Tag A Saurus -Windows 98 se [RESOLVED]


  • This topic is locked

#1 edhall (Member)

My computer with Windows 98 SE appears to have been infected with Tag A Saurus. I have pasted the HijackThis log below. ANY help at all is greatly appreciated. Thank you!

HijackThis v1.99.1
Scan saved at 1:29:22 PM, on 9/14/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\HGHKFC.EXE
C:\WINDOWS\SWRWUNWA.EXE
C:\WINDOWS\DUCE6.EXE
C:\WINDOWS\SYS02696984920.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\XPYOE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\XPYOE.EXE
C:\WINDOWS\XPYOE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYS02696984920.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DUCE6.EXE
C:\WINDOWS\SYS02696984920.EXE
C:\WINDOWS\DUCE6.EXE
C:\WINDOWS\SYS02696984920.EXE
C:\WINDOWS\SYS02696984920.EXE
C:\WINDOWS\DUCE6.EXE
E:\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [gxmcea] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKLM\..\Run: [SWRWUNWA] C:\WINDOWS\SWRWUNWA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKLM\..\Run: [sys02696984920] C:\WINDOWS\sys02696984920.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKCU\..\RunServices: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\RunServices: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\RunServices: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\RunServices: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Event Reminder.lnk = D:\PMG4\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: yntll.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnote...ad/npmusicn.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe

#2 JSntgRvr (Global Moderator)

Hi, edhall :whistling:

Welcome to Geeks to go.

Please read this post completely. It may make it easier for you if you print, or copy and paste this post to a new text document for reference later.

This will likely be a multi-step process for removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing Webhancer.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Click Here to download the Webhancerfix. Once downloaded, double click on the FixWebHancer.exe and follow the prompts.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [gxmcea] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKLM\..\Run: [SWRWUNWA] C:\WINDOWS\SWRWUNWA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKLM\..\Run: [sys02696984920] C:\WINDOWS\sys02696984920.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKCU\..\RunServices: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\RunServices: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

SURFSIDEKICK 3
WebHancer


Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\SURFSIDEKICK 3
C:\PROGRAM FILES\WebHancer


Run Killbox.exe. Paste the following locations into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click no...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\SYSTEM\wucrtupd.exe
C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
C:\WINDOWS\hghkfc.exe
C:\WINDOWS\SWRWUNWA.exe
C:\WINDOWS\DUCE6.exe
C:\WINDOWS\sys02696984920.exe


In the event that you lose Internet access after removing Webhancer, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Download and install CleanUp!

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:

Run the CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Close the Shredder.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click Yes.

Restart the computer in Normal Mode.

Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
Manually download Latest definition file: Here
  • Please Note Version SE Build 1.06 is now available! This download is for use with Ad-Aware SE versions only.
  • Manual Installation: Unzip the archive, replace the existing file and restart Ad-Aware\Ad-Watch.
  • You can also use the webupdate component implemented in Ad-Aware to install this update.
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report as well as a fresh Hijackthis log.

#3 edhall (Topic Starter)

First of all, THANK YOU so much for the help.

I have gone through your list and run the different programs and scans that you have listed. I was doing fine until the Panda ActiveScan. After several tries I finally got the program to download, but now the computer will not let the program run the scan. I have pasted the most recent HijackThis log below, for what it is worth. Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 7:01:38 PM, on 9/15/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\HGHKFC.EXE
C:\WINDOWS\DUCE6.EXE
C:\WINDOWS\SYS02696984920.EXE
C:\WINDOWS\WIN3208920696984.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\XPYOE.EXE
C:\WINDOWS\XPYOE.EXE
C:\WINDOWS\XPYOE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gxmcea] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKLM\..\Run: [sys02696984920] C:\WINDOWS\sys02696984920.exe
O4 - HKLM\..\Run: [win3208920696984] C:\WINDOWS\win3208920696984.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Event Reminder.lnk = D:\PMG4\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: yntll.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnote...ad/npmusicn.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

#4 JSntgRvr (Global Moderator)

Hi, edhall :whistling:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gxmcea] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKLM\..\Run: [sys02696984920] C:\WINDOWS\sys02696984920.exe
O4 - HKLM\..\Run: [win3208920696984] C:\WINDOWS\win3208920696984.exe
O4 - HKCU\..\Run: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - Startup: yntll.exe
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

The Search Accelerator
Viewpoint Manager
Viewpoint Media Player


Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\THESEARCHACCELERATOR
C:\Program Files\Viewpoint


Run Killbox.exe. Paste the following locations into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click no...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\hghkfc.exe
C:\WINDOWS\DUCE6.exe
C:\WINDOWS\sys02696984920.exe
C:\WINDOWS\win3208920696984.exe
C:\WINDOWS\Start Menu\Programs\StartUp\yntll.exe


Post a fresh HijackThis log and let me know how the computer is doing.

#5 edhall (Topic Starter)

I am currently running HijackThis and checking the items you have listed. When I click on Fix checked, it starts to run, then stops and says that I cannot delete "O4 - Startup: yntll.exe. The file may be in use. Use a process killer like ProcView to shut down the program and run HijackThis again to delete the file."

#6 edhall (Topic Starter)

Here is the latest HijackThis log. I was not able to get rid of the item listed in the above post. If I hit Ctrl+Alt+Delete I get the following programs multiple times: Gck25, Ms03969840206, and Duce6. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 8:41:00 PM, on 9/15/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MS03969849206.EXE
C:\WINDOWS\HGHKFC.EXE
C:\WINDOWS\DUCE6.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\XPYOE.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\XPYOE.EXE
C:\WINDOWS\XPYOE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MS03969849206.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ms03969849206] C:\WINDOWS\ms03969849206.exe
O4 - HKLM\..\Run: [gxmcea] C:\WINDOWS\hghkfc.exe reg_run
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Event Reminder.lnk = D:\PMG4\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: yntll.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnote...ad/npmusicn.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

#7 JSntgRvr (Global Moderator, 11,278 posts)
Hi, edhall :whistling:

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
XPYOE.EXE

[Exclude]

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch on your next reply.
Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.

Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and also post a new HijackThis log.

#8 edhall (Topic Starter, Member, 13 posts)
There are certainly some changes for the better on the computer, still popping up ads, just not as many.


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:53 PM, on 9/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\WIN3207492069698.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gltl3b71.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [win3207492069698] C:\WINDOWS\win3207492069698.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Event Reminder.lnk = D:\PMG4\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnote...ad/npmusicn.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

and the Reg. Search log:
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 9/16/06 1:06:29 PM for strings:
; 'xpyoe.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
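The "changes for the better" edhall reports are what a helper sees by comparing the two HijackThis logs in this thread entry by entry: the [duseg] Run key and the yntll.exe Startup item from the first log are gone, while a new [win3207492069698] Run entry has appeared. The following Python script is an added example, not code from HijackThis or from anyone in this thread; it diffs two logs and applies the triage heuristics a helper applies by eye. LOG_BEFORE and LOG_AFTER are constructed excerpts modelled on edhall's logs, and KNOWN_AUTOSTART is an illustrative allowlist (an assumption), not a complete list of legitimate Windows 9x autostarts.

```python
"""Diff two HijackThis logs and apply a few autostart triage heuristics.

Added example for this thread, not code from HijackThis or the forum.
LOG_BEFORE / LOG_AFTER are constructed excerpts modelled on the entries
edhall posted; KNOWN_AUTOSTART is an illustrative allowlist, not complete.
"""
import re

# Constructed excerpt in the shape of the first log (before BFU was run).
LOG_BEFORE = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [duseg] C:\WINDOWS\hghkfc.exe reg_run
O4 - Startup: yntll.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"""

# Constructed excerpt in the shape of the second log (after BFU was run).
LOG_AFTER = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\Run: [win3207492069698] C:\WINDOWS\win3207492069698.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")
O4_REG_RE = re.compile(r"^O4 - [^:]+: \[[^\]]+\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<item>.+?)(?: = (?P<target>.+))?$")
WINDOWS_DIR = r"c:\windows"
# Illustrative allowlist (assumption): Win9x autostarts that legitimately sit in
# C:\WINDOWS or are referenced by bare name. Build yours from a known-clean box.
KNOWN_AUTOSTART = {"scanregw.exe", "systray.exe", "rundll32.exe",
                   "mstask.exe", "mdm.exe", "starter.exe"}


def parse_hjt(text):
    """Keep only HijackThis entry lines (O3, O4, O16, ...), in order."""
    return [ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())]


def diff_logs(before, after):
    """(entries that appeared, entries that disappeared) between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(a - b), sorted(b - a)


def command_target(cmd):
    """First executable named on an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(\S+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def entry_target(entry):
    """Path or bare name an O4 entry launches; None for non-O4 entries."""
    m = O4_REG_RE.match(entry)
    if m:
        return command_target(m.group("cmd"))
    s = O4_STARTUP_RE.match(entry)
    return (s.group("target") or s.group("item")) if s else None


def suspicious_reasons(entry):
    """Heuristic triage of one entry; an empty list means nothing stood out."""
    reasons = []
    if "(file missing)" in entry:
        reasons.append("references a file that is no longer present")
    target = entry_target(entry)
    if target is None:
        return reasons
    folder, _, base = target.lower().rpartition("\\")
    if folder in ("", WINDOWS_DIR) and base not in KNOWN_AUTOSTART:
        reasons.append("unrecognised executable in the Windows folder or by bare name")
    if re.search(r"\d{6,}", base):
        reasons.append("long digit run in the file name (generated-looking)")
    return reasons


def triage(log_text):
    """Map each suspicious entry in a log to the reasons it was flagged."""
    flagged = {}
    for entry in parse_hjt(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("appeared:", *added, sep="\n  + ")
    print("disappeared:", *removed, sep="\n  - ")
    for entry, reasons in triage(LOG_AFTER).items():
        print(f"\n{entry}\n  -> " + "; ".join(reasons))
```

The diff is the more reliable signal of the two: it needs no allowlist and shows directly what a cleaning step changed. The heuristics only shortlist entries for a human to look at; a bare name like mstask.exe is legitimate, which is why the allowlist exists, and anything it does not know is reported for review, not deleted.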

#9 edhall (Topic Starter, Member, 13 posts)
I failed to mention that the Tag a saurus icon is still on my desktop. Is that something that I should expect to go away as files are deleted or is it something that I need to delete from the desk top?

Thank you so much. This service is more helpful than you could ever know.

#10 JSntgRvr (Global Moderator, 11,278 posts)
Hi, edhall :whistling:

I have researched Tag A Saurus as a virus and found no information about it.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [win3207492069698] C:\WINDOWS\win3207492069698.exe

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file.

C:\WINDOWS\win3207492069698.exe

Restart the computer.

1. Run HijackThis and click Open the Misc Tools section. Click Open Uninstall Manager>>Save list and save the log to your Desktop. A list of programs will open in Notepad. Post the contents of the log here.

2. Please take a screenshot of the Tag A Saurus icon for me.
  • You can do this by pressing the PrintScreen key.
  • Then go to Start > All Programs > Accessories > Paint
  • In Paint, go up to Edit > Paste
  • Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name it what you want, and save it where you want.
  • Then click Add Reply in this topic.
  • Click the Browse button.
  • Locate the file you just saved, click on it, then click Open.
  • Click Add This Attachment.
3. Right click on the Tag A Saurus icon and select properties. Select the Shortcut tab. Copy and paste the target location on your next reply.

4. Let me see also a fresh Hijackthis log.

#11 edhall (Topic Starter, Member, 13 posts)
I have gotten as far as running HijackThis and deleting the items that you listed. I have rebooted into Safe Mode and now the computer is reacting the same way it was prior to me contacting you (in Safe Mode).

In Safe Mode, Control-Alt-Delete shows Win3207492069698 on 5 separate lines. I am going to restart the computer and send you another HijackThis log for what it is worth.

#12 edhall (Topic Starter, Member, 13 posts)
I am having a heck of a time copying the log to disk, then transferring the info to the other computer. I will get the log to you shortly.

#13 JSntgRvr (Global Moderator, 11,278 posts)
Hi, edhall :whistling:

Can't you log on to the internet with the computer we are working on?

#14 JSntgRvr (Global Moderator, 11,278 posts)
Hi, edhall :whistling:

Let me take a deeper look into your system:

Click here to download WinPFind .
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete, restart the computer back in Normal Mode.
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next reply!
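Reading a WinPFind listing is mostly pattern-spotting: a run of files with identical size written in the same second, hidden or system attributes on files in the System folder, and no company name in the trailing parentheses. The Python script below is an added example, not code from WinPFind or from anyone in this thread; it parses WinPFind's line format (the format of the listing edhall posts later in the thread) and pulls out exactly those patterns. SAMPLE is a constructed listing modelled on that output, and the cluster threshold of three files is an assumption.

```python
"""Triage a WinPFind listing for clusters of same-size, same-timestamp files.

Added example for this thread, not code from WinPFind or the forum. SAMPLE is a
constructed listing in WinPFind's line format, modelled on the output posted
later in this thread; the cluster threshold is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE = r"""
Checking %System% folder...
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MKVCRT40.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\CQGWIZ.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MBTEXT40.DLL ()
UPX! 9/13/06 12:31:46 PM 29696 C:\WINDOWS\SYSTEM\wf2f7ff9.dll ()
PTech 8/22/98 12:24:08 AM 74460 C:\WINDOWS\SYSTEM\OLFAXDRV.DRV (Symantec Corp.)
9/16/06 7:46:40 PM RH 1200160 C:\WINDOWS\USER.DAT ()
8/31/06 7:43:16 AM RHS 409600 C:\WINDOWS\SYSTEM\Eswu\ovgan.exe ()
"""

# One listing line: [marker] date time [attrs] size path (company)
# marker = packer name or string hit WinPFind matched (UPX!, an IP, a domain)
LINE_RE = re.compile(
    r"^(?:(?P<marker>\S+)\s+)?"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<attrs>(?:[RHS]+\s)*)"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<company>[^)]*)\)$"
)


def parse_winpfind(text):
    """Parse listing lines; section headers and other chatter are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p")
        entries.append({
            "marker": m["marker"] or "",
            "when": when,
            "attrs": set(m["attrs"].replace(" ", "")),  # e.g. {"R", "S"}
            "size": int(m["size"]),
            "path": m["path"],
            "company": m["company"],
        })
    return entries


def size_clusters(entries, min_members=3):
    """Files sharing an exact size and write time, keyed by (size, when).

    One dropper writing many renamed copies of the same DLL leaves this pattern.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["when"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def hidden_unsigned_binaries(entries):
    """Hidden- or system-attribute executables with no company string."""
    return [e["path"] for e in entries
            if e["attrs"] & {"H", "S"} and not e["company"]
            and e["path"].lower().endswith((".exe", ".dll"))]


def report(text):
    """Summarise one listing as (clusters, hidden-unsigned binaries)."""
    entries = parse_winpfind(text)
    return size_clusters(entries), hidden_unsigned_binaries(entries)


if __name__ == "__main__":
    clusters, hidden = report(SAMPLE)
    for (size, when), paths in clusters.items():
        print(f"{len(paths)} files of {size} bytes written at {when}:")
        for p in paths:
            print("   ", p)
    print("hidden/system binaries without a vendor string:")
    for p in hidden:
        print("   ", p)
```

Restricting the attribute check to .exe and .dll keeps the registry hives (USER.DAT and SYSTEM.DAT carry R and H attributes and no company) out of the hit list. As with the scanner's own warning, a hit here is a reason to look, not a verdict: WinPFind's "UPX!" marker fires on plenty of legitimately packed programs.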


#15 edhall (Topic Starter, Member, 13 posts)
Hello,

I can get on the internet, but only for a few minutes before everything freezes up and needs to be restarted to go anywhere. I have pasted the WinPFind scan below.

Thanks!


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/16/06 7:46:46 PM
WinPFind v1.5.0 Folder = C:\WINDOWS\DESKTOP\WINPFIND\WINPFIND\
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 11/4/05 10:09:46 PM 66048 C:\BFU.exe (Soeperman Enterprises Ltd.)

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 8/25/04 10:48:08 PM 9624554 C:\WINDOWS\lpt$vpn.162 ()
UPX! 8/25/04 10:48:10 PM 1036800 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
aspack 8/25/04 10:48:10 PM 1036800 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
PECompact2 8/25/04 10:48:08 PM 9624554 C:\WINDOWS\VPTNFILE.162 ()
UPX! 9/13/06 12:31:36 PM 267228 C:\WINDOWS\popupwithcast.exe ()
UPX! 9/13/06 12:32:14 PM 100880 C:\WINDOWS\mtuninst.exe ()
69.59.186.63 9/13/06 12:32:12 PM 51712 C:\WINDOWS\nnhlvlt.dll ()
209.66.67.134 9/13/06 12:32:12 PM 51712 C:\WINDOWS\nnhlvlt.dll ()
web-nex 9/13/06 12:32:12 PM 51712 C:\WINDOWS\nnhlvlt.dll ()

Items found in C:\WINDOWS\hosts


Checking %System% folder...
PTech 8/22/98 12:24:08 AM 74460 C:\WINDOWS\SYSTEM\OLFAXDRV.DRV (Symantec Corp.)
ad-w-a-r-e.com 9/13/06 12:32:12 PM R S 226592 C:\WINDOWS\SYSTEM\DUVVOX.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MKVCRT40.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM 226592 C:\WINDOWS\SYSTEM\MVSHRUI.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\CQGWIZ.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MBTEXT40.DLL ()
UPX! 12/22/05 10:42:10 PM 4608 C:\WINDOWS\SYSTEM\sphlp32.exe ()
UPX! 12/22/05 10:42:10 PM 45568 C:\WINDOWS\SYSTEM\pppcgm.exe ()
UPX! 12/22/05 10:42:14 PM 109568 C:\WINDOWS\SYSTEM\idemlog.exe (,)
UPX! 9/13/06 12:31:46 PM 29696 C:\WINDOWS\SYSTEM\wf2f7ff9.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\NCTDI.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\OPE2CONV.DLL ()
PTech 11/9/99 10:55:54 PM 88571 C:\WINDOWS\SYSTEM\MDACRDME.HTM ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\NLNDS.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\PWWEROLD.DLL ()
UPX! 9/13/06 12:31:46 PM 155136 C:\WINDOWS\SYSTEM\oins.exe ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MJACM.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\egtier2.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MHAWT.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\VOEN2.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DGVOICE.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\CLRPOL.DLL ()
UPX! 9/13/06 12:31:58 PM 61952 C:\WINDOWS\SYSTEM\ceh5fdc8.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\TBD32.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DHTIME.DLL ()
69.59.186.63 9/13/06 12:32:10 PM 32256 C:\WINDOWS\SYSTEM\dmonwv.dll ()
209.66.67.134 9/13/06 12:32:10 PM 32256 C:\WINDOWS\SYSTEM\dmonwv.dll ()
66.63.167.97 9/13/06 12:32:10 PM 32256 C:\WINDOWS\SYSTEM\dmonwv.dll ()
66.63.167.77 9/13/06 12:32:10 PM 32256 C:\WINDOWS\SYSTEM\dmonwv.dll ()
web-nex 9/13/06 12:32:10 PM 32256 C:\WINDOWS\SYSTEM\dmonwv.dll ()
rec2_run 9/13/06 12:32:10 PM 32256 C:\WINDOWS\SYSTEM\dmonwv.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\LUDIS10N.dll ()
ad-w-a-r-e.com 9/13/06 12:32:12 PM 226592 C:\WINDOWS\SYSTEM\lwmpg12n.dll ()
UPX! 9/13/06 12:32:36 PM 29696 C:\WINDOWS\SYSTEM\wf3048de.dll ()
UPX! 9/13/06 12:32:36 PM 29696 C:\WINDOWS\SYSTEM\wf304948.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\atfsipc.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\lqkrn10N.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\ecshared.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\mascp.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\mj43dmod.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\wtspdmod.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\Mvvcrt10.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\IP32_32.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\HIFpcf13.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\morepl35.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DJVENUM.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\GQDEF.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\OYBCCR32.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\OGETHK32.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\lrpcx10N.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MFSHRUI.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\wwp.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MWRD3X40.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\IHMUI.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\SYRRUN.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\FJWPP.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\mdg4dmod.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\HYFmlc13.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\FD20ENU.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\SP1ui32.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DRUSIC16.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\ijctl.dll ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DHDIM.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MFOSS.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\HDINK.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\LWDIS12n.DLL ()
ad-w-a-r-e.com 9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DRCOBJ.DLL ()

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/16/06 7:46:40 PM RH 1200160 C:\WINDOWS\USER.DAT ()
9/16/06 7:46:10 PM RH 12595248 C:\WINDOWS\SYSTEM.DAT ()
9/16/06 7:44:44 PM H 1002826 C:\WINDOWS\ShellIconCache ()
9/16/06 6:10:26 PM H 10638 C:\WINDOWS\ttfCache ()
9/13/06 12:32:12 PM R S 226592 C:\WINDOWS\SYSTEM\DUVVOX.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MKVCRT40.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\LERTREND.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\CQGWIZ.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MBTEXT40.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\NCTDI.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\OPE2CONV.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\NLNDS.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\PWWEROLD.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MJACM.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\egtier2.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MHAWT.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\VOEN2.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DGVOICE.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\CLRPOL.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\TBD32.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DHTIME.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\LUDIS10N.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\atfsipc.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\lqkrn10N.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\ecshared.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\mascp.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\mj43dmod.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\wtspdmod.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\Mvvcrt10.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\IP32_32.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\HIFpcf13.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\morepl35.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DJVENUM.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\GQDEF.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\OYBCCR32.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\OGETHK32.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\lrpcx10N.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MFSHRUI.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\wwp.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MWRD3X40.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\IHMUI.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\SYRRUN.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\FJWPP.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\mdg4dmod.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\HYFmlc13.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\FD20ENU.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\SP1ui32.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DRUSIC16.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\ijctl.dll ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DHDIM.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\MFOSS.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\HDINK.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\LWDIS12n.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\DRCOBJ.DLL ()
9/13/06 12:33:06 PM R S 226592 C:\WINDOWS\SYSTEM\icengine.dll ()
8/31/06 7:43:16 AM RHS 409600 C:\WINDOWS\SYSTEM\Eswu\ovgan.exe ()
9/16/06 7:44:22 PM H 186 C:\WINDOWS\TEMP\ffastlog.txt ()
9/10/06 7:15:54 PM H 20480 C:\WINDOWS\Application Data\Microsoft\Word\~WRL0007.tmp ()
9/16/06 1:22:36 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WDUB41I3\desktop.ini ()
9/16/06 1:22:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\O9EZ4LQ3\desktop.ini ()
9/16/06 1:22:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8LO7SNKJ\desktop.ini ()
9/16/06 1:22:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\58SNLPOL\desktop.ini ()
9/16/06 1:22:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4RBVQOPX\desktop.ini ()
9/16/06 1:22:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8123CDE7\desktop.ini ()
9/16/06 1:22:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\5KWN5LS1\desktop.ini ()
9/16/06 1:22:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GD63WX6R\desktop.ini ()
9/16/06 1:22:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ANCDITQR\desktop.ini ()
9/16/06 1:22:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ZNHFJXOW\desktop.ini ()
9/16/06 1:22:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\E3YV6LIJ\desktop.ini ()
9/16/06 1:22:46 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\3J93FX0W\desktop.ini ()
9/16/06 1:22:46 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\RN5ZRPCW\desktop.ini ()
9/16/06 1:22:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\6HH6R69O\desktop.ini ()
9/16/06 1:22:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\G73B201H\desktop.ini ()
9/16/06 1:23:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\0TQVOPIJ\desktop.ini ()
9/16/06 1:23:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\85EVCX27\desktop.ini ()
9/16/06 1:23:02 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\320JFTGX\desktop.ini ()
9/16/06 1:23:02 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\Y152Z2PK\desktop.ini ()
9/16/06 1:23:02 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\LV7JHHCE\desktop.ini ()
9/16/06 1:23:02 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\SLCRW3SB\desktop.ini ()
9/16/06 1:23:04 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\5OBHMG68\desktop.ini ()
9/16/06 1:23:06 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\W5QVCPYN\desktop.ini ()
9/16/06 1:23:06 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\L4KVP5GH\desktop.ini ()
9/16/06 1:23:06 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\65FOTON6\desktop.ini ()
9/16/06 1:23:06 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\U9CFA9Q5\desktop.ini ()
9/16/06 1:23:20 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\MBXPH256\desktop.ini ()
9/16/06 1:23:28 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\54KF1D4D\desktop.ini ()
9/16/06 7:44:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
9/13/06 12:31:36 PM RHS 71680 C:\WINDOWS\resh\wowexec.exe ()

Checking for CPL files...
4/23/99 10:22:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 60928 C:\WINDOWS\SYSTEM\INTL.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 420864 C:\WINDOWS\SYSTEM\MMSYS.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 93248 C:\WINDOWS\SYSTEM\MODEM.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL (Microsoft Corporation)
8/8/99 10:17:12 AM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 51984 C:\WINDOWS\SYSTEM\POWERCFG.CPL (Microsoft Corporation)
5/1/02 6:51:36 PM 192512 C:\WINDOWS\SYSTEM\JOY.CPL (Microsoft Corporation)
6/26/00 10:01:42 AM 720896 C:\WINDOWS\SYSTEM\PROSETP.CPL (Intel Corporation)
4/23/99 10:22:00 PM 66048 C:\WINDOWS\SYSTEM\ACCESS.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 72192 C:\WINDOWS\SYSTEM\APPWIZ.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 103424 C:\WINDOWS\SYSTEM\MAIN.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 70656 C:\WINDOWS\SYSTEM\STICPL.CPL ()
4/23/99 10:22:00 PM 387072 C:\WINDOWS\SYSTEM\SYSDM.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 14848 C:\WINDOWS\SYSTEM\TELEPHON.CPL (Microsoft Corporation)
4/23/99 10:22:00 PM 37376 C:\WINDOWS\SYSTEM\TIMEDATE.CPL (Microsoft Corporation)
2/10/99 3:48:48 AM 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL (Microsoft Corporation)
8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL (Microsoft Corporation)
2/20/03 4:42:34 PM 229487 C:\WINDOWS\SYSTEM\jpicpl32.cpl (Sun Microsystems)
12/14/03 9:20:50 AM 323072 C:\WINDOWS\SYSTEM\QuickTime.cpl (Apple Computer, Inc.)
7/11/97 53520 C:\WINDOWS\SYSTEM\MLCFG32.CPL (Microsoft Corporation)

Checking for Downloaded Program Files...
{00000161-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.micros.../i386/msaud.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com...ex/qtplugin.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll
{32564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://codecs.micros...i386/wmv8ax.cab
{33363249-0000-0010-8000-00AA00389B71} - - CodeBase = http://codecs.micros...386/i263_32.cab
{33564D57-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.micros...386/wmv9dmo.cab
{406B5949-7190-4245-91A9-30A17DE16AD0} - Snapfish Activia - CodeBase = http://www.snapfish....fishActivia.cab
{90051A81-3018-4826-8B38-DD60B6B53F9C} - Snapfish File Upload ActiveX Control - CodeBase = http://www.snapfish....pfishUpload.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - Update Class - CodeBase = http://v4.windowsupd...7971.8447800926
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ash/swflash.cab
{E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} - DetectMN - CodeBase = http://www.musicnote...ad/npmusicn.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\SYSTEM\dajava.cab
Internet Explorer Classes for Java - - CodeBase = file://C:\WINDOWS\SYSTEM\iejava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/2/06 8:20:22 AM 516 C:\WINDOWS\Start Menu\Programs\StartUp\Acrobat Assistant.lnk ()
4/2/06 8:20:22 AM 275 C:\WINDOWS\Start Menu\Programs\StartUp\Event Reminder.lnk ()
4/2/06 8:20:24 AM 478 C:\WINDOWS\Start Menu\Programs\StartUp\Image Transfer.lnk ()
4/2/06 8:20:22 AM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk ()
12/25/03 7:31:40 PM 225280 C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe (Leader Technologies)
2/24/02 11:30:12 PM 256000 C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe (4)

Checking files in %USERPROFILE%\Application Data folder...
9/16/06 2:34:22 PM 28716 C:\WINDOWS\Application Data\dw.log ()
5/27/05 11:09:10 PM 24448 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT ()
4/14/02 11:04:30 AM 784 C:\WINDOWS\Application Data\mpauth.dat ()
9/14/06 6:55:20 PM 63 C:\WINDOWS\Application Data\Sskdmns.dll ()
9/13/06 12:34:06 PM 553146 C:\WINDOWS\Application Data\Sskknwrd.dll ()
9/14/06 6:53:28 PM 55 C:\WINDOWS\Application Data\Sskuknwrd.dll ()
5/29/05 10:14:00 AM 12 C:\WINDOWS\Application Data\uns.tmp ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.msn.com/
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINDOWS\SYSTEM\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.com/news
\\Search Bar -
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINDOWS\SYSTEM\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\SYSTEM\SHDOCVW.DLL (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL (Microsoft Corporation)
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUS.DLL (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUS.DLL (Yahoo! Inc.)
\{C431BF1E-9E71-4BB6-9C4E-8496D158DB1F} - = ()
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINDOWS\SYSTEM\MSDXM.OCX (Microsoft Corporation)
\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\WebBrowser\\{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - = ()
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll ()
\WebBrowser\\{46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - = ()
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL (Yahoo! Inc.)
\WebBrowser\\{44BE0690-5429-47F0-85BB-3FFD8020233E} - UCmore XP - The Search Accelerator = C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL ()
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{6224f700-cba3-4071-b251-47cb894244cd} - 8192 = ICQ
\\NEXTID - 8195
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8193 =
\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8194 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{6224f700-cba3-4071-b251-47cb894244cd} - ButtonText: ICQ Pro = C:\Program Files\ICQ\ICQ.exe (ICQ Inc.)
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\PROGRAM FILES\AIM95\AIM.EXE (America Online, Inc.)
\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - ButtonText: Yahoo! Services =

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()
\\{00BD7141-4A41-11d1-89EA-0020AFC43773} - 3dfx Voodoo2 Property Sheet = 3dfxV2ps.dll (3dfx Interactive, Inc.)
\\{5E44E225-A408-11CF-B581-008029601108} - Adaptec Directcd Shell Extension = C:\Program Files\Adaptec\DirectCD\shellex.dll (Adaptec)
\\{F802F260-519B-11D1-BB5D-0060974C6013} - ICQ Shell Extension = C:\PROGRAM FILES\ICQ\ICQSHEXT.DLL (ICQ)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\PROGRAM FILES\REAL\REALONE PLAYER\RPSHELL.DLL (RealNetworks, Inc.)
\\{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL (Yahoo! Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry - C:\WINDOWS\scanregw.exe (Microsoft Corporation)
SystemTray - C:\WINDOWS\SYSTEM\SysTray.Exe (Microsoft Corporation)
LoadPowerProfile - C:\WINDOWS\Rundll32.exe (Microsoft Corporation)
Voodoo2 - C:\WINDOWS\rundll32.exe (Microsoft Corporation)
EnsoniqMixer - C:\WINDOWS\starter.exe (Creative Technology, Ltd.)
RoxioEngineUtility - C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)
TheMonitor - C:\WINDOWS\DUCE6.exe ()
sys03969849206 - C:\WINDOWS\sys03969849206.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile - C:\WINDOWS\Rundll32.exe (Microsoft Corporation)
SchedulingAgent - C:\WINDOWS\SYSTEM\mstask.exe (Microsoft Corporation)
Machine Debug Manager - C:\WINDOWS\SYSTEM\MDM.EXE ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe ()
RealPlayer - C:\Program Files\Real\RealOne Player\realplay.exe (RealNetworks, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\WINDOWS\Start Menu\Programs\StartUp\Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
C:\WINDOWS\Start Menu\Programs\StartUp\Event Reminder.lnk - D:\PMG4\PMREMIND.EXE ()
C:\WINDOWS\Start Menu\Programs\StartUp\Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe ()
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe (Leader Technologies)
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe (4)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
TaskMonitor C:\WINDOWS\taskmon.exe
Promon.exe Promon.exe
SMSERIAL sm56hlpr.exe
SaveNow C:\Program Files\SaveNow\SaveNow.exe
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
Mirabilis ICQ C:\Program Files\ICQ\NDetect.exe
Adaptec DirectCD C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
WinampAgent "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
tgcmd "C:\Program Files\Support.com\bin\tgcmd.exe" /server
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
LoadQM loadqm.exe
SM1BG C:\WINDOWS\SM1BG.EXE
CreateCD C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
AEHKORUX C:\WINDOWS\AEHKORUX.exe
WildTangent CDA RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
cronos C:\WINDOWS\marco!.scr
xload "C:\WINDOWS\XLOAD.exe"
webHancer Agent "C:\Program Files\webHancer\Programs\whAgent.exe"
webHancer Survey Companion "C:\Program Files\webHancer\Programs\whSurvey.exe"
keyboard C:\\KYBRDFF_18.exe
septpop06apsept C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
Internet Optimizer "C:\Program Files\Internet Optimizer\optimize.exe"
pop06apelt C:\WINDOWS\THISELT.exe
defender C:\\DFNDRFF_E1.exe
ceh5fdc8 RUNDLL32.EXE wf2f7ff9.dll,n 0045fdc400000002f2f7ff9
win3208920696984 C:\WINDOWS\win3208920696984.exe
SurfSideKick 3 C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
sys02696984920 C:\WINDOWS\sys02696984920.exe
autoupdate rundll32 C:\WINDOWS\SYSTEM\DMONWV.DLL,SHStart
gxmcea C:\WINDOWS\hghkfc.exe reg_run
SWRWUNWA C:\WINDOWS\SWRWUNWA.exe
newname C:\\NWNMFF_18.exe
loaddr C:\TOPAFF.EXE
TheMonitor C:\WINDOWS\DUCE6.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
CVPND "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
AIM C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
Mozilla Quick Launch "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
Iprm "C:\WINDOWS\resh\wowexec.exe" -vt yazb
SurfSideKick 3 C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
Znrxhzr C:\WINDOWS\SYSTEM\Eswu\ovgan.exe
duseg C:\WINDOWS\hghkfc.exe reg_run

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]
C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\eBay Toolbar.LNK - C:\Program Files\eBay\eBay Toolbar\4.3.0.8\ebaytbar.exe (eBay)
C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\{9A40F015-9D92-DC46-5633-AA25C272F4AA} - = ()

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

>>> DNS Name Servers <<<
Adapters:
Intel® PRO/100 VE Network Connection
Name Server:

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\mswsosp.dll ()
\000000000002\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\msafd.dll ()
\000000000003\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\msafd.dll ()
\000000000004\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\msafd.dll ()
\000000000005\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\rsvpsp.dll ()
\000000000006\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\rsvpsp.dll ()
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - C:\WINDOWS\SYSTEM\rnr20.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\msdaipp - ()
\ipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»