ad.yieldmanager problems... [CLOSED]
patrick44
post Jun 7 2007, 08:09 PM
Post #1


New Member
Posts: 5
OS: Windows XP Home Edition



Hello,

I know this has been discussed a lot, but I'm not sure if it's unique for everyone. I keep getting random pop-up adverts and it's getting very annoying. I think it's ad.yieldmanager or outerinfo or something like that. My process list shows a task called retadpu72.exe that seems like the culprit. Anyways, if you guys could help me fix my comp, that would be awesome.

Here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:08:01 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\UGF0cmljayBDYXJyb2xs\command.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\retadpu72.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Patrick Carroll\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mcmfactory.com/
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134523779\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DA197C7734672DE3F546CAC59B6
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uikz] C:\PROGRA~1\COMMON~1\uikz\uikzm.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...amp;4&&
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF0cmljayBDYXJyb2xs\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Daemon
post Jun 8 2007, 12:15 AM
Post #2


Security Expert
Posts: 4,356
OS: XP



Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.
patrick44
post Jun 8 2007, 03:47 PM
Post #3


New Member
Posts: 5
OS: Windows XP Home Edition



I really don't know why there's porn in there... this is an office computer. Is that something that typically happens with issues like this? I did notice a thing on the computer a few days ago called IPWins that was causing problems - it's on the list.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2007 at 04:38 AM

Application Version : 3.8.1002

Core Rules Database Version : 3250
Trace Rules Database Version: 1261

Scan type : Complete Scan
Total Scan Time : 02:35:47

Memory items scanned : 410
Memory threats detected : 4
Registry items scanned : 6445
Registry threats detected : 129
File items scanned : 136428
File threats detected : 286

Unclassified.Unknown Origin
C:\WINDOWS\UGF0CMLJAYBDYXJYB2XS\COMMAND.EXE
C:\WINDOWS\UGF0CMLJAYBDYXJYB2XS\COMMAND.EXE
HKLM\Software\Classes\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\Implemented Categories
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\InprocServer32
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\InprocServer32#ThreadingModel
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\ProgID
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\Programmable
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\TypeLib
HKCR\CLSID\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\VersionIndependentProgID
HKU\S-1-5-21-1123561945-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}
HKLM\System\ControlSet001\Services\cmdService
HKLM\System\ControlSet002\Services\cmdService
HKLM\System\CurrentControlSet\Services\cmdService

Trojan.NetMon/DNSChange
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#ActiveService
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Program Files\Network Monitor

Adware.Adservs
C:\WINDOWS\UGF0CMLJAYBDYXJYB2XS\ASAPPSRV.DLL
C:\WINDOWS\UGF0CMLJAYBDYXJYB2XS\ASAPPSRV.DLL
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._

Trojan.Downloader-Gen/RetAd
C:\WINDOWS\RETADPU72.EXE
C:\WINDOWS\RETADPU72.EXE
[runner1] C:\WINDOWS\RETADPU72.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DA197C7734672DE3F546CAC59B6 ]

Adware.MyWay
HKLM\Software\Classes\CLSID\{04079851-5845-4dea-848C-3ECD647AA554}
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}\InprocServer32
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}\InprocServer32#ThreadingModel
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}\Programmable
C:\PROGRAM FILES\MYSEARCH\SRCHASTT\1.BIN\MYSRCHAS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04079851-5845-4dea-848C-3ECD647AA554}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04079851-5845-4dea-848C-3ECD647AA554}#NoExplorer

Adware.TopText
HKLM\Software\Classes\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\Implemented Categories
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\InprocServer32
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\InprocServer32#ThreadingModel
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\ProgID
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\Programmable
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\TypeLib
HKCR\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\VersionIndependentProgID
C:\PROGRA~1\TOPTEXT\EAPBH.DLL
HKU\S-1-5-21-1123561945-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}

Adware.IST/ISTBar (Slotch Bar)
HKU\S-1-5-21-1123561945-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{5F1ABCDB-A875-46C1-8345-B72A4567E486}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll [  ]
HKU\S-1-5-21-1123561945-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\POWERSCAN.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@1bclicks[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@www.svengalimedia[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@adserver[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@www.fatpenguinmedia[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@partner2profit[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@findwhat[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@buycom.122.2o7[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@1072669009[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ehg-lifetimeentertainment.hitbox[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@webstat[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@count2.exitexchange[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@3.adbrite[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@spylog[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ehg-onestopinternet.hitbox[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@homestore.122.2o7[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ehg-aaa.hitbox[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@s.clickability[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@wassermanmedia.112.2o7[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ads.expedia[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@1072696149[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@eyeblast.adbureau[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ad.outerinfo[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@www.ppctracking[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@indextools[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@www.xctrk[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@cbs.112.2o7[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@2.marketbanker[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@2.adbrite[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@exitexchange[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@optimize.indieclick[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@media.xbox360.ign[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@a.websponsors[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@motorcycle.advertserve[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@directtrack[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@roiservice[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@41397737[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@atlas.fixionmedia[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@stattrack.0catch[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@media.sponsorhouse[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@maxis.112.2o7[1].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick carroll@ehg-newscientist.hitbox[2].txt
C:\Documents and Settings\Patrick Carroll\Cookies\patrick_carroll@indiads[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@2o7[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@ad.yieldmanager[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@adknowledge[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@adopt.euroclick[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@adopt.specificclick[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@adrevolver[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@adrevolver[3].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@ads.pointroll[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@adultadworld[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@anad.tacoda[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@atwola[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@belnk[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@casalemedia[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@dist.belnk[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@edge.ru4[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@maxserving[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@questionmarket[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@realmedia[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@stat.www[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@statcounter[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@tacoda[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@www.burstbeacon[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@www.dirtxxx[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@www.fatpenguinmedia[2].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@xiti[1].txt
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Cookies\patrick carroll@yieldmanager[2].txt

Adware.WebHancer
HKLM\Software\WebHancer
HKLM\Software\WebHancer#BaseDir
HKLM\Software\WebHancer\CC
HKLM\Software\WebHancer\CC#DistTag
HKLM\Software\WebHancer\CC#id
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335353.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335354.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335355.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\SNAPSHOT\MFEX-1.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\SNAPSHOT\MFEX-2.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\SNAPSHOT\MFEX-3.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1373\A0336353.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1373\A0336354.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1373\A0336355.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1373\A0336356.EXE

Adware.Ezula
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}\InprocServer32
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}\InprocServer32#ThreadingModel
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}\ProgID
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}\Programmable
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}\TypeLib
HKCR\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}\VersionIndependentProgID
HKCR\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}
HKCR\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}\1.0
HKCR\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}\1.0\0
HKCR\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}\1.0\0\win32
HKCR\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}\1.0\FLAGS
HKCR\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}\1.0\HELPDIR
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\ADVTG.EXE

Adware.Apropos Media
C:\WINDOWS\system32\auto_update_uninstall.log

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\SDEXE.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335343.EXE

Adware.Avenue Media/Internet Optimizer
HKU\S-1-5-21-1123561945-573735546-839522115-1004\Software\Avenue Media
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\OPTIMIZE.EXE

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#ActiveService

Adware.IPWins
HKU\S-1-5-21-1123561945-573735546-839522115-1004\Software\IpWins
C:\Program Files\ipwindows
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335338.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335369.EXE

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\DESKTOP\OIUNINSTALLER.EXE

Adware.180solutions/ZangoSearch
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\180SAINSTALLERNUSAC.EXE

Trojan.Downloader-CommandDesktop
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\CMDINST.EXE

Adware.180solutions/Search Assistant
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\DEL31.TMP
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\DELB4.TMP
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\RES32.TMP

TargetSaver, Inc. Process
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\GLF4ACGLF4AC.EXE
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\TSINSTALL_4_0_4_0_B4.EXE
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\TSUPDATE_4_0_4_1_B3.EXE
C:\WINDOWS\SYSTEM32\TSUNINST.EXE

Trojan.NewDotNet-Installer
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMP\NNCLXA638.EXE

Trojan.Downloader-Gen/Inst2
C:\DOCUMENTS AND SETTINGS\PATRICK CARROLL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XWCV9LWD\VV[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1370\A0335218.EXE

Adware.WhenU
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335344.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335349.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335357.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335358.EXE
C:\WINDOWS\B129.EXE
C:\WINDOWS\UGF0CMLJAYBDYXJYB2XS\O3IXWA53UV1GSRLVVZUP.VBS
C:\WINDOWS\UNINSTALL_NMON.VBS

Trojan.Downloader-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335350.EXE

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335356.DLL

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64CD4851-2DB3-4609-8C51-DE4FED4A8A0D}\RP1372\A0335359.DLL

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B103.EXE
C:\WINDOWS\B104.EXE
C:\WINDOWS\B122.EXE

Trojan.NewDotNet
C:\WINDOWS\NDNUNINSTALL6_38.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Temporary Internet Files\Content.IE5\MQA5LPGA\Jamie_Lynn_DiScala_Dancing_In_Her_Undies_medium[1].jpg
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Temporary Internet Files\Content.IE5\FNXDH9XQ\red_btn[1].gif
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Temporary Internet Files\Content.IE5\YN8V1MNU\lc[1].js
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Temporary Internet Files\Content.IE5\MQA5LPGA\Britney_Spears_Almost_Drops_Baby_medium[1].jpg
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Temporary Internet Files\Content.IE5\FNXDH9XQ\Jenna_Jameson_On_Sex_Machine_medium[1].jpg
C:\Documents and Settings\Patrick Carroll\Local Settings\Temp\Temporary Internet Files\Content.IE5\YN8V1MNU\2_Sexy_Chicks_Dancing.wmv_medium[1].jpg

Logfile of HijackThis v1.99.1
Scan saved at 3:00:09 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134523779\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\9129837.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Patrick Carroll\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mcmfactory.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134523779\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uikz] C:\PROGRA~1\COMMON~1\uikz\uikzm.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...amp;4&&
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

This post has been edited by patrick44: Jun 8 2007, 04:03 PM
patrick44
post Jun 10 2007, 01:39 AM
Post #4


New Member
*
Posts: 5
OS: Windows XP Home Edition



bump
Daemon
post Jun 10 2007, 07:08 AM
Post #5


Security Expert
Posts: 4,356
OS: XP



You don't need to bump the topic - I get an email notifying me of your response and will get back to you when I get chance.

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

O4 - HKCU\..\Run: [uikz] C:\PROGRA~1\COMMON~1\uikz\uikzm.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...amp;4&&


Exit HijackThis when done. Reboot, then, using Windows Explorer, find and delete the following:

C:\Program Files\Common Files\uikz <-- folder
C:\WINDOWS\9129837.exe

Exit Explorer and reboot again. Rescan with HijackThis and post a new log here.
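Added example, not part of the thread or of HijackThis itself: one way to check the rescan log requested above against the fix list, reporting entries that survived, autoruns that still point into the deleted locations, and processes still running from them. The rescan log is constructed for illustration, and the 8.3 short-name comparison (`PROGRA~1` against `Program Files`) is an approximation assumed by this example.

```python
import re

# HijackThis finding lines start with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# Command of an O4 registry autorun line: the text after "[value name] ".
O4_CMD_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+)$")
# Leading executable of a command: a quoted path, or text up to the first .exe.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

# Entries and paths taken from the helper's post.
FIXED_ENTRIES = [
    r"O4 - HKCU\..\Run: [uikz] C:\PROGRA~1\COMMON~1\uikz\uikzm.exe",
    r"O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe",
    r"O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - "
    r"https://components.viewpoint.com/MTSInstall...amp;4&&",
]
DELETED_PATHS = [r"C:\Program Files\Common Files\uikz", r"C:\WINDOWS\9129837.exe"]

# Constructed rescan log (not from the thread): the [uikz] fix did not take.
RESCAN_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\uikz\uikzm.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [uikz] C:\PROGRA~1\COMMON~1\uikz\uikzm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def norm(line):
    """Compare log lines ignoring case and runs of whitespace."""
    return " ".join(line.split()).lower()

def parse_hjt(log_text):
    """Return (running process paths, finding lines) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def component_matches(a, b):
    """Case-insensitive match; an 8.3 name matches a long name sharing its stem."""
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, long_name in ((a, b), (b, a)):
        stem = short.split("~", 1)[0] if "~" in short else ""
        if stem and long_name.replace(" ", "").startswith(stem):
            return True
    return False

def path_is_under(path, target):
    """True if path is the target file, or lies inside the target folder."""
    p = [c for c in path.strip('"').split("\\") if c]
    t = [c for c in target.strip('"').split("\\") if c]
    return len(p) >= len(t) and all(component_matches(x, y) for x, y in zip(p, t))

def autorun_image(entry):
    """Executable path launched by an O4 registry Run entry, else None."""
    m = O4_CMD_RE.match(entry)
    exe = EXE_RE.match(m.group(1).strip()) if m else None
    return (exe.group(1) or exe.group(2)) if exe else None

def verify_cleanup(rescan_log, fixed_entries, deleted_paths):
    """Report what is left of the fix list in a rescan log."""
    processes, entries = parse_hjt(rescan_log)
    present = {norm(e) for e in entries}
    hit = lambda path: any(path_is_under(path, d) for d in deleted_paths)
    return {
        "entries_remaining": [e for e in fixed_entries if norm(e) in present],
        "autoruns_into_deleted": [e for e in entries
                                  if autorun_image(e) and hit(autorun_image(e))],
        "processes_from_deleted": [p for p in processes if hit(p)],
    }

if __name__ == "__main__":
    for key, items in verify_cleanup(RESCAN_LOG, FIXED_ENTRIES, DELETED_PATHS).items():
        print(key, "->", items or "none")
```

An empty report means the fix list no longer appears in the log; it does not by itself show the machine is clean.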