"You have spyware/virus" popups

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

"You have spyware/virus" popups

Options

Teri76 View Member Profile	Oct 28 2006, 12:41 AM Post #1
New Member Posts: 4 OS: XP SP2 Media Edition	I'm always so careful. In two years, never had an issue. I got a bad torrent....now I'm loaded. I run my AVG spyware, it removes a ton of stuff. I go to bed, wake up with popups and run it again to find more...so help me fix it before I go insane!!! I've tried myself and it fixes it for about an hour...had tagasaurus show up on my desktop last night too... Logfile of HijackThis v1.99.1 Scan saved at 10:32:24 AM, on 10/28/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\Common Files\AOL\1156291395\ee\aolsoftware.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Owner.Tink\Desktop\mayer[bleep].exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6445 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6445 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6445 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv575.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - AppInit_DLLs: BattyRun2.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: Brotaaud - {92BC032C-A567-4ACC-B3CE-BF3413541FDC} - C:\WINDOWS\system32\logonkey.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe µTorrent 2Wire Wireless Client Abexo Free Registry Cleaner Ad-Aware SE Personal Adobe Flash Player 9 ActiveX Adobe Reader 7.0 Adobe Shockwave Player AOL Uninstaller (Choose which Products to Remove) ATI - Software Uninstall Utility ATI Control Panel ATI Display Driver Audacity 1.2.4 AVG Anti-Spyware 7.5 AVG Free Edition BigFix Broadcom 802.11 Network Adapter CleanUp! Comcast High-Speed Internet Install Wizard Conexant AC-Link Audio DivX Codec DivX Content Uploader DivX Converter DivX Player DivX Web Player DVD Solution FLAC Installer 1.1.2a (remove only) HijackThis 1.99.1 Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 10 (KB910393) Hotfix for Windows XP (KB888795) Hotfix for Windows XP (KB891593) Hotfix for Windows XP (KB895961) Hotfix for Windows XP (KB896256) Hotfix for Windows XP (KB899337) Hotfix for Windows XP (KB899510) Hotfix for Windows XP (KB902841) Hotfix for Windows XP (KB910728) Hotfix for Windows XP (KB912024) Hotfix for Windows XP (KB914906) iTunes J2SE Runtime Environment 5.0 Update 2 LimeWire 4.12.6 Messenger Plus! Live Microsoft .NET Framework 1.0 Hotfix (KB887998) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB886903) Microsoft .NET Framework 2.0 Microsoft Digital Image Starter Edition 2006 Microsoft Money 2006 Microsoft Office Standard Edition 2003 Microsoft Works Mozilla Firefox (2.0) MSN On2 VP7 Personal Edition Power2Go 4.0 PowerDVD QuickTime RealPlayer Riva FLV Encoder 2.0 SBC Yahoo! DSL Home Networking Installer Security Update for Microsoft .NET Framework 2.0 (KB917283) Security Update for Microsoft .NET Framework 2.0 (KB922770) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB925486) Soft Data Fax Modem with SmartCP Sonic Encoders Spybot - Search & Destroy 1.4 Synaptics Pointing Device Driver Texas Instruments PCIxx21/x515/xx12 drivers. Update for Windows Media Player 10 (KB913800) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB912945) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update Rollup 2 for Windows XP Media Center Edition 2005 Windows Installer 3.1 (KB893803) Windows Live Messenger Windows Media Format Runtime Windows XP Hotfix - KB886185 Windows XP Media Center Edition 2005 KB912067 Windows XP Media Center Edition 2005 KB915381 WinRAR archiver XviD 1.1 final uninstall Yahoo! Messenger ZoneAlarm This post has been edited by Teri76: Oct 28 2006, 08:37 AM

rambro View Member Profile	Oct 28 2006, 09:30 AM Post #2
Trusted Helper Posts: 1,101 From: Long Island, New York OS: Windows XP Professional	Dear Teri76, Welcome to the Geeks to Go forums. We are currently studying your log. *********************************** You are currently running HijackThis from your desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Go to "My Computer", click on c:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or "HijackThis" and then please move the "HijackThis.exe" executable there. In fact, I cannot find the HijackThis.exe file in your HijackThis log. Can you tell me in detail if you renamed the "HijackThis.exe" file? ************************* Dear Teri76, can you tell me in detail (if you know) what this line is: QUOTE C:\Documents and Settings\Owner.Tink\Desktop\mayer[bleep].exe rambro

rambro View Member Profile	Oct 28 2006, 01:29 PM Post #3
Trusted Helper Posts: 1,101 From: Long Island, New York OS: Windows XP Professional	Dear Teri76, (Note: Please read through these instructions a couple of times before executing the steps in this post.) You may want to print out these instructions or save them as a text file with "Notepad" to your desktop. ****************************** Make sure your PC is configured to show hidden files. Here is how to do this: Windows XP * Click "Start". * Open "My Computer". * Select the "Tools" menu and click "Folder Options". * Select the "View" Tab. * Under the "Hidden files and folders" heading select "Show hidden files and folders". * Make sure "Hide extensions for known file types" is unchecked * Uncheck the "Hide protected operating system files (recommended)" option. * Click "Yes" to confirm. * Click "OK". Here is a link for further explanation: http://www.xtra.co.nz/help/0,,4155-1916458,00.html ************************************** Submit the file "C:\WINDOWS\System32\logonkey.dll" for an online scan at: http://virusscan.jotti.org/. Post the results of the scan in a reply to this post. Double-click on My Computer and locate the file "logonkey.dll" (this should be located in the C:\WINDOWS\System32 directory). Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Company", "File Version", "Internal Name", "Language", "Original File name", "Product Name", and "Product Version", and please post whatever the text in the box immediately to the right says for each, in a reply to this post. Also on the "Version" tab, post back to me, what it says for "File Version", "Description" and "Copyright". Please post the jotti online scan for the "logonkey.dll" file, along with the "properties" of the "logonkey.dll" file. ****************************** Can you tell me in detail who is your Internet Service Provider? Can you tell me how you are connecting through the Internet (e.g. dialup, dsl or cable)? Can you tell me in detail if you are you still using the following application: QUOTE Comcast High-Speed Internet Install Wizard

Teri76 View Member Profile	Oct 28 2006, 08:22 PM Post #4
New Member Posts: 4 OS: XP SP2 Media Edition	Thanks for getting back to me! Yes I renamed it...I am aware some things hide fro HJT so I renamed it. I have but it in its onw folder as you asked. I use two providers. Sometimes I use SBC Wireless...Currently using Comcast highspeed Cable Connected through an eternet cable (not-wireless). So the answer is yes, I suppose that I am using the wizard thing. The "Properties" for that program: It has no version tab. Under the Summary tab, there is nothing next to any of those lines. It was created November 2005, I've only had the laptop Since the end of august. so I am assuming it is a file that came with the laptop. The Jotti scan told me that the file I uploaded: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file I turned the firewall off, tried again The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

rambro View Member Profile	Oct 28 2006, 11:12 PM Post #5
Trusted Helper Posts: 1,101 From: Long Island, New York OS: Windows XP Professional	Dear Teri76, I was looking at your "Add/Remove Software list" log from your previous post. The following are optional uninstalls Note - as with all P2P sharing programs they are susceptible to various forms of malware". That is, a Peer to Peer (P2P) file-sharing client program can be used as a vehicle for downloading spyware on to your computer system. Uninstall the following program/programs through Add/Remove programs (if they exist): µTorrent LimeWire 4.12.6 See the following link as a reference: http://p2p.malwareremoval.com/index.html - You decide. If you uninstalled LimeWire you need to remove the next folder also (marked in blue): C:\Program Files\LimeWire **************************** This what I found from google: Messenger Plus includes with it a particularly insidious form of adware called "Lop." Lop falls under the category of PC "hijacker" and makes changes to a user's Web browser in addition to popping up advertisements. The adware additionally places icons on the desktop and attempts to trick users into running a fake virus scan that installs even more malware. Uninstall the following program/programs through Add/Remove programs: Messenger Plus! Live See the following links as a reference: http://fileforum.betanews.com/detail/Messe...ve/1151240522/1 http://www.msgweb.nl/en/MSN_Articles/Messe...ithout_sponsor/ ************************************* The QuickTime Player is a legitimate program, but may interfere with your Real time player, WinAmp player and Windows media player. I suggest you uninstall the following program: QuickTime** rambro

rambro View Member Profile	Oct 28 2006, 11:14 PM Post #6
Trusted Helper Posts: 1,101 From: Long Island, New York OS: Windows XP Professional	Dear Teri76, (Note: Please read through these instructions a couple of times before executing the steps in this post.) You may want to print out these instructions or save them as a text file with "Notepad" to your desktop. ****************************** Run HijackThis and click "Scan." Place checks next to the following entry/entries (if they exist): R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv575.dll O20 - AppInit_DLLs: BattyRun2.dll O21 - SSODL: Brotaaud - {92BC032C-A567-4ACC-B3CE-BF3413541FDC} - C:\WINDOWS\system32\logonkey.dll Close all browser and other windows except for HijackThis, and click "Fix Checked" button to finish the repair. Close the HijackThis application. Next, make sure your PC is configured to show hidden files. Here is how to do this: Windows XP * Click "Start". * Open "My Computer". * Select the "Tools" menu and click "Folder Options". * Select the "View" Tab. * Under the "Hidden files and folders" heading select "Show hidden files and folders". * Make sure "Hide extensions for known file types" is unchecked * Uncheck the "Hide protected operating system files (recommended)" option. * Click "Yes" to confirm. * Click "OK". Here is a link for further explanation: http://www.xtra.co.nz/help/0,,4155-1916458,00.html Delete the following file/files marked in blue (if they exist): C:\WINDOWS\system32\nsv575.dll BattyRun2.dll <-- (Do a search for this file and then delete it) C:\WINDOWS\system32\logonkey.dll Delete the following folder/folders marked in blue (if they exist): Finally, clean out temporary and Temporary Internet files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press ok to remove: Temporary Files Temporary Internet Files Recycle Bin Restart your computer. ************************************************** Please download and run a Free Trial of Trojan Hunter at http://www.misec.net/products/TrojanHunter.exe. Please restart your computer. ******************************* TrendMicro™ HouseCall ActiveX Scan Please go HERE to run the Trend Micro™ HouseCall Scan. Click Scan now. It's free! Read and put a Check next to Yes I accept the terms of use. Click the Launching HouseCall>> button. Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button. You may receive a prompt to install the ActiveX, click install. If you are taken back to the main page, click Launching HouseCall>> button again. Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button. Please be patient while it installs, updates, and scans your system. Once the scan is complete, it will take you to the summary page. Under Cleanup options, choose clean all detected infections automatically. Click the Clean now>> button. If anything was found you may be prompted to run the scan again, you can just close the browser window. When the scan is finished, please restart your computer. *************************** Download, install, update, configure and run a scan with Ad-Aware SE at the following link: http://rstones12.geekstogo.com/adawareSE_setup.htm Restart your computer. ********************************** Restart your computer and then please post a new HijackThis log. In addition, let me know in detail how your computer system is running after performing the above steps.

Teri76 View Member Profile	Oct 28 2006, 11:36 PM Post #7
New Member Posts: 4 OS: XP SP2 Media Edition	Hey Rambro I unistalled Limewire and Plus...but I left UTorrent for now. Also reluctantly dicthed Plus after reading the documentation...heck I loved that plugin. I have a quick question about something. you said WinAmp....does it show that I still have that on here? I thought I ditched that eons ago. This post has been edited by Teri76: Oct 29 2006, 12:46 AM

Teri76

Oct 29 2006, 12:23 AM

Post #8

New Member

Posts: 4
OS: XP SP2 Media Edition

The following problems occured so far

Upon trying to delete from HJT the battyrun2.dll

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: BattyRun2.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

System32 wouldnt allow me to delete logonkey.dll

Battyrun2.dll was not found on my computer

Trojan Hunter log:
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CLASSES_ROOT\CFG32S.Search.1 (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7564B020-44E8-4C9B-A887-C6EC41AC67DA} (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CLASSES_ROOT\Scaggy.Insert (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898} (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scaggy.Insert (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CLASSES_ROOT\CFG32S.Search (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search.1 (matches Adware.BookedSpace.106) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\WINDOWS\srvoueuxxh.exe (VB.429)
1 files identified

Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search\CLSID
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search\CurVer
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search

Removed registry key HKEY_CLASSES_ROOT\CFG32S.Search.1\CLSID
Removed registry key HKEY_CLASSES_ROOT\CFG32S.Search.1

Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7564B020-44E8-4C9B-A887-C6EC41AC67DA}\iexplore
Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7564B020-44E8-4C9B-A887-C6EC41AC67DA}

Removed registry key HKEY_CLASSES_ROOT\Scaggy.Insert\CLSID
Removed registry key HKEY_CLASSES_ROOT\Scaggy.Insert\CurVer
Removed registry key HKEY_CLASSES_ROOT\Scaggy.Insert

Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\iexplore
Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}

Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scaggy.Insert

Unable to open key HKEY_CLASSES_ROOT\CFG32S.Search

Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search.1

Quarantined file C:\WINDOWS\srvoueuxxh.exe
Trojan cleaning finished.

Ad-Aware scan log

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, October 29, 2006 1:50:14 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R129 26.10.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.MyToolbar(TAC index:3):1 total references
MRU List(TAC index:0):17 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

10-29-2006 1:50:14 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 752
ThreadCreationTime : 10-28-2006 3:46:58 PM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 828
ThreadCreationTime : 10-28-2006 3:47:00 PM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 10-28-2006 3:47:03 PM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 896
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1064
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 6.14.10.4115
ProductVersion : 6.14.10.4115.01
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1076
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1160
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1300
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1344
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1416
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1784
ThreadCreationTime : 10-28-2006 3:47:06 PM
BasePriority : Normal
FileVersion : 6.14.10.4115
ProductVersion : 6.14.10.4115.01
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1880
ThreadCreationTime : 10-28-2006 3:47:06 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:14 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 532
ThreadCreationTime : 10-28-2006 3:47:14 PM
BasePriority : Normal

#:15 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 544
ThreadCreationTime : 10-28-2006 3:47:14 PM
BasePriority : Normal
FileVersion : 3.100.64.1
ProductVersion : 3.100.64.1
ProductName : Broadcom 802.11 Network Adapter Wireless Network Controller
CompanyName : Broadcom Corporation
FileDescription : Broadcom 802.11 Network Adapter Wireless Network Controller
InternalName : bcmwltry.exe
LegalCopyright : 1998-2005, Broadcom Corporation All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:16 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 10-28-2006 3:47:14 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:17 [guard.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 1100
ThreadCreationTime : 10-28-2006 3:47:20 PM
BasePriority : Normal
FileVersion : 7, 5, 0, 47
ProductVersion : 7, 5, 0, 47
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware guard
InternalName : AVG Anti-Spyware guard
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : guard.exe

#:18 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1088
ThreadCreationTime : 10-28-2006 3:47:20 PM
BasePriority : Normal
FileVersion : 7,1,0,365
ProductVersion : 7.1.0.365
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:19 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1240
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Normal
FileVersion : 7,1,0,349
ProductVersion : 7.1.0.349
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:20 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1276
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Normal
FileVersion : 7,1,0,400
ProductVersion : 7.1.0.400
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:21 [ehrecvr.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 1336
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Above Normal
FileVersion : 5.1.2715.2812 (xpsp(wmbla).051215-1116)
ProductVersion : 5.1.2715.2812
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Receiver Service
InternalName : ehRecvr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehRecvr.exe

#:22 [ehsched.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 1352
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Scheduler Service
InternalName : ehSched
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehSched.exe

#:23 [prismxl.sys]
FilePath : C:\Program Files\Common Files\New Boundary\PrismXL\
ProcessID : 1548
ThreadCreationTime : 10-28-2006 3:47:22 PM
BasePriority : Normal
FileVersion : 6.0.1.22
ProductVersion : 6.0.1.22
ProductName : PrismXL Software Family
CompanyName : New Boundary Technologies, Inc.
FileDescription : PrismXL Service
InternalName : PrismXL Service
LegalCopyright : © 1997-2004 New Boundary Technologies
OriginalFilename : PrismXL.sys

#:24 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 388
ThreadCreationTime : 10-28-2006 3:47:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [mcrdsvc.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 704
ThreadCreationTime : 10-28-2006 3:47:25 PM
BasePriority : Normal
FileVersion : 4.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 4.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : MCRD Device Service
InternalName : McrdSvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : McrdSvc.exe

#:26 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3212
ThreadCreationTime : 10-28-2006 3:47:43 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:27 [dllhost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3292
ThreadCreationTime : 10-28-2006 3:47:44 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : COM Surrogate
InternalName : dllhost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dllhost.exe

#:28 [ehtray.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 3456
ThreadCreationTime : 10-28-2006 3:47:47 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Tray Applet
InternalName : ehtray
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehtray.exe

#:29 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 3532
ThreadCreationTime : 10-28-2006 3:47:48 PM
BasePriority : Normal
FileVersion : 8.3.4 19May06
ProductVersion : 8.3.4 19May06
ProductName : Synaptics Pointing Device Driver
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Synaptics Enhancements Application
LegalCopyright : Copyright © Synaptics, Inc. 1996-2006
OriginalFilename : SynTPEnh.exe

#:30 [ehmsas.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 3576
ThreadCreationTime : 10-28-2006 3:47:49 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Media Status Aggregator Service
InternalName : eHMSAS
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehMSAS.exe

#:31 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 3616
ThreadCreationTime : 10-28-2006 3:47:49 PM
BasePriority : Normal
FileVersion : 7,1,0,406
ProductVersion : 7.1.0.406
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:32 [avgas.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 1396
ThreadCreationTime : 10-28-2006 3:47:59 PM
BasePriority : Normal
FileVersion : 7, 5, 0, 50
ProductVersion : 7, 5, 0, 50
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware
InternalName : AVG Anti-Spyware
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : avgas.exe

#:33 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3108
ThreadCreationTime : 10-28-2006 3:48:56 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:34 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3776
ThreadCreationTime : 10-28-2006 3:49:28 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:35 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 132
ThreadCreationTime : 10-29-2006 3:19:42 AM
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : zlclient.exe

#:36 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1652
ThreadCreationTime : 10-29-2006 3:19:43 AM
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : vsmon.exe

#:37 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 3648
ThreadCreationTime : 10-29-2006 6:31:30 AM
BasePriority : Normal
FileVersion : 8.0.0812.00
ProductVersion : 8.0.0812
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:38 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 3128
ThreadCreationTime : 10-29-2006 6:38:22 AM
BasePriority : Normal

#:39 [ymsgr_tray.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ProcessID : 3176
ThreadCreationTime : 10-29-2006 6:42:33 AM
BasePriority : Normal

#:40 [ose.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Source Engine\
ProcessID : 1056
ThreadCreationTime : 10-29-2006 6:44:33 AM
BasePriority : Normal

#:41 [trojanhunter.exe]
FilePath : C:\Program Files\TrojanHunter 4.6\
ProcessID : 1952
ThreadCreationTime : 10-29-2006 6:46:14 AM
BasePriority : Normal
FileVersion : 4.6.0.930
ProductVersion : 4.1.0.0
ProductName : TrojanHunter
CompanyName : Mischel Internet Security
FileDescription : TrojanHunter Scanner
InternalName : TrojanHunter Scanner
LegalCopyright : Mischel Internet Security
LegalTrademarks : TrojanHunter is a trademark of Mischel Internet Security
OriginalFilename : TrojanHunter.exe

#:42 [thguard.exe]
FilePath : C:\Program Files\TrojanHunter 4.6\
ProcessID : 2036
ThreadCreationTime : 10-29-2006 6:46:14 AM
BasePriority : Normal
FileVersion : 4.5.0.277
ProductVersion : 1.0.0.0
ProductName : TrojanHunter Guard
CompanyName : Mischel Internet Security
FileDescription : TrojanHunter Guard
LegalCopyright : Mischel Internet Security
LegalTrademarks : TrojanHunter is a trademark of Mischel Internet Security.
OriginalFilename : THGuard.exe

#:43 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3524
ThreadCreationTime : 10-29-2006 6:49:44 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.MyToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\ext\stats\{c004dec2-2623-438e-9ca2-c9043ab28508}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 18

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:owner@questionmarket.com/
Expires : 12-9-2006 2:20:18 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 19

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 19

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

2:06:51 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:36.344
Objects scanned:140841
Objects identified:2
Objects ignored:0
New critical objects:2

Trend micro found 5 things...including a trojan and shut down before it could finish twice.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 2:19:38 AM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\mayerrename.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6445
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6445
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6445
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Research - {92