Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Doubleclick and ATMDT[RESOLVED]


  • This topic is locked This topic is locked

#1
CWC

CWC

    Member

  • Member
  • PipPip
  • 13 posts
I keep getting the same parasites over and over - Doubleclick and ATMDT. Whenever I delete them, they end up coming right back (along with some new ones). I have no idea what I'm doing. Help!




Log Contents provided by Enigma Software Group, Inc.
###########################Runnning Processes DATA###########################
processName = SMSS.EXE File Size = 50688 File Path = \SystemRoot\System32\smss.exe ModuleMD5 = bd7fb0957c716f1a60333aee04de2178
processName = WINLOGON.EXE File Size = 502272 File Path = \??\C:\WINDOWS\system32\winlogon.exe ModuleMD5 = 01c3346c241652f43aed8e2149881bfe
processName = SERVICES.EXE File Size = 108032 File Path = C:\WINDOWS\system32\services.exe ModuleMD5 = c6ce6eec82f187615d1002bb3bb50ed4
processName = LSASS.EXE File Size = 13312 File Path = C:\WINDOWS\system32\lsass.exe ModuleMD5 = 84885f9b82f4d55c6146ebf6065d75d2
processName = SVCHOST.EXE File Size = 14336 File Path = C:\WINDOWS\system32\svchost.exe ModuleMD5 = 8f078ae4ed187aaabc0a305146de6716
processName = SVCHOST.EXE File Size = 14336 File Path = C:\WINDOWS\System32\svchost.exe ModuleMD5 = 8f078ae4ed187aaabc0a305146de6716
processName = SPOOLSV.EXE File Size = 57856 File Path = C:\WINDOWS\system32\spoolsv.exe ModuleMD5 = 7435b108b935e42ea92ca94f59c8e717
processName = EXPLORER.EXE File Size = 1032192 File Path = C:\WINDOWS\Explorer.EXE ModuleMD5 = a0732187050030ae399b241436565e64
processName = AVGAMSVR.EXE File Size = 329728 File Path = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe ModuleMD5 = a98cfcb4b47be1abef98c903a6aa873e
processName = AVGUPSVC.EXE File Size = 70144 File Path = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe ModuleMD5 = 64bd967bd30437f32a658e09b04c967a
processName = MDM.EXE File Size = 270336 File Path = C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe ModuleMD5 = e8d95f6d3781648a27cc0c4ddb028ccd
processName = NVSVC32.EXE File Size = 57344 File Path = C:\WINDOWS\System32\nvsvc32.exe ModuleMD5 = cc7442ff55501a2325e8394b966f0eb7
processName = SVCHOST.EXE File Size = 14336 File Path = C:\WINDOWS\System32\svchost.exe ModuleMD5 = 8f078ae4ed187aaabc0a305146de6716
processName = VSMON.EXE File Size = 922720 File Path = C:\WINDOWS\system32\ZONELABS\vsmon.exe ModuleMD5 = 75f8818a2e154159dafde5538d692635
processName = RUNDLL32.EXE File Size = 33280 File Path = C:\WINDOWS\system32\RUNDLL32.EXE ModuleMD5 = da285490bbd8a1d0ce6623577d5ba1ff
processName = ITOUCH.EXE File Size = 200704 File Path = C:\Program Files\Logitech\iTouch\iTouch.exe ModuleMD5 = c98a7eb49cbc98aa18ac6263848ae730
processName = REALPLAY.EXE File Size = 26112 File Path = C:\Program Files\Real\RealPlayer\RealPlay.exe ModuleMD5 = 849d97fe4cc09cfc2772d10f641e1baf
processName = ONETOUCHMON.EXE File Size = 86016 File Path = C:\Program Files\Visioneer OneTouch\OneTouchMon.exe ModuleMD5 = 5f222c25f7b4f8cdcc2fa71adcca44eb
processName = HPQCMON.EXE File Size = 90112 File Path = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe ModuleMD5 = c0de87745c950f2966394837c3683ae5
processName = HPGS2WND.EXE File Size = 69632 File Path = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe ModuleMD5 = d5bc63d2822b8e244e53d2ff8078cc6b
processName = AVGCC.EXE File Size = 347136 File Path = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe ModuleMD5 = 7f0c2657b39969d424b6604443992352
processName = AVGEMC.EXE File Size = 271872 File Path = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe ModuleMD5 = af9354bef717bd60e04f5bf5b9c9eaa2
processName = JUSCHED.EXE File Size = 36975 File Path = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe ModuleMD5 = 1f6573d67dd5dc06dd29ec7fcf81dc6f
processName = GCASSERV.EXE File Size = 473920 File Path = C:\Program Files\Microsoft AntiSpyware\gcasServ.exe ModuleMD5 = e519945deb3875341d36db0ea141e0c5
processName = PPWEBCAP.EXE File Size = 43008 File Path = C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe ModuleMD5 = 63bba881851b9ebd1c190484f4ac15ab
processName = CTFMON.EXE File Size = 15360 File Path = C:\WINDOWS\system32\ctfmon.exe ModuleMD5 = 24232996a38c0b0cf151c2140ae29fc8
processName = MOZILLA.EXE File Size = 146560 File Path = C:\Program Files\mozilla.org\Mozilla\Mozilla.exe ModuleMD5 = ee4bd66bb7e0e4b031c77110fbedbea9
processName = QWDLLS.EXE File Size = 27136 File Path = C:\QUICKENW\QWDLLS.EXE ModuleMD5 = 8cf7fb08725b9c8717c435eb4e0d37f9
processName = ZONEALARM.EXE File Size = 623720 File Path = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe ModuleMD5 = b8c10fee5a526c95377a355df650f141
processName = WKCALREM.EXE File Size = 24633 File Path = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe ModuleMD5 = 7084b58a098d2f83b304832251a8c6a8
processName = WZQKPICK.EXE File Size = 118784 File Path = C:\Program Files\WinZip\WZQKPICK.EXE ModuleMD5 = bb272e4a58c563ebf40f8cb1173da1da
processName = ACROTRAY.EXE File Size = 217193 File Path = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe ModuleMD5 = 78bfe3201ada2fe02d1e35d2488e5f55
processName = SPYSUB.EXE File Size = 1183744 File Path = C:\Program Files\InterMute\SpySubtract\SpySub.exe ModuleMD5 = fb0ef9576dc64c3a7e25d56cb4aafdca
processName = DING.EXE File Size = 339968 File Path = C:\Program Files\Southwest Airlines\Ding\Ding.exe ModuleMD5 = edc16dd6dc38d0bcd0542afaf4123e1c
processName = HPGS2WNF.EXE File Size = 77824 File Path = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe ModuleMD5 = 59380d1808a83aa4150f550f45bee3a9
processName = GCASDTSERV.EXE File Size = 752456 File Path = C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe ModuleMD5 = ebb4d674ec5c5b34ef8a1ba14676de8e
processName = SPYHUNTER.EXE File Size = 2469888 File Path = C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe ModuleMD5 = b0966fa7fbc70d83e6bdbf7257247bff
###########################REGISTRY MD5 DATA###########################
<HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN>
Name=NvCplDaemon Data=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize FileSize = 33280 MD5=
Name=zBrowser Launcher Data=C:\Program Files\Logitech\iTouch\iTouch.exe FileSize = 200704 MD5=c98a7eb49cbc98aa18ac6263848ae730
Name=EM_EXEC Data=C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE FileSize = MD5=********************************
Name=GWMDMpi Data=C:\WINDOWS\GWMDMpi.exe FileSize = 40960 MD5=3b35d632f30cf27ccf9bd78a8896ff88
Name=nwiz Data=nwiz.exe /install FileSize = 303104 MD5=
Name=WorksFUD Data=C:\Program Files\Microsoft Works\wkfud.exe FileSize = 24576 MD5=9d05d00e8631b7874d164d6dedd6d801
Name=Microsoft Works Portfolio Data=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers FileSize = 311350 MD5=98cb1b841fd1b0e12897352f18dddae1
Name=RealTray Data=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER FileSize = 26112 MD5=849d97fe4cc09cfc2772d10f641e1baf
Name=OneTouch Monitor Data=C:\Program Files\Visioneer OneTouch\OneTouchMon.exe FileSize = 86016 MD5=5f222c25f7b4f8cdcc2fa71adcca44eb
Name=CamMonitor Data=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe FileSize = 90112 MD5=c0de87745c950f2966394837c3683ae5
Name=Share-to-Web Namespace Daemon Data=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe FileSize = 69632 MD5=d5bc63d2822b8e244e53d2ff8078cc6b
Name=AVG7_CC Data=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP FileSize = 347136 MD5=7f0c2657b39969d424b6604443992352
Name=AVG7_EMC Data=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe FileSize = 271872 MD5=af9354bef717bd60e04f5bf5b9c9eaa2
Name=SunJavaUpdateSched Data=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe FileSize = 36975 MD5=1f6573d67dd5dc06dd29ec7fcf81dc6f
Name=gcasServ Data="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" FileSize = 473920 MD5=e519945deb3875341d36db0ea141e0c5
Name=SpyHunter Data=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
FileSize = 2469888 MD5=b0966fa7fbc70d83e6bdbf7257247bff
<HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX>
<HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE>
<HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN>
Name=PPWebCap Data=C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe FileSize = 43008 MD5=63bba881851b9ebd1c190484f4ac15ab
Name=ctfmon.exe Data=C:\WINDOWS\system32\ctfmon.exe FileSize = 15360 MD5=24232996a38c0b0cf151c2140ae29fc8
Name=HXIUL.EXE Data=C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE FileSize = MD5=********************************
Name=Mozilla Quick Launch Data="C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
FileSize = 146560 MD5=ee4bd66bb7e0e4b031c77110fbedbea9
<HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE>
<HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN>
Name=AVG7_Run Data=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
FileSize = 148992 MD5=2c0e9fe0586174df26ed886133f37c06
<HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE>
Name=RunNarrator Data=Narrator.exe
FileSize = 53760 MD5=
#############################FILE MD5 DATA#############################
<C:\Documents and Settings\Owner\Start Menu\Programs\Startup>
File Path = C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini File Size = 16384 md5=d6a6856702e3f0953e7246a9b4a9fe35
#############################SERVICES DATA#############################
Service Name = ALG Service Display Name = Application Layer Gateway Service Opened = YES Status = Running Query = SUCCESS Service Type = 16 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\alg.exe Binary Size = 44544 Binary MD5 = f1958fbf86d5c004cf19a5951a9514b7
Service Name = AudioSrv Service Display Name = Windows Audio Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = Avg7Alrt Service Display Name = AVG7 Alert Manager Server Opened = YES Status = Running Query = SUCCESS Service Type = 272 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe Binary Size = 329728 Binary MD5 = a98cfcb4b47be1abef98c903a6aa873e
Service Name = Avg7UpdSvc Service Display Name = AVG7 Update Service Opened = YES Status = Running Query = SUCCESS Service Type = 16 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe Binary Size = 70144 Binary MD5 = 64bd967bd30437f32a658e09b04c967a
Service Name = BITS Service Display Name = Background Intelligent Transfer Service Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = CryptSvc Service Display Name = Cryptographic Services Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = DcomLaunch Service Display Name = DCOM Server Process Launcher Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\svchost -k DcomLaunch Binary Size = 0 Binary MD5 =
Service Name = Dhcp Service Display Name = DHCP Client Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = Dnscache Service Display Name = DNS Client Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k NetworkService Binary Size = 0 Binary MD5 =
Service Name = ERSvc Service Display Name = Error Reporting Service Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 0 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = Eventlog Service Display Name = Event Log Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\services.exe Binary Size = 108032 Binary MD5 = c6ce6eec82f187615d1002bb3bb50ed4
Service Name = EventSystem Service Display Name = COM+ Event System Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = FastUserSwitchingCompatibility Service Display Name = Fast User Switching Compatibility Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = helpsvc Service Display Name = Help and Support Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = lanmanserver Service Display Name = Server Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = lanmanworkstation Service Display Name = Workstation Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = LmHosts Service Display Name = TCP/IP NetBIOS Helper Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k LocalService Binary Size = 0 Binary MD5 =
Service Name = MDM Service Display Name = Machine Debug Manager Opened = YES Status = Running Query = SUCCESS Service Type = 272 Service Start Type = 2 Service Error Control = 1 Service Binary Path = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" Binary Size = 0 Binary MD5 =
Service Name = Netman Service Display Name = Network Connections Opened = YES Status = Running Query = SUCCESS Service Type = 288 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = Nla Service Display Name = Network Location Awareness (NLA) Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = NVSvc Service Display Name = NVIDIA Driver Helper Service Opened = YES Status = Running Query = SUCCESS Service Type = 16 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\nvsvc32.exe Binary Size = 57344 Binary MD5 = cc7442ff55501a2325e8394b966f0eb7
Service Name = PlugPlay Service Display Name = Plug and Play Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\services.exe Binary Size = 108032 Binary MD5 = c6ce6eec82f187615d1002bb3bb50ed4
Service Name = PolicyAgent Service Display Name = IPSEC Services Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\lsass.exe Binary Size = 13312 Binary MD5 = 84885f9b82f4d55c6146ebf6065d75d2
Service Name = ProtectedStorage Service Display Name = Protected Storage Opened = YES Status = Running Query = SUCCESS Service Type = 288 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\lsass.exe Binary Size = 13312 Binary MD5 = 84885f9b82f4d55c6146ebf6065d75d2
Service Name = RasMan Service Display Name = Remote Access Connection Manager Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = RpcSs Service Display Name = Remote Procedure Call (RPC) Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\svchost -k rpcss Binary Size = 0 Binary MD5 =
Service Name = SamSs Service Display Name = Security Accounts Manager Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\lsass.exe Binary Size = 13312 Binary MD5 = 84885f9b82f4d55c6146ebf6065d75d2
Service Name = Schedule Service Display Name = Task Scheduler Opened = YES Status = Running Query = SUCCESS Service Type = 288 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = seclogon Service Display Name = Secondary Logon Opened = YES Status = Running Query = SUCCESS Service Type = 288 Service Start Type = 2 Service Error Control = 0 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = SENS Service Display Name = System Event Notification Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = SharedAccess Service Display Name = Windows Firewall/Internet Connection Sharing (ICS) Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = ShellHWDetection Service Display Name = Shell Hardware Detection Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 0 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = Spooler Service Display Name = Print Spooler Opened = YES Status = Running Query = SUCCESS Service Type = 272 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\spoolsv.exe Binary Size = 57856 Binary MD5 = 7435b108b935e42ea92ca94f59c8e717
Service Name = srservice Service Display Name = System Restore Service Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = SSDPSRV Service Display Name = SSDP Discovery Service Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k LocalService Binary Size = 0 Binary MD5 =
Service Name = stisvc Service Display Name = Windows Image Acquisition (WIA) Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k imgsvc Binary Size = 0 Binary MD5 =
Service Name = TapiSrv Service Display Name = Telephony Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = TermService Service Display Name = Terminal Services Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 3 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost -k DComLaunch Binary Size = 0 Binary MD5 =
Service Name = Themes Service Display Name = Themes Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = TrkWks Service Display Name = Distributed Link Tracking Client Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = vsmon Service Display Name = TrueVector Internet Monitor Opened = YES Status = Running Query = SUCCESS Service Type = 272 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\ZONELABS\vsmon.exe -service Binary Size = 0 Binary MD5 =
Service Name = W32Time Service Display Name = Windows Time Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = WebClient Service Display Name = WebClient Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k LocalService Binary Size = 0 Binary MD5 =
Service Name = winmgmt Service Display Name = Windows Management Instrumentation Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 0 Service Binary Path = C:\WINDOWS\system32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = wscsvc Service Display Name = Security Center Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = wuauserv Service Display Name = Automatic Updates Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\system32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
Service Name = WZCSVC Service Display Name = Wireless Zero Configuration Opened = YES Status = Running Query = SUCCESS Service Type = 32 Service Start Type = 2 Service Error Control = 1 Service Binary Path = C:\WINDOWS\System32\svchost.exe -k netsvcs Binary Size = 0 Binary MD5 =
#############################WINLOGON DATA#############################
<HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWSNT\CURRENTVERSION\WINLOGON\NOTIFY>
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain Filepath = C:\WINDOWS\system32\crypt32.dll File Size = 597504 File MD5 = efc958396a7a7ef7e6d4a52b97512e18
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet Filepath = C:\WINDOWS\system32\cryptnet.dll File Size = 63488 File MD5 = cad4aa32e7eca00c23cc39c0eb833f9d
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll Filepath = C:\WINDOWS\system32\cscdll.dll File Size = 101888 File MD5 = 587729679b4fe04ce06a5c61d6c56dcd
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp Filepath = C:\WINDOWS\system32\wlnotify.dll File Size = 92672 File MD5 = a599e5e366c1408e48aa5d37882d4e3e
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule Filepath = C:\WINDOWS\system32\wlnotify.dll File Size = 92672 File MD5 = a599e5e366c1408e48aa5d37882d4e3e
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy Filepath = C:\WINDOWS\system32\sclgntfy.dll File Size = 20992 File MD5 = d636fa41e50671160d838ea2dace3330
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn Filepath = C:\WINDOWS\system32\WlNotify.dll File Size = 92672 File MD5 = a599e5e366c1408e48aa5d37882d4e3e
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv Filepath = C:\WINDOWS\system32\wlnotify.dll File Size = 92672 File MD5 = a599e5e366c1408e48aa5d37882d4e3e
Subkey Name = Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon Filepath = C:\WINDOWS\system32\wlnotify.dll File Size = 92672 File MD5 = a599e5e366c1408e48aa5d37882d4e3e
##########################BROWSER ADD-ON DATA##########################
<HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar>
CLSID = {47833539-D0C5-4125-9FA8-0819E2EAAC93} FilePath = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll File Size = 147456 File MD5 = 44bcff08947790e74bd7cc7532d2b793 Description = 0
CLSID = {EF99BD32-C1FB-11D2-892F-0090271D4F88} FilePath = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll File Size = 292947 File MD5 = 15003f375140ffb2d2e0c5508857a2f1 Description = 0
<HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars>
CLSID = {182EC0BE-5110-49C8-A062-BEB1D02A220B} FilePath = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll File Size = 147456 File MD5 = 44bcff08947790e74bd7cc7532d2b793
CLSID = {4D5C8C25-D075-11d0-B416-00C04FB90376} FilePath = C:\WINDOWS\System32\shdocvw.dll File Size = 1483264 File MD5 = ae8ab1175327702d3a6f10dc122c254e
CLSID = {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} FilePath = C:\WINDOWS\System32\Shdocvw.dll File Size = 1483264 File MD5 = ae8ab1175327702d3a6f10dc122c254e
<HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars>
CLSID = {30D02401-6A81-11D0-8274-00C04FD5AE38} FilePath = C:\WINDOWS\System32\browseui.dll File Size = 1016832 File MD5 = 6eea72937f62376558bf8d693c296ab4
CLSID = {32683183-48a0-441b-a342-7c2a440a9478} FilePath = File Size = 0 File MD5 =
CLSID = {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} FilePath = C:\WINDOWS\system32\SHELL32.dll File Size = 8450048 File MD5 = 9833f278924d028414d7f89bfd4fc46b
CLSID = {EFA24E61-B078-11D0-89E4-00C04FC9E26E} FilePath = C:\WINDOWS\System32\shdocvw.dll File Size = 1483264 File MD5 = ae8ab1175327702d3a6f10dc122c254e
CLSID = {EFA24E64-B078-11D0-89E4-00C04FC9E26E} FilePath = C:\WINDOWS\System32\shdocvw.dll File Size = 1483264 File MD5 = ae8ab1175327702d3a6f10dc122c254e
<HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects>
CLSID = {02478D38-C3F9-4efb-9B51-7695ECA05670} FilePath = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll File Size = 292947 File MD5 = 15003f375140ffb2d2e0c5508857a2f1
CLSID = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} FilePath = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll File Size = 50376 File MD5 = 0c0e1b2bcaed8df401be94d538bcb412
CLSID = {53707962-6F74-2D53-2644-206D7942484F} FilePath = C:\PROGRA~1\SPYBOT~1\SDHelper.dll File Size = 744960 File MD5 = abf5ba518c6a5ed104496ff42d19ad88
CLSID = {AE7CD045-E861-484f-8273-0445EE161910} FilePath = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll File Size = 147456 File MD5 = 44bcff08947790e74bd7cc7532d2b793
<HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions>
CLSID = {08B0E5C0-4FCB-11CF-AAA5-00401C608501} FilePath = C:\WINDOWS\System32\msjava.dll File Size = 947472 File MD5 = e75aa32c6b79c846f5314ca4da92f29e
CLSID = {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} FilePath = File Size = 0 File MD5 =
CLSID = {FB5F1910-F110-11d2-BB9E-00C04F795683} FilePath = File Size = 0 File MD5 =
<HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions>
CLSID = CmdMapping FilePath = File Size = 0 File MD5 =
<HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks>
CLSID = {CFBFAE00-17A6-11D0-99CB-00C04FD64497} FilePath = C:\WINDOWS\System32\shdocvw.dll File Size = 1483264 File MD5 = ae8ab1175327702d3a6f10dc122c254e Description =
##########################LSP CHAIN DATA##########################
<HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WINSOCK2\PARAMETERS>
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 Filepath = C:\WINDOWS\system32\rsvpsp.dll File Size = 90112 File MD5 = 90491683abd587c702b16f181ab0d99d
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 Filepath = C:\WINDOWS\system32\rsvpsp.dll File Size = 90112 File MD5 = 90491683abd587c702b16f181ab0d99d
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
Sequence Num = SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 Filepath = C:\WINDOWS\system32\mswsock.dll File Size = 245248 File MD5 = 4e74af063c3271fbea20dd940cfd1184
##########################UNINSTALL DATA##########################
<HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL>
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 6 Personal DisplayName = Ad-aware 6 Personal
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe ActiveShare DisplayName = Adobe ActiveShare 1.2
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Photoshop 7.0.1 DisplayName = Adobe Photoshop 7.0.1 InstallLocation = C:\Program Files\Adobe\Photoshop 7.0
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\AdobeESD DisplayName = Adobe Download Manager 1.2 (Remove Only)
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\ASAPI Update DisplayName = ASAPI Update
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall DisplayName = AVG Free Edition
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Branding
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrix ICA Web Client DisplayName = Citrix ICA Web Client
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Corel WordPerfect Suite 8 DisplayName = Corel WordPerfect Suite 8
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\couponsandoffers.xml DisplayName = couponsandoffers
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\DAO 3.5 DisplayName = DAO 3.5
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\DP Editor 1.0 DisplayName = DP Editor Ver.1.0
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\EPSON Printer and Utilities DisplayName = EPSON Printer Software
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\expinst
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\FG_1.4 DisplayName = Jumpstart First Grade v1.4
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\GTW V.92 Voice Modem DisplayName = GTW V.92 Voice Modem
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis DisplayName = HijackThis 1.99.1
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\House Beautiful 3D Interior Designer DisplayName = House Beautiful 3D Interior Designer
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\hp instant support DisplayName = hp instant support
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\ICW
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\IEREADME
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{36EA01EE-12A5-44D3-8842-94E5CAF02629} DisplayName = Organizing & Labeling Design Software InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\InterActual Player DisplayName = InterActual Player
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB834707 DisplayName = Windows XP Hotfix - KB834707
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB867282 DisplayName = Windows XP Hotfix - KB867282
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB870669 DisplayName = Microsoft Data Access Components KB870669
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB873333 DisplayName = Windows XP Hotfix - KB873333
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB873339 DisplayName = Windows XP Hotfix - KB873339
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB884016
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB885250 DisplayName = Windows XP Hotfix - KB885250
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB885835 DisplayName = Windows XP Hotfix - KB885835
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB885836 DisplayName = Windows XP Hotfix - KB885836
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB885884 DisplayName = Windows XP Hotfix - KB885884
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB886185 DisplayName = Windows XP Hotfix - KB886185
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB887472 DisplayName = Windows XP Hotfix - KB887472
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB887742 DisplayName = Windows XP Hotfix - KB887742
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB888113 DisplayName = Windows XP Hotfix - KB888113
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB888302 DisplayName = Windows XP Hotfix - KB888302
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB890047 DisplayName = Windows XP Hotfix - KB890047
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB890175 DisplayName = Windows XP Hotfix - KB890175
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB890859 DisplayName = Windows XP Hotfix - KB890859
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB890923 DisplayName = Windows XP Hotfix - KB890923
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB891781 DisplayName = Windows XP Hotfix - KB891781
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB893066 DisplayName = Windows XP Hotfix - KB893066
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB893086 DisplayName = Windows XP Hotfix - KB893086
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\KB893803 DisplayName = Windows Installer 3.1 (KB893803)
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Leap Ahead Phonics Ages 4-7 DisplayName = Leap Ahead Phonics Ages 4-7
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg DisplayName = LiveReg (Symantec Corporation) InstallLocation = C:\Program Files\Common Files\Symantec Shared\LiveReg
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate DisplayName = LiveUpdate 2.5 (Symantec Corporation) InstallLocation = C:\Program Files\Symantec\LiveUpdate
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Macromedia Shockwave Player DisplayName = Macromedia Shockwave Player
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Interactive Training
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Press Interactive Training DisplayName = Microsoft Interactive Training
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla (1.6) DisplayName = Mozilla (1.6)
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (1.0.3) DisplayName = Mozilla Firefox (1.0.3) InstallLocation = C:\Program Files\Mozilla Firefox
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\NVIDIA DisplayName = NVIDIA Windows 2000/XP Display Drivers
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\OneTouch Version 3.0 DisplayName = OneTouch Version 3.0
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\PaperPort 7.02 DisplayName = PaperPort 7.02
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\PrintMaster Gold 3.00 DisplayName = PrintMaster Gold 3.00
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\PROSet DisplayName = Intel® PRO Network Adapters and Drivers
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Quicken Deluxe 99 DisplayName = Quicken Deluxe 99
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickTime DisplayName = QuickTime
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickTime32 DisplayName = QuickTime for Windows (32-bit)
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\RealPlayer 6.0 DisplayName = RealPlayer Basic
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\RSX2Uninst DisplayName = Intel RSX 3D
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave DisplayName = Shockwave
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1 DisplayName = Spybot - Search & Destroy 1.3
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract DisplayName = SpySubtract InstallLocation = c:\Program Files\InterMute\SpySubtract
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Tweak UI 2.10 DisplayName = Tweak UI
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\USB Driver Vers. 3.1 DisplayName = USB Driver Vers. 3.1
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer DisplayName = Viewpoint Media Player (Remove Only)
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Virtual Makeover DisplayName = Virtual Makeover
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\WebJet DisplayName = WebJet
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\WebPost DisplayName = Microsoft Web Publishing Wizard 1.52
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\websearch_cao.xml DisplayName = Web Search
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\WebWasher DisplayName = WebWasher
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows XP Service Pack DisplayName = Windows XP Service Pack 2
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\WinZip DisplayName = WinZip InstallLocation = C:\PROGRA~1\WINZIP\
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion DisplayName = Yahoo! Toolbar
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm DisplayName = ZoneAlarm
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{036AA4D4-6D32-11D4-9875-00105ACE7734} DisplayName = Logitech iTouch Software
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{08082022-2a50-4196-8196-a6f86d6e8f12}
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{2b02f822-a9b9-458c-80e5-3ea8c0de8471} DisplayName = QuickBooks Pro Edition 2004
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150010} DisplayName = J2SE Runtime Environment 5.0 Update 1 InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150020} DisplayName = J2SE Runtime Environment 5.0 Update 2 InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} DisplayName = WebFldrs XP InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{36EA01EE-12A5-44D3-8842-94E5CAF02629} DisplayName = Organizing & Labeling Design Software InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{3DD1FE66-5536-41E3-B786-70068887B3F4} DisplayName = The Print Shop 12
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{536F7C74-844B-4683-B0C5-EA39E19A6FE3} DisplayName = Microsoft AntiSpyware InstallLocation = C:\Program Files\Microsoft AntiSpyware\
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{561E3EDF-BB99-417D-87B1-952E7A46DB4B} DisplayName = American Tradition® Signature Colors™ Virtual Painter InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{5809E7CF-4DCF-11D4-9875-00105ACE7734} DisplayName = Logitech MouseWare 9.41 .2
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1} DisplayName = PowerDVD
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{84031A18-BA9A-4156-A74F-E05B52DDFCE2} DisplayName = DING! InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{854A5F01-D692-11D4-A984-009027EC0A9C}
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{91110409-6000-11D3-8CFE-0050048383C9} DisplayName = Microsoft Office XP Professional InstallLocation = INSTALLLOCATION
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{945E2519-C2B9-11D3-9D56-0060B0A4823E}
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{9984DF60-1C5B-11D3-ACA1-908A4FC10801} DisplayName = Intel Ultra ATA Storage Driver
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{A023A2D1-8BD3-4B3D-8077-CD9DDA489CB5} DisplayName = HP Photo and Imaging 2.0 - Photosmart Cameras InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-1033-0000-7760-000000000001} DisplayName = Adobe Acrobat 6.0 Professional InstallLocation = C:\Program Files\Adobe\Acrobat 6.0\
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7646-A00000000001} DisplayName = Adobe Reader 6.0.1 InstallLocation = C:\Program Files\Adobe\Acrobat 6.0\Reader\
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{B376402D-58EA-45EA-BD50-DD924EB67A70} DisplayName = HP Memories Disc InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{CD47EFC1-D692-11D4-A984-009027EC0A9C}
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{E2B5C27E-5937-4F44-84F8-0104D1FF1C0B} DisplayName = green label Calendars
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{EE5B8E34-973C-4FBE-AC83-99F064009FC7} DisplayName = SpyHunter InstallLocation = C:\Program Files\Enigma Software Group\SpyHunter
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0A37341-D692-11D4-A984-009027EC0A9C} DisplayName = SoundMAX
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{F8D0829C-9C6F-11D3-8080-00C04FA329AA} DisplayName = Microsoft Works 6.0 InstallLocation =
Subkey Name = Software\Microsoft\Windows\CurrentVersion\Uninstall\{FB10FE1A-9906-44A1-B8AB-B70B19FEAB58} DisplayName = Microsoft Picture It! Express 2001 InstallLocation = INSTALLDIR









Logfile of HijackThis v1.99.1
Scan saved at 6:07:42 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello and welcome to GTG

If you’re still looking to resolve this issue, please run through the steps outlined in this Topic

If that doesn’t cure your problem, please post back a fresh HijackThis log when done.

If, however, you have resolved this issue please let us know.
  • 0

#3
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Morning,
I went through everything you suggested and unfortunately it didn't get rid of my problem. Here's my new Hijackthis log (and I appreciate all of your help) :

Logfile of HijackThis v1.99.1
Scan saved at 9:47:10 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WebJet.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17....ex/HMAtchmt.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again CWC

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and choose shutdown Microsoft Antispyware

Please do the same for SpySubtract for the same reason. I am not familiar with the programme, but there will be an option to unload it from the startup.

Also note, that having two antispyware programmes running in real time is not good. I strongly suggest that you only have one running in real time and that you use the other for “on-demand” scans.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Hoster

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE
O4 - Global Startup: WebJet.lnk = ?
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Coupons and Offers (Websearch)

Please notify me of any other programmes that you don’t recognise in that list in your next response

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Alset\
C:\Program Files\websearch\

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and I will take another look.
  • 0

#5
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Phil,
I'm still having problems. I didn't get through all of your instructions like I should have. I think I did okay until I got down to:
"Please re-open HiJackThis and scan. Check the boxes next to all the entries
listed below."
When I got to "Fix Checked," this is what I got: "Unexpected error occurred. Error #52 (Bad file name or number) in Sub GetlongPath (?,exe)."
Then when I tried to reboot in safe mode, I couldn't figure it out. Other than Hard Drive, my options were: Removable Dev., ATAP1 CD-Rom and IBA 4.0.19 Slot 0208.
Then I made an attempt at the rest of the instructions but am not sure what happened. When I tried to get into a website on Firefox, I noticed across the bottom of the screen that ATMDT is still there.
I appreciate any and all help you can give me. Thanks!
Carolyn





Logfile of HijackThis v1.99.1
Scan saved at 12:13:44 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Documents and Settings\Owner\Desktop\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WebJet.lnk = ?
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17....ex/HMAtchmt.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Carolyn

I am having trouble understanding this.

The safe mode step is normally very simple, but having seen someone recently having to resort to drastic measures, I am unwilling to give further instructions on an alternative method.

It sounds to me like you have something very wrong with your operating system and I think that should be the focus of your attention.

Since you've had this "Unexpected error occurred. Error #52 (Bad file name or number) in Sub GetlongPath (?,exe).", when attempting to run HJT, I thought it might be worth just checking over your system files. You'll be glad to hear that there is an automated way in which to do this.

Here's what you do to run the system file checker. Open a command prompt (Start -> Run - type CMD and hit enter). Type in SFC /SCANNOW (note the space after SFC) and hit enter. You'll need your XP disc handy.

This will check all your system files and replace any which are different from the original Microsoft versions.
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Carolyn

Following some chats with colleagues about this error message, we believe we can move forward by adjusting the fix slightly, which is below.

Also, the screen you describe on attempting to go into safe mode sounds like the opening page of the BIOS, basic input and output system. For that reason, I am going to give you further instructions on entering safe mode in another way. We choose safe mode because only basic drivers load up, but it may be possible to effect the fix without it, but it becomes more complex.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and choose shutdown Microsoft Antispyware

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode. If this method fails, please refer to this link safe Mode

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Coupons and Offers (Websearch)

Please notify me of any other programmes that you don’t recognise in that list in your next response

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Alset\
C:\Program Files\websearch\

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and I will take another look.
  • 0

#8
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Phil
I think I messed everything up again. Before I got your message, I went ahead and completely restored my hard drive with my restore disks. It seems to be working better but I still see the ATDMT or ATDMT (can't remember how it's spelled). Anyway, here's my latest Hijackthis log. Thanks so much. - Carolyn

Logfile of HijackThis v1.99.1
Scan saved at 1:16:10 AM, on 5/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HiJackThis\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Carolyn

I am sorry that you felt it was necessary to do a system restore, however, now that you have there are some things that you must do.

You must get protected by visiting the windows update site and downloading the security patches as advised. But looking at you HJT log, there are just two items which are unusual.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

The 014 setting is resetting your internet explorer to the R1 site.

I really don't know what ATDMT is, and I was looking forward to finding out.

I'll leave the thread open to give you a chance to download the security patches and post a fresh HJT log afterwards.
  • 0

#10
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Phil,
Couldyou Please leave this post open until next weekend? I'm going out of town in about an hour but I want to make the necessary adjustments and then run a Hijackthis and send it to you. Oh, and I've still got that [bleep] doubleclick! Thanks for all the time you put into this, and I'll e-mail you when I get back if the post is still open. Thanks again :tazz:
Carolyn
  • 0

Advertisements


#11
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Phil,
this is my current hijack this log. Do you see any problems? Thanks - Carolyn



Logfile of HijackThis v1.99.1
Scan saved at 10:35:42 PM, on 5/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\DOCUMENTS AND SETTINGS\C CAMPBELL\DESKTOP\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Carolyn

There is nothing malicious in your log, however, my previous advice is the same:

You must get protected by visiting the windows update site and downloading the security patches as advised. Without them you will be infected within minutes of surfing.

Looking at you HJT log, there are just two items which are unusual.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

I would run HijackThis again, close all other programmes, put a check mark next to those two items and click on Fix Checked, and then reboot.

Post a fresh HJT log and I'll take another look.
  • 0

#13
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Phil,
I think I did everything you suggested. Here's my latest log:


Logfile of HijackThis v1.99.1
Scan saved at 9:52:09 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\C Campbell\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • 0

#14
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Congratulations! your new log is so clean, you could eat your dinner off it. :tazz: Just a little bit more to do to prevent further infection.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

Happy safe surfing Carolyn!
  • 0

#15
CWC

CWC

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Phil.
I can't thank you enough. You have no idea how helpful you were!! Being the novice that I am, I wouldn't have gotten anywhere without your help. Thanks again - Carolyn
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP