Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

braviax; winivster.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
melint

melint

    Member

  • Member
  • PipPipPip
  • 166 posts
my pc is infected with these trojans, i have downloaded the silent runner and enclosed the report as i have noticed that you made others do this. i have tried with mcafee and adware to delete these and it quarantines them, but the keep coming back. please help, thanks

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]
"braviax" = "C:\WINDOWS\system32\braviax.exe" [null data]
"AdobeUpdater" = "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" ["Adobe Systems Incorporated"]
"AdwareAlert" = "C:\Program Files\AdwareAlert\AdwareAlert.exe -boot" ["C-NetMedia"]
"PC Suite Tray" = ""C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"braviax" = "C:\WINDOWS\system32\braviax.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll" ["Yahoo! Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DBFB267C-334F-4F19-A304-63B7130C20C7}" = "MediaCenter Property Page"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "arpower.dll" ["Microsoft"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{329E4C0E-9B95-4EA9-83AF-5B6FBD190477}" = "*"
-> {HKLM...CLSID} = "Burn My Files ( New ) "
\InProcServer32\(Default) = "C:\PROGRA~1\GetData\BURNMY~1\BURNMY~1.DLL" ["GetData Pty Ltd"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\phonebrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> application/x-vcm8\CLSID = "{560A62D2-E52E-4BC6-A88C-5E4651A2C1D1}"
-> {HKLM...CLSID} = "VersaCheck Messenger MIME Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX" ["G7 Productivity Systems, Inc."]
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {HKLM...CLSID} = "IMMenuShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll" ["IncrediMail, Ltd."]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\mcctxmnu.dll" ["McAfee, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\mcctxmnu.dll" ["McAfee, Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
*\(Default) = "{329E4C0E-9B95-4EA9-83AF-5B6FBD190477}"
-> {HKLM...CLSID} = "Burn My Files ( New ) "
\InProcServer32\(Default) = "C:\PROGRA~1\GetData\BURNMY~1\BURNMY~1.DLL" ["GetData Pty Ltd"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoWindowsUpdate" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove links and access to Windows Update}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\HP\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\TOOLS\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Enabled Scheduled Tasks:
------------------------

"AdwareAlert Scheduled Scan" -> launches: "C:\Program Files\AdwareAlert\AdwareAlert.exe scheduled" ["C-NetMedia"]
"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"McDefragTask" -> launches: "C:\WINDOWS\system32\defrag.exe C: -f" ["Microsoft Corp. and Executive Software International, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll" ["Yahoo! Inc."]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\4144\SiteAdv.dll" [file not found]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = "&Yahoo! Messenger"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D9288080-1BAA-4BC4-9CF8-A92D743DB949}\
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk" [null data]

{E2D4D26B-0180-43A4-B05F-462D6D54C789}\
"ButtonText" = "Internet Connection Help"
"MenuText" = "Internet Connection Help"
"Script" = "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ARSVC, ARSVC, "C:\WINDOWS\arservice.exe" ["Microsoft"]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe" ["McAfee, Inc."]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
ptssvc, ptssvc, "C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe" ["KODAK"]
ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "arkbcfltr" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PDI Port\Driver = "PDIPortNT.dll" ["Neovi Data Corporation"]


---------- (launch time: 2008-04-03 13:08:42)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 60 seconds.
---------- (total run time: 105 seconds)
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nice report but alas I usually ask for that if needed much later on - Still lets get to work shall we

First off I will kill the file and see what else you have

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

  • 0

#3
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
i did as you said and all went well. here is the report you requested

Attached Files


  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That took some out - now for stage 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#5
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
ComboFix 08-04-03.5 - HP_Administrator 2008-04-04 10:44:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.402 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pack.epk
C:\WINDOWS\system32\bcqxuet.dat
C:\WINDOWS\system32\bcqxuet.exe
C:\WINDOWS\system32\bcqxuet_nav.dat
C:\WINDOWS\system32\bcqxuet_navps.dat
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\nvs2.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-03 17:15 . 2008-04-03 17:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-03 15:58 . 2008-04-03 18:39 <DIR> d-------- C:\SDFix
2008-04-03 09:41 . 2008-03-31 14:42 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-04-03 09:33 . 2008-04-03 09:33 <DIR> d-------- C:\Program Files\AdwareAlert
2008-04-03 09:33 . 2008-04-03 09:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert
2008-04-02 12:27 . 2008-04-02 16:21 <DIR> d-------- C:\SDAT
2008-04-02 12:07 . 2008-04-02 16:12 42,825,158 --a------ C:\sdat5265.exe
2008-04-02 10:47 . 2008-04-02 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-02 10:36 . 2008-04-02 10:36 61,224 --a------ C:\Documents and Settings\HP_Administrator\GoToAssistDownloadHelper.exe
2008-04-02 10:21 . 2008-04-02 10:21 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee
2008-04-01 17:56 . 2008-04-01 17:56 <DIR> d-------- C:\Documents and Settings\HP_Administrator\DoctorWeb
2008-03-30 21:32 . 2008-03-31 15:46 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia Multimedia Player
2008-03-30 21:16 . 2008-03-30 21:16 <DIR> d-------- C:\Program Files\DIFX
2008-03-30 21:16 . 2008-03-30 21:30 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia
2008-03-30 21:16 . 2008-03-30 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-30 21:15 . 2008-03-30 22:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Suite
2008-03-30 21:15 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-30 21:15 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-30 21:15 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-30 21:15 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-30 21:15 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-30 21:14 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\Nokia
2008-03-30 21:12 . 2008-03-30 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-27 12:03 . 2008-03-27 12:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVS4YOU
2008-03-27 12:03 . 2008-03-27 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-27 12:02 . 2008-03-27 12:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-03-27 12:02 . 2008-03-27 12:03 <DIR> d-------- C:\Program Files\AVS4YOU
2008-03-26 21:45 . 2008-03-29 08:49 <DIR> d-------- C:\Program Files\iTunes
2008-03-25 16:11 . 2008-03-25 16:12 <DIR> d-------- C:\NEO_DVD
2008-03-08 17:31 . 2008-03-08 17:31 <DIR> d-------- C:\Program Files\GetData
2008-03-08 17:31 . 2008-03-25 16:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-07 16:47 . 2008-03-07 16:53 <DIR> d-------- C:\WALKOFF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 14:15 6,500 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-04-02 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-01 11:25 --------- d-----w C:\Program Files\Check Printing Software 2000 V2.0
2008-03-31 20:57 --------- d-----w C:\Program Files\QuickTime
2008-03-29 13:43 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-29 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-27 02:45 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-03-27 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-25 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-12 08:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-19 02:05 --------- d-----w C:\Program Files\McAfee
2006-05-22 23:30 591 ----a-w C:\Documents and Settings\HP_Administrator\DMOrganizer.dat
2005-11-06 18:28 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-03-30 09:25 204843]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2008-03-30 09:25 4662776]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-04-02 14:25 7173360]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-31 16:37 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-03-30 09:25 582992]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-30 09:25 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2008-03-30 09:25 4662776]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"msacm.ac3acm"= AC3ACM.acm
"vidc.dvsd"= mcdvd_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
backup=C:\WINDOWS\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 08:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-02 19:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcqxuet]
c:\windows\system32\bcqxuet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-09 16:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 05:01 90112 c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 16:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 02:12 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-11-09 12:29 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 18:35 49152 c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 19:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 16:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 20:34 5354792 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 15:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~2\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-30 09:25 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 18:14 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2004-12-13 22:23 663552 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
--a------ 2004-09-17 03:45 118784 C:\Program Files\MySoftware\MyInvoices\tracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-03-30 09:25 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 09:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-03-31 14:42]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 11:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 13:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 14:26]
R2 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [2001-08-15 06:43]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2005-12-28 12:46]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2005-12-28 12:47]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2005-12-28 12:47]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2005-12-28 12:48]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2005-12-28 12:49]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys []
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S4 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b042c90c-1cf8-11dc-aac7-0016172e4c35}]
\Shell\AutoRun\command - L:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-04-04 15:45:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-15 06:26:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 07:00:13 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 10:48:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-04 10:50:09
ComboFix-quarantined-files.txt 2008-04-04 15:50:06
Pre-Run: 113,216,487,424 bytes free
Post-Run: 113,189,208,064 bytes free
.
2008-03-12 08:03:15 --- E O F ---
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK getting there :)

Some more to do

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\bcqxuet.exe

Folder::
C:\PROGRAM FILES\MYWEBSEARCH
C:\Program Files\Zango

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcqxuet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


NOTE WELL

The following files are infected and I would recommend uninstalling the programmes, then re-install a fresh copy

C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe


Logs required : Combofix and a new Hijackthis - plus how is your computer now ?
  • 0

#7
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
here is the combofix log, my pc doesn't have the infected message it used to, that 's a good sign


ComboFix 08-04-03.5 - HP_Administrator 2008-04-04 17:04:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.392 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-03 17:15 . 2008-04-03 17:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-03 15:58 . 2008-04-03 18:39 <DIR> d-------- C:\SDFix
2008-04-03 09:41 . 2008-03-31 14:42 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-04-03 09:33 . 2008-04-03 09:33 <DIR> d-------- C:\Program Files\AdwareAlert
2008-04-03 09:33 . 2008-04-03 09:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert
2008-04-02 12:27 . 2008-04-02 16:21 <DIR> d-------- C:\SDAT
2008-04-02 12:07 . 2008-04-02 16:12 42,825,158 --a------ C:\sdat5265.exe
2008-04-02 10:47 . 2008-04-02 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-02 10:36 . 2008-04-02 10:36 61,224 --a------ C:\Documents and Settings\HP_Administrator\GoToAssistDownloadHelper.exe
2008-04-02 10:21 . 2008-04-02 10:21 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee
2008-04-01 17:56 . 2008-04-01 17:56 <DIR> d-------- C:\Documents and Settings\HP_Administrator\DoctorWeb
2008-03-30 21:32 . 2008-03-31 15:46 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia Multimedia Player
2008-03-30 21:16 . 2008-03-30 21:16 <DIR> d-------- C:\Program Files\DIFX
2008-03-30 21:16 . 2008-03-30 21:30 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia
2008-03-30 21:16 . 2008-03-30 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-30 21:15 . 2008-03-30 22:43 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Suite
2008-03-30 21:15 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-30 21:15 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-30 21:15 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-30 21:15 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-30 21:15 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-30 21:14 . 2008-03-30 21:15 <DIR> d-------- C:\Program Files\Nokia
2008-03-30 21:12 . 2008-03-30 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-27 12:03 . 2008-03-27 12:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVS4YOU
2008-03-27 12:03 . 2008-03-27 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-27 12:02 . 2008-03-27 12:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-03-27 12:02 . 2008-03-27 12:03 <DIR> d-------- C:\Program Files\AVS4YOU
2008-03-26 21:45 . 2008-03-29 08:49 <DIR> d-------- C:\Program Files\iTunes
2008-03-25 16:11 . 2008-03-25 16:12 <DIR> d-------- C:\NEO_DVD
2008-03-08 17:31 . 2008-03-08 17:31 <DIR> d-------- C:\Program Files\GetData
2008-03-08 17:31 . 2008-03-25 16:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-07 16:47 . 2008-03-07 16:53 <DIR> d-------- C:\WALKOFF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 14:15 6,500 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-04-02 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-01 11:25 --------- d-----w C:\Program Files\Check Printing Software 2000 V2.0
2008-03-31 20:57 --------- d-----w C:\Program Files\QuickTime
2008-03-29 13:43 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-29 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-27 02:45 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-03-27 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-25 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-12 08:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-19 02:05 --------- d-----w C:\Program Files\McAfee
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2006-05-22 23:30 591 ----a-w C:\Documents and Settings\HP_Administrator\DMOrganizer.dat
2005-11-06 18:28 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
.

((((((((((((((((((((((((((((( [email protected]_10.49.55.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-04 14:27:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-04 19:06:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-04 14:27:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-04 19:06:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-03-30 09:25 204843]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2008-03-30 09:25 4662776]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-04-02 14:25 7173360]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-31 16:37 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-03-30 09:25 582992]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-30 09:25 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2008-03-30 09:25 4662776]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"msacm.ac3acm"= AC3ACM.acm
"vidc.dvsd"= mcdvd_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
backup=C:\WINDOWS\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 08:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-02 19:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-09 16:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 05:01 90112 c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 16:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 02:12 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-11-09 12:29 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 18:35 49152 c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 19:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 16:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 16:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 20:34 5354792 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 15:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-30 09:25 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 18:14 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2004-12-13 22:23 663552 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
--a------ 2004-09-17 03:45 118784 C:\Program Files\MySoftware\MyInvoices\tracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-03-30 09:25 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 09:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-03-31 14:42]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 11:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 13:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 14:26]
R2 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [2001-08-15 06:43]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2005-12-28 12:46]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2005-12-28 12:47]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2005-12-28 12:47]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2005-12-28 12:48]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2005-12-28 12:49]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys []
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S4 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b042c90c-1cf8-11dc-aac7-0016172e4c35}]
\Shell\AutoRun\command - L:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 16:14:55 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-04-04 21:45:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-15 06:26:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-03-01 07:00:13 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 17:07:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-04 17:09:48
ComboFix-quarantined-files.txt 2008-04-04 22:09:43
ComboFix2.txt 2008-04-04 19:45:40
ComboFix3.txt 2008-04-04 15:50:10
Pre-Run: 113,272,692,736 bytes free
Post-Run: 113,246,949,376 bytes free
.
2008-03-12 08:03:15 --- E O F ---
  • 0

#8
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
i finally found the hijack file to download it, lol here is the report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:17 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/card-games
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgall..._1/axhomepr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.98
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - C:\PROGRA~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://myspace-539.v...944385539_m.gif

--
End of file - 9410 bytes
  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Did you see the warning in my previous post ?

NOTE WELL

The following files are infected and I would recommend uninstalling the programmes, then re-install a fresh copy

C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe


A final registry cleaning and stray file removal run now :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : MBAM and a new Hijackthis log
  • 0

#10
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
here are the 2 reports requested. i did get the memo to delete and reinstall the files you listed, however i'm not sure if you mean to remove the entire program or just that part of it, and if it's the entire program should i do that in the add/remove program section or just delete it in windows explorer? thanks so much for your help, you are such a blessing


Malwarebytes' Anti-Malware 1.10
Database version: 592

Scan type: Quick Scan
Objects scanned: 37617
Time elapsed: 27 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 49
Files Infected: 1384

Memory Processes Infected:
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6743c36c-cbfe-11db-9705-005056c00008} (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{6743c36c-cbfe-11db-9705-005056c00008} (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5b4016981c40d5f4b9925ed64ad7b526 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\70b07021d02a5e347a162b223ea41cd5 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\a30d1592adaa3d743884b8318328ad99 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\a491438a809f60f458df33e67c80a5d2 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\bf91bd5c23255be4c8550acdf0f2ee89 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\cb6591e4426ef2b49aee7437e1144918 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\e326614894984a1468ca53b7dfcf99a5 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\FilterDrv\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-56-18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-10-42-13 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-10-43-43 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-19-25-34 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-22-48-20 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\04-04-2008-08-16-08 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\04-04-2008-11-19-42 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\04-04-2008-17-28-45 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\04-04-2008-18-52-05 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\05-04-2008-07-00-41 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\159.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\160.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\163.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\191.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\192.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\193.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\200.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\203.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\204.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\205.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\206.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\207.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\355.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\434.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\438.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\439.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\440.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\442.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\445.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\454.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\462.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\472.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\479.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\481.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\482.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\483.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\539.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\545.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\547.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\553.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\558.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Installer\{B94DE948-AAF7-48F3-AA8B-1FF399FD8EC9}\Icon.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.url (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\DataBase.ref (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Difxapi.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\vistaCPtasks.xml (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.amd64.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.cat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.inf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.x86.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\AdwareAlert on the Web.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Log\2008 Apr 04 - 05_24_30 PM_187.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Log\2008 Apr 04 - 11_14_55 AM_171.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Log\2008 Apr 05 - 03_00_00 AM_811.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Log\2008 Apr 05 - 03_00_01 AM_296.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\0.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\0.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\1.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\1.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\10.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\10.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\100.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\100.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\101.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\101.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\102.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\102.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\103.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\103.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\104.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\104.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\105.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\105.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\106.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\106.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\107.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\107.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\108.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\108.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\109.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\109.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\11.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\11.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\110.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\110.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\111.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\111.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\112.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\112.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\113.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\113.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\114.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\114.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\115.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\115.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\116.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\116.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\117.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\117.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\118.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\118.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\119.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\119.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\12.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\12.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\120.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\120.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\121.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\121.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\122.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\122.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\123.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\123.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\124.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\124.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\125.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\125.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\126.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\126.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\127.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\127.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\128.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\128.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\129.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\129.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\13.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\13.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\130.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\130.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\131.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\131.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\132.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\132.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\133.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\133.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\134.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\134.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\135.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\135.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\136.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\136.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\137.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\137.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\138.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\138.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\139.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\139.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\14.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\14.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\140.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\140.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\141.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\141.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\142.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\142.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\143.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\143.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\144.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\144.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\145.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\145.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\146.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\146.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\147.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\147.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\148.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\148.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\149.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\149.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\15.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\15.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\150.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\150.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\151.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\151.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\152.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\152.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\153.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\153.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\154.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\154.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\155.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\155.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\156.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\156.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\157.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\157.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\158.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\158.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\159.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\16.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\16.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\160.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\161.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\161.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\162.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\162.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\163.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\164.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\164.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\165.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\165.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\166.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\166.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\167.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\167.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\168.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\168.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\169.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\169.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\17.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\17.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\170.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\170.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\171.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\171.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\172.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\172.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\173.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\173.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\174.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\174.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\175.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\175.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\176.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\176.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\177.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\177.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\178.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\178.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\179.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\179.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\18.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\18.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\180.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\180.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\181.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\181.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\182.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\182.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\183.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\183.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\184.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\184.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\185.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\185.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\186.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\186.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\187.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\187.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\188.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\188.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\189.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\189.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\19.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\19.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\190.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\190.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\191.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\192.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\193.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\194.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\194.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\195.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\195.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\196.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\196.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\197.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\197.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\Quarantine\03-04-2008-09-47-55\198.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AdwareAlert\
  • 0

Advertisements


#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well that took out a rogue spyware I did not see

however i'm not sure if you mean to remove the entire program or just that part of it, and if it's the entire program should i do that in the add/remove program section or just delete it in windows explorer?

Uninstall via Add/Remove - but do thise while you are off line as your antivirus is corrupted until you re-install it
Programmes to uninstal : McAfee, QuickTime, IncrediMail, Yahoo! messenger, Nokia PC Suite 6

Now lets chase the final files down

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#12
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
Attached File  OTScanIt.Txt   196.46KB   54 downloads
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks much better now :)

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {942EFF30-F610-413E-854B-DDDEA0E78A1E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-3491572929-91449903-3684209667-1008\] > -> HKEY_USERS\S-1-5-21-3491572929-91449903-3684209667-1008\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {942EFF30-F610-413E-854B-DDDEA0E78A1E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 90 days]
NY -> adwarealert.sys -> %SystemRoot%\System32\drivers\adwarealert.sys
NY -> AdwareAlert Scheduled Scan.job -> %SystemRoot%\tasks\AdwareAlert Scheduled Scan.job
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\Application Data\TEMP:AC6124CA
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\ManualPatch.exe:Zone.Identifier
NY -> pc.exe -> %UserProfile%\My Documents\pc.exe
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\pc.exe:Zone.Identifier
NY -> sehw.zip -> %UserProfile%\My Documents\sehw.zip
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\sehw.zip:Zone.Identifier
NY -> sems.zip -> %UserProfile%\My Documents\sems.zip
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\sems.zip:Zone.Identifier
[Files/Folders - Modified Within 90 days]
NY -> adwarealert.sys -> %SystemRoot%\System32\drivers\adwarealert.sys
NY -> AdwareAlert Scheduled Scan.job -> %SystemRoot%\tasks\AdwareAlert Scheduled Scan.job
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> pc.exe -> %UserProfile%\My Documents\pc.exe
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\pc.exe:Zone.Identifier
NY -> sehw.zip -> %UserProfile%\My Documents\sehw.zip
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\sehw.zip:Zone.Identifier
NY -> sems.zip -> %UserProfile%\My Documents\sems.zip
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\sems.zip:Zone.Identifier
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Logs required : OTScanit report and a new Hijackthis - plus how is your computer running now ?
  • 0

#14
melint

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
i ran the otscan you asked for, it prompted me with a message that it needed to restart to finish removing additional files, i clicked yes it rebooted but no report ever came up. i don't know where to find it. also my pc seems to be always doing something (it makes the sound of working) and the light flickers constantly as if it's busy. i uninstalled the programs you told me to and reinstalled them. please check to see if that fixed that problem. here is the hijack log, should i redo the otscan? thank you
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:06 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/card-games
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgall..._1/axhomepr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.98
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - C:\PROGRA~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX
O23 - Service: McAfee Application Installer Cleanup (0263751207452729) (0263751207452729mcinstcleanup) - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\026375~1.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O24 - Desktop Component 0: (no name) - http://myspace-539.v...944385539_m.gif

--
End of file - 9111 bytes
  • 0

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No the OTScan will have worked - It looks like just one more infection to clear :)

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP