system32\pngfilt.dll"
    2006-05-14 04:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
    2006-06-23 07:25:30 1,497,088 "C:\WINDOWS\system32\shdocvw.dll"
    2006-07-13 09:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
    2006-06-23 07:25:30 474,112 "C:\WINDOWS\system32\shlwapi.dll"
    2006-05-24 18:43:44 200,704 "C:\WINDOWS\system32\ssldivx.dll"
    2006-06-23 07:25:32 664,576 "C:\WINDOWS\system32\wininet.dll"
    2006-06-26 13:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
    2006-06-23 07:25:30 55,808 "C:\WINDOWS\system32\extmgr.dll"
    2006-06-23 07:25:30 96,256 "C:\WINDOWS\system32\inseng.dll"
    2006-07-28 07:30:52 3,058,176 "C:\WINDOWS\system32\mshtml.dll"
    2006-06-23 07:25:30 532,480 "C:\WINDOWS\system32\mstime.dll"
    2006-07-28 10:47:30 176,128 "C:\WINDOWS\system32\pgqbwa.dll"
    2006-05-24 18:48:04 339,968 "C:\WINDOWS\system32\pxwave.dll"
    2006-07-25 16:42:24 615,424 "C:\WINDOWS\system32\urlmon.dll"
    2006-06-23 07:25:30 1,054,208 "C:\WINDOWS\system32\danim.dll"
    2006-07-21 04:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"
    2006-05-24 18:48:04 421,888 "C:\WINDOWS\system32\pxdrv.dll"
    2006-05-24 18:48:04 172,032 "C:\WINDOWS\system32\pxmas.dll"
    2006-08-12 18:16:10 433 "C:\WINDOWS\yupvr.dll"
    2006-07-19 23:16:48 2,818 "C:\WINDOWS\mozver.dat"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\drsmartload1.exe
    C:\dfndrff_9.exe
    C:\kybrdff_9.exe
    C:\WINDOWS\system32\drsmartload815a.exe
    C:\WINDOWS\keyboard1.dat


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-13 07:31:58 1427955 ( A.... ) "C:\Documents and Settings\Matt\Application Data\Install.dat"
    2006-08-13 07:31:58 ( .D... ) "C:\Program Files\SpySheriff"
    2006-08-13 07:08:50 32768 ( A.... ) "C:\winstall.exe"
    2006-08-13 07:08:50 32768 ( A.... ) "C:\abeb.exe"
    2006-08-13 07:08:44 75776 ( A.... ) "C:\uoytnq.exe"
    2006-08-13 07:08:18 16384 ( A.... ) "C:\WINDOWS\system32\loadadv559.exe"
    2006-08-13 07:07:54 14336 ( A.... ) "C:\WINDOWS\system32\test.exe"
    2006-08-12 18:16:10 433 ( A.... ) "C:\WINDOWS\yupvr.dll"
    2006-08-12 08:54:54 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
    2006-08-12 08:48:18 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
    2006-08-12 08:47:56 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
    2006-08-12 08:47:54 61952 ( A.... ) "C:\WINDOWS\system32\isvea6c6.dll"
    2006-08-12 08:47:54 1167 ( A.... ) "C:\WINDOWS\system32\isvea6c6.sys"
    2006-08-12 08:47:54 1167 ( A.... ) "C:\WINDOWS\system32\isvea6c6.sys"
    2006-08-12 08:47:54 1167 ( A.... ) "C:\WINDOWS\system32\isvea6c6.sys"
    2006-08-12 08:46:54 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
    2006-08-12 08:46:32 48190 ( A.... ) "C:\RDFX4.exe"
    2006-08-11 23:46:42 138808 ( A.... ) "C:\WINDOWS\system32\clbcatq.exe"
    2006-08-11 23:46:40 160800 ( A.... ) "C:\WINDOWS\system32Fastmp3_Setup1.exe"
    2006-08-11 11:57:20 ( .D... ) "C:\Program Files\Common Files\Java"
    2006-08-09 14:24:28 ( .D... ) "C:\Program Files\RegScrubXP"
    2006-08-09 13:24:24 ( .D... ) "C:\Program Files\Common Files\aolshare"
    2006-08-09 09:30:16 ( .D... ) "C:\Program Files\Common Files\kqmw"
    2006-08-08 18:10:20 0 ( A.... ) "C:\loaded.exe"
    2006-08-04 15:01:44 ( .D... ) "C:\Program Files\Lavasoft"
    2006-07-29 15:37:54 70656 ( A.... ) "C:\WINDOWS\system32\btpanuib.dll"
    2006-07-29 15:37:52 69632 ( A.... ) "C:\WINDOWS\system32\compstuid.dll"
    2006-07-29 10:02:46 32208 ( ..SH. ) "C:\Program Files\Common Files\Y1304OU.exe"
    2006-07-29 10:01:20 0 ( A.... ) "C:\WINDOWS\system32cymmh.exe"
    2006-07-28 10:47:30 176128 ( A.... ) "C:\WINDOWS\system32\pgqbwa.dll"
    2006-07-27 10:49:30 20992 ( A.... ) "C:\WINDOWS\system32\73305db.exe"
    2006-07-27 10:46:26 ( .D... ) "C:\Documents and Settings\Matt\Application Data\S?mantec"
    2006-07-27 10:45:56 ( .D... ) "C:\Program Files\Common Files\{B4B02FDF-095A-1033-0721-030718030001}"
    2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
    2006-07-26 22:52:22 1024 ( A.... ) "C:\Documents and Settings\Matt\Application Data\WavCodec.wff"
    2006-07-24 12:06:30 178 ( A.... ) "C:\WINDOWS\system32\del32.bat"
    2006-07-24 08:58:08 ( .D... ) "C:\Program Files\Steinberg"
    2006-07-24 08:57:16 ( .D... ) "C:\Program Files\FLStudio4"
    2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
    2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
    2006-07-19 23:17:12 ( .D... ) "C:\Documents and Settings\Matt\Application Data\Talkback"
    2006-07-19 23:15:52 ( .D... ) "C:\Documents and Settings\Matt\Application Data\Mozilla"
    2006-07-16 11:53:04 ( .D... ) "C:\Program Files\D-Tools"
    2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
    2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
    2006-07-12 10:19:30 ( .D... ) "C:\Documents and Settings\Matt\Application Data\Lavasoft"
    2006-07-10 19:45:46 ( .D... ) "C:\Program Files\Common Files\NSIS"
    2006-07-05 22:00:48 ( .D... ) "C:\Program Files\Arcade!"
    2006-07-05 13:52:56 25 ( A.... ) "C:\WINDOWS\SW_Win2000X48.DLL"
    2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
    2006-07-04 13:32:10 ( .D... ) "C:\Program Files\AOL Pictures"
    2006-06-28 10:37:20 ( .D... ) "C:\Documents and Settings\Matt\Application Data\uTorrent"
    2006-06-27 15:45:06 ( .D... ) "C:\Program Files\Kodak"
    2006-06-27 09:17:04 ( .D... ) "C:\Documents and Settings\Matt\Application Data\InterVideo"
    2006-06-27 09:11:42 ( .D... ) "C:\Program Files\InterVideo Information Service"
    2006-06-27 09:08:00 ( .D... ) "C:\Program Files\Common Files\InterVideo"
    2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
    2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
    2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
    2006-06-16 23:15:18 ( .D... ) "C:\Program Files\DivX"
    2006-06-14 13:49:08 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
    2006-06-13 16:32:34 ( .D... ) "C:\Program Files\AviSynth 2.5"
    2006-06-13 16:26:12 ( .D... ) "C:\Program Files\Pure Motion"
    2006-06-13 16:26:04 ( .D... ) "C:\Program Files\Sonic Foundry"
    2006-06-13 16:25:46 ( .D... ) "C:\Program Files\DebugMode"
    2006-05-24 18:48:04 109568 ( A.... ) "C:\WINDOWS\system32\pxinsi64.exe"
    2006-05-24 18:43:44 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
    2006-05-24 18:43:44 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
    2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
    2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
    2005-07-18 20:04:14 10822 ( A.... ) "C:\Program Files\Uninst.isu"
    2005-07-18 20:03:44 1429 ( A.... ) "C:\Program Files\Uninstall the iDEN WebJAL.lnk"
    2004-07-07 08:58:34 11108 ( A.... ) "C:\Program Files\GMV EULA Extended Speech_V1.txt"
    2004-05-13 09:47:18 2992 ( A.... ) "C:\Program Files\Readme.txt"
    2004-05-13 09:47:08 11 ( A.... ) "C:\Program Files\ver.ini"
    2004-04-29 11:30:18 966656 ( A.... ) "C:\Program Files\WebJAL.exe"
    2004-04-28 10:03:16 102400 ( A.... ) "C:\Program Files\IUSB.dll"
    2004-03-19 15:43:30 1399891 ( A.... ) "C:\Program Files\SilentInstallUSBDrivers.exe"
    2003-12-17 14:54:34 103015 ( A.... ) "C:\Program Files\GMV EULA Extended Speech_V1.pdf"
    2003-09-11 14:48:40 77824 ( A.... ) "C:\Program Files\iplcomm.dll"
    2003-02-19 18:01:26 195160 ( A.... ) "C:\Program Files\White Paper - What's A Personality Worth .pdf"
    2003-02-19 18:01:06 93984 ( A.... ) "C:\Program Files\White Paper - Voice Branding for the Enterprise.pdf"
    2003-02-12 15:53:58 28672 ( A.... ) "C:\Program Files\iulcomm.dll"
    2003-01-29 11:05:18 32768 ( A.... ) "C:\Program Files\HUSBcomm.dll"
    2003-01-22 10:12:18 73728 ( A.... ) "C:\Program Files\iDEN_PST.DLL"
    2002-12-18 12:56:30 147456 ( A.... ) "C:\Program Files\JALCOMM.dll"
    2002-12-09 10:58:22 49152 ( A.... ) "C:\Program Files\iUSBMon.dll"
    2002-09-27 13:06:46 94208 ( A.... ) "C:\Program Files\ISL_IFL.dll"
    2002-08-16 09:03:54 24576 ( A.... ) "C:\Program Files\USBCheck.dll"
    2000-10-16 09:38:00 53248 ( A.... ) "C:\Program Files\mzip.dll"


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-08-13 07:08 32,768 C:\winstall.exe
    2006-08-13 07:08 32,768 C:\abeb.exe
    2006-08-13 07:07 14,336 C:\WINDOWS\system32\test.exe
    2006-08-12 21:15 20,992 C:\WINDOWS\system32\73305db.exe
    2006-08-12 09:00 53,248 C:\WINDOWS\system32\Process.exe
    2006-08-12 09:00 42,496 C:\WINDOWS\system32\swreg.exe
    2006-08-12 09:00 40,960 C:\WINDOWS\system32\swsc.exe
    2006-08-12 09:00 288,417 C:\WINDOWS\system32\SrchSTS.exe
    2006-08-12 08:48 38,412 C:\WINDOWS\ssqbn.exe
    2006-08-12 08:47 61,952 C:\WINDOWS\system32\isvea6c6.dll
    2006-08-12 08:47 48,167 C:\WINDOWS\system32\VSL05.exe
    2006-08-12 08:47 1,167 C:\WINDOWS\system32\isvea6c6.sys
