
Thread: Coolwwwsearch.searchklick and Windows security center

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    28

    Coolwwwsearch.searchklick and Windows security center

    Spybot S&D consistently picks up coolwwwsearch.searchklick and cannot remove it. I have run it in safe mode and it still comes up.

    In addition, my computer clock has changed (it now says 14:15 pm), there is a program called Weather which I did not install, and a program called Windows Security Center which constantly says I am infected, which I think is a virus itself.

    Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:16:38 PM, on 6/8/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\sys02542496502-1.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\defender19a.exe
    C:\WINDOWS\CheckS02.exe
    C:\WINDOWS\sys11-1542496502.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\win32102-154249650.exe
    C:\WINDOWS\ms0696502-15424.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\WINDOWS\System32\043fa694.exe
    C:\WINDOWS\System32\0mcamcap.exe
    C:\WINDOWS\System32\dxvwewfi.exe
    C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    C:\Program Files\Common Files\svchostsys\svchostsys.exe
    C:\Windows\xpupdate.exe
    C:\WINDOWS\System32\services.exe
    C:\Program Files\Weather\Weather.exe
    C:\WINDOWS\system32\swinsqag.exe
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Finale 2005\AIOLib.exe
    C:\WINDOWS\System32\dxvwybft.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\dxvwvldf.exe
    C:\WINDOWS\System32\dxvwzsym.exe
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rover-host.com/infected.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [sys02542496502-1] C:\WINDOWS\sys02542496502-1.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
    O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
    O4 - HKLM\..\Run: [sys11-1542496502] C:\WINDOWS\sys11-1542496502.exe
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [win32102-154249650] C:\WINDOWS\win32102-154249650.exe
    O4 - HKLM\..\Run: [ms0696502-15424] C:\WINDOWS\ms0696502-15424.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
    O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
    O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwzsym.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
    O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000118.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
    O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
    O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\dsysiz.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe9...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ksdusl.dll (file missing)
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwewfi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

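A log this long is easier to read after a scripted first pass. The following Python is an added example, not part of this thread and not anything HijackThis does itself: it applies a few of the rules an analyst uses when reading such a log (extra programs on the UserInit line, Run entries pointing at random-looking file names or at core-binary names outside System32, anything placed in the IE Trusted Zone, Winlogon Notify packages that are not on a stock XP install) to a handful of lines copied from the log above, with the benign iTunes and iPod entries kept for contrast. The allowlist of default Notify subkeys and the name heuristics are assumptions of the example.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted above, plus the benign iTunes and
# iPod entries for contrast. The findings come from this example's own rules,
# not from HijackThis.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sys02542496502-1] C:\WINDOWS\sys02542496502-1.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwzsym.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Winlogon\Notify subkeys present on a stock Windows XP install (assumed allowlist).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Core binaries that malware likes to impersonate from a directory of its own.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "userinit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt", "c:"}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def exe_path(cmd):
    """Return the program part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def looks_random(filename):
    """Digit-heavy or vowel-free file names are typical of generated droppers."""
    stem = filename.lower().rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem)
    return digits >= 4 or (len(stem) >= 6 and vowels == 0)


def triage(log_text):
    """Return (section, reason, line) for every line an analyst should look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Only userinit.exe belongs here; anything after the comma runs at logon.
            programs = line.split("UserInit=", 1)[1].split(",")
            extra = [p.strip() for p in programs
                     if p.strip() and not p.strip().lower().endswith("userinit.exe")]
            if extra:
                findings.append(("F2", "extra UserInit program(s): " + ", ".join(extra), line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # Startup-folder entries and the like are not handled here
            path = exe_path(m.group("cmd")).lower()
            name, folder = ntpath.basename(path), ntpath.dirname(path)
            if name in CORE_BINARIES and folder not in SYSTEM_DIRS:
                findings.append(("O4", f"{name} loaded from {folder} instead of System32", line))
            elif folder in WINDOWS_ROOTS:
                findings.append(("O4", f"autorun placed directly in {folder}", line))
            elif looks_random(name):
                findings.append(("O4", f"random-looking executable name {name}", line))
        elif line.startswith("O15 - Trusted Zone:"):
            # Sites in the Trusted Zone get relaxed ActiveX and scripting settings.
            findings.append(("O15", "site added to the IE Trusted Zone", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            subkey = line.split("Winlogon Notify:", 1)[1].split(" - ")[0].strip()
            if subkey.lower() not in KNOWN_NOTIFY:
                findings.append(("O20", f"non-default Winlogon Notify package {subkey}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it flags the UserInit extra, four of the five O4 lines (iTunesHelper passes), the Trusted Zone entry and the cfgmngr32 Notify package; the O23 service line produces nothing because the script has no rule for services. The rules are deliberately narrow: they surface what to look at, they do not decide what to delete.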
  2. #2
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Holy cow, what a collection.

    We'll need to do this step by step.

    1) Please download win32delfkil.exe by Marckie:
    • Save it on your desktop.
    • Double-click on win32delfkil.exe and install it.
    • A new folder should be created to your desktop named win32delfkil.
    • Close ALL open windows, open the win32delfkil folder and double-click on fix.bat.
    • The computer will reboot automatically.
    • Post the contents of the c:\windelf.txt log in your next reply.


    ==

    2) Please download Look2Me-Destroyer to your desktop.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HijackThis log, as well as the contents of the c:\windelf.txt log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    Hi there, stranger!

    Proud Member of ASAP since 2005.

  3. #3
    Junior Member
    Join Date
    Jun 2006
    Posts
    28


    Here's the windelf log:

    ************************
    * WIN32DELFKIL LOGFILE *
    ************************
    by Marckie


    BEFORE RUNNING WIN32DELFKIL
    ***************************

    File(s) found in Windows directory
    ----------------------------------
    g219545.dll

    File(s) found in system32 folder
    --------------------------------
    cfgmngr32.dll

    Export SharedTaskScheduler key
    ------------------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{B29BE267-3A64-4F7E-8A57-75FB5E900503}"="Windows Updater"


    sharedtaskkey: B29BE267-3A64-4F7E-8A57-75FB5E900503
    ---------------------------------------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}]
    @="C:\\WINDOWS\\system32\\cfgmngr32.dll"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}\InprocServer32]
    @="C:\\WINDOWS\\system32\\cfgmngr32.dll"
    "ThreadingModel"="Apartment"



    Notify key
    ----------
    subkey cfgmngr32 is present!



    AFTER RUNNING WIN32DELFKIL
    **************************

    File(s) found in Windows directory
    ----------------------------------
    g219545.dll

    File(s) found in system32 folder
    --------------------------------
    cfgmngr32.dll
    Export SharedTaskScheduler key
    ------------------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{B29BE267-3A64-4F7E-8A57-75FB5E900503}"="Windows Updater"


    sharedtaskkey: B29BE267-3A64-4F7E-8A57-75FB5E900503
    ---------------------------------------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}]
    @="C:\\WINDOWS\\system32\\cfgmngr32.dll"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}\InprocServer32]
    @="C:\\WINDOWS\\system32\\cfgmngr32.dll"
    "ThreadingModel"="Apartment"



    Notify key
    ----------
    subkey cfgmngr32 is present!

    And the Look2Me log:


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 6/12/2006 10:32:02 AM

    Infected! C:\WINDOWS\system32\ksdusl.dll

    Attempting to delete infected files...

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C6E702DC-75DC-4371-801F-4CC7D4D49759}"
    HKCR\Clsid\{C6E702DC-75DC-4371-801F-4CC7D4D49759}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1321F937-F548-456C-84FF-9590C406C9CC}"
    HKCR\Clsid\{1321F937-F548-456C-84FF-9590C406C9CC}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{78821E96-D2EF-4F44-A431-A4A17582B704}"
    HKCR\Clsid\{78821E96-D2EF-4F44-A431-A4A17582B704}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    Finally, here's the newest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:50:54 AM, on 6/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\043fa694.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Weather\Weather.exe
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
    O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000118.exe
    O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
    O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinsqez.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dsysiz.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe9...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

    Before doing all of this I read through the SmitFraud fix sticky you guys have up on here and did that, and that also seemed to help out my computer a bit.

    Anyway, thank you.

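The win32delfkil log above shows the chain that matters: a third SharedTaskScheduler entry ("Windows Updater") whose CLSID resolves under HKLM\SOFTWARE\Classes\CLSID to cfgmngr32.dll, the same DLL registered as a Winlogon Notify package, and the log's "after" section shows nothing changed. As an added example that is not part of this thread or of win32delfkil, the following Python parses the REGEDIT4 fragments from the log and resolves every SharedTaskScheduler CLSID that is not one of the two stock XP entries to the InprocServer32 DLL Explorer will load at logon. The two-entry allowlist is an assumption of the example, chosen from the Microsoft entries visible in the log.

```python
import re

# The two REGEDIT4 fragments copied from the win32delfkil log posted above.
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{B29BE267-3A64-4F7E-8A57-75FB5E900503}"="Windows Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B29BE267-3A64-4F7E-8A57-75FB5E900503}\InprocServer32]
@="C:\\WINDOWS\\system32\\cfgmngr32.dll"
"ThreadingModel"="Apartment"
'''

# SharedTaskScheduler entries a stock Windows XP carries (assumed allowlist, by CLSID).
XP_DEFAULT_STS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# One value line of a .reg export: @="..." for the default value, "name"="..." otherwise.
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<val>.*)"$')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: string}} ('' is the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if m:
            name = m.group("name") or ""
            # .reg files escape backslashes and double quotes inside string data.
            value = m.group("val").replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def audit_shared_task_scheduler(text):
    """Resolve each non-default SharedTaskScheduler CLSID to the DLL Explorer loads for it."""
    keys = parse_reg(text)
    findings = []
    for clsid, label in keys.get(STS_KEY, {}).items():
        if clsid.upper() in XP_DEFAULT_STS:
            continue
        inproc_key = "\\".join([CLSID_ROOT, clsid, "InprocServer32"])
        dll = keys.get(inproc_key, {}).get("", "(InprocServer32 not in export)")
        findings.append({"clsid": clsid, "label": label, "dll": dll})
    return findings


if __name__ == "__main__":
    for f in audit_shared_task_scheduler(REG_EXPORT):
        print(f"{f['clsid']}  \"{f['label']}\"  ->  {f['dll']}")
```

The point of resolving the CLSID rather than trusting the label is that "Windows Updater" is free text; the DLL path is what Explorer acts on, and it is the path that has to be compared with the Notify entry and with what is actually on disk.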
  4. #4
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Looks like win32delfkil didn't do the job.

    Let's run it again after cleaning everything else up.

    Go ahead and delete Look2Me-Destroyer.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    1. Please download the trial version of Ewido Anti-malware here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ==

    2. Please download Brute Force Uninstaller to your desktop.
    • Right-click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    ==

    4. RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
    To use: RIGHT-CLICK DelDomains.inf and select: Install

    ==

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    ==

    5. Once in Safe Mode, Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will be prompted to clean the first infection.
    • Select "Perform action on all infections", then proceed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
    Close Ewido anti-malware.

    ==

    6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the Complete script execution box to pop up and hit OK.
    • Press Exit to terminate the BFU program.
    Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HijackThis log.

    Hi there, stranger!

    Proud Member of ASAP since 2005.

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    28


    Here's the Ewido log:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:08:30 PM, 6/12/2006
    + Report-Checksum: FF2DA0D5

    + Scan result:

    HKU\S-1-5-21-2052111302-813497703-1060284298-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.112:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.113:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.114:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.115:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.116:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.117:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.118:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.119:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.120:C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\jswiyb3m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Willie\Cookies\willie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Willie\Cookies\willie@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Willie\Cookies\willie@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Willie\Cookies\willie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Willie\Cookies\willie@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Willie\Cookies\willie@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Program Files\Common Files\services.exe -> Adware.Maxifiles : Cleaned with backup
    C:\Program Files\Common Files\svchostsys\svchostrun.exe -> Downloader.Agent.a : Cleaned with backup
    C:\Program Files\DNS\Catcher.dll -> Adware.Maxifiles : Cleaned with backup
    C:\Program Files\DNS\Catcher.tmp -> Adware.Maxifiles : Cleaned with backup
    C:\Program Files\DNS\cwebpage.dll -> Adware.Maxifiles : Cleaned with backup


    ::Report End

    And here is the newest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:15:02 PM, on 6/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\043fa694.exe
    C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    C:\Program Files\Weather\Weather.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
    O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
    O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
    O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe9...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

  6. #6
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Looking better. Go ahead and remove Ewido for now.

    You do need an Anti-virus software.

    ==

    Please get the free version of AVG.

    Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

    ==

    Next:

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
    Save it in the same folder you made earlier (c:\BFU).

    Please close ALL other open windows & Explorer folders, then double-click on QooFix.bat.
    Choose option 1# (Qoolfix autofix) and follow the prompts.
    Please be patient, it will take about five minutes.
    Then please post back with a fresh HijackThis log and we'll clear the rest.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  7. #7
    Junior Member
    Join Date
    Jun 2006
    Posts
    28

    Default

    Alright, here's my newest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:02:24 PM, on 6/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\043fa694.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    C:\Program Files\Weather\Weather.exe
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.uk/
    R3 - Default URLSearchHook is missing
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
    O4 - HKLM\..\Run: [043fa694.exe] C:\WINDOWS\System32\043fa694.exe
    O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Willie\My Documents\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [043fa694.exe] C:\Documents and Settings\Willie\Local Settings\Application Data\043fa694.exe
    O4 - HKCU\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Willie\My Documents\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'c:\program files\panda software\panda titanium antivirus 2005\pavlsp.dll' missing
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10157fe9...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
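
The two logs posted before and after the AVG step can be compared mechanically rather than by eye. The script below is an added example (not part of the thread or of HijackThis): it diffs trimmed copies of those two logs, embedded as constructed sample input, and lists which surviving entries still warrant review. The digit-heavy-filename check is our own heuristic, not a HijackThis rule.

```python
"""Diff two HijackThis logs and list which surviving entries still deserve a look.

Added example for this thread, not part of HijackThis or of any post above. The two
excerpts are trimmed copies of the logs posted before and after the AVG step
(constructed sample input); the section prefixes follow the HijackThis line format.
"""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")  # "<section> - <body>"
# F2 (system.ini UserInit) and O20 (Winlogon Notify) run code at every logon.
LOGON_HOOK_SECTIONS = {"F2", "O20"}
# Heuristic (our assumption, not a HijackThis rule): an .exe directly in %WinDir% or
# %System% whose name carries a long run of digits, like win320902-15424965.exe.
RANDOM_NAME_RE = re.compile(r"C:\\WINDOWS\\(?:System32\\)?[A-Za-z]*\d{4,}[\w-]*\.exe", re.I)

LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\043fa694.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ftmgchr.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll (file missing)
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\043fa694.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmeuex.dll
O4 - HKLM\..\Run: [win320902-15424965] C:\WINDOWS\win320902-15424965.exe
O4 - HKLM\..\Run: [Windows hSox Server] C:\WINDOWS\System32\hSox.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into its process list and its (section, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # the process list ends at the first blank line
        else:
            match = ENTRY_RE.match(line)
            if match:
                entries.append((match.group(1), match.group(2)))
    return processes, entries


def flag_reason(section: str, body: str) -> str:
    """Why an entry deserves review, or '' when none of the checks fire."""
    if "(file missing)" in body:
        return "references a file that no longer exists"
    if section in LOGON_HOOK_SECTIONS:
        return "logon hook (UserInit / Winlogon Notify)"
    if RANDOM_NAME_RE.search(body):
        return "digit-heavy executable name in a Windows system folder"
    return ""


def diff_logs(before: str, after: str) -> Dict[str, list]:
    """What disappeared, what appeared, and what still stands out in the new log."""
    procs_a, ents_a = parse_hjt(before)
    procs_b, ents_b = parse_hjt(after)
    seen_a, seen_b = set(ents_a), set(ents_b)
    as_line = "{} - {}".format
    return {
        "removed_entries": [as_line(*e) for e in ents_a if e not in seen_b],
        "added_entries": [as_line(*e) for e in ents_b if e not in seen_a],
        "removed_processes": [p for p in procs_a if p not in procs_b],
        "added_processes": [p for p in procs_b if p not in procs_a],
        # (entry, reason) pairs for entries that survived the cleanup step
        "still_flagged": [(as_line(*e), flag_reason(*e)) for e in ents_b if flag_reason(*e)],
    }


if __name__ == "__main__":
    for key, values in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {key} ==", *values, sep="\n  ")
```

On the two excerpts the diff shows the F2 UserInit hook and the two "(file missing)" entries gone, the AVG entries added, and the digit-named Run entry plus the O20 Winlogon Notify hook still present.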

  8. #8
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    That looks better all the time.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Download WinPFind:
    • Right-click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet.


    ==

    Please download MWav:
    • Unzip it to its predetermined directory (C:\Kaspersky)
    • Locate kavupd.exe in the new folder and double-click to Update.
    • If your firewall gives any messages about this program accessing the internet, allow it.
    • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
    • When you see Updates Downloaded Successfully, hit Enter to continue.


    Don't do anything else with these yet!

    ==

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    ==

    Run MWav again:
    • Locate the Kaspersky folder.
    • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
    Now let's do the settings:
    • Leave the Default Settings checked.
    • Add a check to Drives
    • This will light up All Drives
    • Add a check to Scan all Files
    • Click Scan Clean to begin.

    This scan might take around 3+ hours to finish when set to scan everything.
    • Please be sure it has finished before proceeding.
    • Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
    • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
    • Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g. MWav Results).
    Close MWav.

    ==

    Double-click WinPFind.exe
    Click "Start Scan"
    It will scan the entire System, so please be patient!
    Once the Scan is Complete:
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post.


    ==

    Reboot into normal Windows and post the MWav results here along with a fresh HijackThis log as well as the WinPFind.txt log.

  9. #9
    Junior Member
    Join Date
    Jun 2006
    Posts
    28

    Default

    OK, here are the MWav results:

    File C:\WINDOWS\chadch.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
    File C:\WINDOWS\DHU.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
    File C:\WINDOWS\justin2a.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
    File C:\WINDOWS\pf78.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus. Action Taken: File Deleted.
    File C:\WINDOWS\sys011542496502-2006.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
    File C:\WINDOWS\Taga96.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
    File C:\WINDOWS\YOINSI.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
    File C:\WINDOWS\System32\install_id6.exe tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
    File C:\WINDOWS\System32\nskC4.dll tagged as not-a-virus:AdWare.Win32.HotSearchBar.i. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP0\A0000002.exe infected by "Trojan-Spy.Win32.Delf.ig" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP0\A0000003.exe infected by "Email-Worm.Win32.Delf.i" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP0\A0000005.exe infected by "Trojan-Proxy.Win32.Agent.jw" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000008.exe tagged as not-a-virus:RiskTool.Win32.PsKill.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000009.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000010.dll infected by "Trojan-Proxy.Win32.Agent.ji" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000011.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000014.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000017.exe infected by "Trojan-Proxy.Win32.Small.bt" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000018.exe infected by "Trojan-Downloader.Win32.Agent.hy" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000020.exe infected by "Trojan-Downloader.Win32.Small.ciw" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000022.exe infected by "Trojan.Win32.Spabot.x" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000027.exe infected by "Trojan-Downloader.Win32.CWS.s" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000028.exe infected by "Trojan-Downloader.Win32.Small.ctk" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000030.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000036.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000057.dll tagged as not-a-virus:AdWare.Win32.EZula.bn. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000058.exe infected by "Email-Worm.Win32.Delf.i" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000060.exe infected by "Trojan-Spy.Win32.Delf.ig" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000062.exe infected by "Trojan-Downloader.Win32.CWS.s" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000063.exe infected by "Trojan-Downloader.Win32.CWS.s" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0000064.exe infected by "Trojan.Win32.Spabot.x" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001242.dll tagged as not-a-virus:AdWare.Win32.Ihbo.e. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001243.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001246.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001247.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001249.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001257.dll tagged as not-a-virus:AdWare.Win32.EZula.bn. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001258.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001267.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001268.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001270.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001283.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001286.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001287.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001289.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001296.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001299.dll tagged as not-a-virus:AdWare.Win32.EZula.bn. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001304.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001311.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001313.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0001314.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002308.exe tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002313.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002314.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0002316.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003312.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003315.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003316.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003332.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.o. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003334.DLL tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003347.dll infected by "Trojan-Proxy.Win32.Lager.aq" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003350.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003355.exe infected by "Trojan-Clicker.Win32.VB.nh" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003358.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003359.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003362.exe tagged as not-a-virus:AdWare.Win32.Agent.y. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003363.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003365.exe tagged as not-a-virus:AdWare.Win32.Agent.z. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003366.exe tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003367.exe tagged as not-a-virus:AdWare.Win32.Mirar.d. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003368.ocx tagged as not-a-virus:AdWare.Win32.MediaMotor.m. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003369.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003370.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003374.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003376.exe tagged as not-a-virus:AdWare.Win32.NewDotNet. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003377.exe infected by "Trojan-Proxy.Win32.Agent.jw" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003378.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003382.dll tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003383.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.d. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003384.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.d. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003415.dll tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003417.dll tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003419.exe infected by "Trojan-Dropper.Win32.Agent.hl" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003420.dll infected by "Trojan-Downloader.Win32.Agent.afl" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003421.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003423.exe infected by "Trojan-Downloader.Win32.Small.aav" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003424.dll tagged as not-a-virus:AdWare.Win32.Mirar.b. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003426.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP1\A0003429.exe tagged as not-a-virus:AdWare.Win32.ZenoSearch.o. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003466.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003467.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003478.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003479.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP2\A0003484.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003499.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003500.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003507.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003519.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP3\A0003520.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003527.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003552.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003553.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003565.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003566.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003570.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003590.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003592.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003624.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003626.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003644.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.j. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003646.dll tagged as not-a-virus:AdWare.Win32.Maxifiles.a. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP4\A0003650.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003697.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003698.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003699.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{62FBF9A9-FB46-4C50-8BE1-DFAC8F313D83}\RP5\A0003700.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
    File C:\WINDOWS\chadch.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
    File C:\WINDOWS\justin2a.exe tagged as not-a-virus:AdWare.Win32.SideFind.a. No Action Taken.
    File C:\WINDOWS\sys011542496502-2006.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
    File C:\WINDOWS\system32\install_id6.exe tagged as not-a-virus:AdWare.Win32.Adstart.i. No Action Taken.
    File C:\WINDOWS\system32\nskC4.dll tagged as not-a-virus:AdWare.Win32.HotSearchBar.i. No Action Taken.

  10. #10
    Junior Member
    Join Date
    Jun 2006
    Posts
    28

    And here's the WinPFind.txt:

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
    Internet Explorer Version: 6.0.2800.1106

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...
    qoologic 5/8/2006 7:27:30 PM H 2595209 C:\PANDA.RPT
    PEC2 3/2/2006 1:36:00 PM 107000114 C:\republic6.wav

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    UPX! 6/6/2006 11:17:00 PM 53280 C:\WINDOWS\g219545.dll

    Checking %System% folder...
    UPX! 6/6/2006 8:03:38 AM 60416 C:\WINDOWS\SYSTEM32\adrotate.dll
    PEC2 9/3/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PEC2 6/9/2005 1:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 6/9/2005 1:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
    UPX! 6/4/2006 1:48:06 AM 11264 C:\WINDOWS\SYSTEM32\hSox.exe
    PECompact2 10/2/2005 8:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 10/2/2005 8:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
    Umonitor 9/3/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
    UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
    UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
    winsync 9/3/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

    Checking %System%\Drivers folder and sub-folders...
    UPX! 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 6/12/2006 2:17:22 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    6/12/2006 3:44:48 PM S 2048 C:\WINDOWS\bootstat.dat
    6/8/2006 3:45:38 PM H 54156 C:\WINDOWS\QTFont.qfn
    6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
    6/6/2006 10:59:36 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
    6/6/2006 11:00:22 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
    6/6/2006 10:59:36 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
    6/6/2006 11:07:46 PM H 319488 C:\WINDOWS\repair\ntuser.dat
    6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
    6/6/2006 10:59:36 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
    6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
    6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
    6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
    6/6/2006 10:59:36 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
    6/6/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
    6/12/2006 10:35:04 AM S 451856 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5INF.CAT
    5/3/2006 8:11:26 PM S 7738 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem10.CAT
    5/3/2006 8:11:26 PM S 7738 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\oem10.CAT
    6/12/2006 3:44:40 PM H 8192 C:\WINDOWS\system32\config\default.LOG
    6/12/2006 3:44:58 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    6/12/2006 3:44:50 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
    6/12/2006 3:47:58 PM H 196608 C:\WINDOWS\system32\config\software.LOG
    6/12/2006 3:44:50 PM H 782336 C:\WINDOWS\system32\config\system.LOG
    6/6/2006 3:35:20 PM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
    6/6/2006 3:35:24 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
    6/6/2006 11:07:48 PM H 1024 C:\WINDOWS\system32\config\userdifr.LOG
    6/6/2006 11:20:26 PM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
    6/12/2006 3:44:06 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 9/3/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 9/3/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    6/6/2006 11:01:16 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    6/6/2006 10:42:04 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    5/18/2006 10:15:04 PM 1382 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

    Checking files in %USERPROFILE%\Startup folder...
    6/20/2004 11:45:54 PM HS 84 C:\Documents and Settings\Willie\Start Menu\Programs\Startup\desktop.ini
    5/18/2006 9:03:52 AM 729 C:\Documents and Settings\Willie\Start Menu\Programs\Startup\Weather.lnk

    Checking files in %USERPROFILE%\Application Data folder...
    6/20/2004 4:24:34 PM HS 62 C:\Documents and Settings\Willie\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    sv1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
    {52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
    {52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70F6A776-579A-4C95-BA88-134253907752}
    RieMon Class = C:\WINDOWS\System32\irsmeuex.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D117A61F-92C3-4450-A0C8-F425B14D4127}
    Banner Rotator = C:\WINDOWS\System32\adrotate.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
