
Here is my HJT Log File [RESOLVED]


  • This topic is locked

#1 gUzAnO
Member, 78 posts
Please PLEASE HELP ME GET RID OF THIS NASTY SPYWARE!! I'm so pissed off!! I was just looking for a crack at a site called "www.mscracks.something" and it started, I get the Spyware Sheriff, my desktop got blue with a message in the middle of it that said: "SYSTEM STOPPED system has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use computer before all spyware removed." Also I can't change my desktop background, nor can I activate the Task Manager (it says that it has been disabled by an administrator) and I'm going CRAZY with the "EXPLORER.EXE has detected an error and has to shut down" message.. and when I hit Don't Send or Send (no matter what) it restarts again and again and again, and over and over again... please HELP MEE!! I'm desperate

gUzAnO ;)

Thanks for further help...

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 22:57:02, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
c:\windows\system32\okvelxo.exe
C:\Documents and Settings\gUzAnO\Internet Optimizer\optimize.exe
C:\Archivos de programa\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\Archivos de programa\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\msxct.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\5tcckj5k.exe
C:\Archivos de programa\csta\ssul.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\imapi.exe
D:\Guz\hijackthis\HijackThis.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Archivos de programa\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A811A0F5-006D-540C-EE69-12E198A5EE14} - C:\WINDOWS\cdmagent\kohwtcllql.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolber.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolber.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Archivos de programa\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [vvxjir] c:\windows\system32\okvelxo.exe r
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Archivos de programa\SurfSideKick 3\Ssk.exe
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118531826405
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4600
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have downloaded the Ewido suite, CWShredder, SpySubtract PRO 3.0, Ad-aware SE Edition and SpywareBlaster; I have also downloaded Kaspersky AV and ZoneAlarm PRO.

Edited by gUzAnO, 15 June 2005 - 09:42 AM.

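Added here as an illustration, not part of the original thread: a small Python triage script that applies a few defender-side heuristics to the kinds of entries in the log above (a Shell= line that loads more than Explorer.exe, svchost.exe running or registered as a service from outside System32, Trusted Zone / Trusted IP range additions, browser add-ons with no name or a missing file, and a Run entry that re-registers a DLL through Rundll32). The rules and function names are my own choice, not HijackThis functionality; the sample lines are copied from the posted log, with two clean lines kept for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted above, including
# two benign entries (Acrobat BHO, ZoneAlarm service) that must not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\vxgame4.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    rule: str
    entry: str


# On Windows XP the only legitimate service host binary lives in System32.
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"
# HijackThis entries look like "<section> - <text>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Heuristic: a Run entry that calls DllRegisterServer on every boot keeps a
# COM object (BHO/toolbar) registered even after it has been unregistered.
RUNDLL_REG_RE = re.compile(r"rundll32(?:\.exe)?\b.*dllregisterserver", re.IGNORECASE)
SUSPECT_MARKERS = ("(no name)", "(no file)", "(file missing)")


def _is_rogue_svchost(path: str) -> bool:
    """True for any file called svchost.exe that is not the System32 one."""
    p = path.strip().lower()
    return p.rsplit("\\", 1)[-1] == "svchost.exe" and p != LEGIT_SVCHOST


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the heuristics above."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if _is_rogue_svchost(line):
                findings.append(Finding("svchost.exe outside System32", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "F2" and "Shell=" in rest:
            # system.ini Shell= should name Explorer.exe and nothing else
            extra = [t for t in rest.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("Shell= loads more than Explorer.exe", line))
        elif section == "O15":
            findings.append(Finding("Trusted Zone / Trusted IP range entry", line))
        elif section in ("R3", "O2", "O3") and any(mk in rest for mk in SUSPECT_MARKERS):
            findings.append(Finding("browser add-on with no name or missing file", line))
        elif section == "O4" and RUNDLL_REG_RE.search(rest):
            findings.append(Finding("Run entry re-registers a DLL via Rundll32", line))
        elif section == "O23" and _is_rogue_svchost(rest.rsplit(" - ", 1)[-1]):
            findings.append(Finding("svchost.exe outside System32", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule so a helper can see the shape of the infection at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.entry}")
    print(summarize(hits))
```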



#2 gUzAnO
Topic Starter, Member, 78 posts
I've cleaned a couple of files.. here are my HJT and my ewido reports, run in SAFE MODE...

---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 00:34:59, 15/06/2005
+ Report-Checksum: 674C0267

+ Fecha de la base de datos: 15/06/2005
+ Versión del scanner: v3.0

+ Duración: 34 min
+ Archivos explorados: 63341
+ Velocidad: 30.70 Archivos/Segundo
+ Archivos infectados: 88
+ Archivos eliminados: 88
+ Archivos puestos en cuarentena: 88
+ Archivos que no se han podido abrir: 0
+ Archivos que no se han podido limpiar: 0

+ Carpeta: Si
+ Encriptar: Si
+ Archivos: Si

+ Items explorados:
C:\
D:\

+ Resultados de la exploración:
C:\Archivos de programa\BullsEye Network\bin\adv.exe -> Spyware.BargainBuddy.n -> Limpio con backup
C:\Archivos de programa\BullsEye Network\bin\adx.exe -> Spyware.BargainBuddy.n -> Limpio con backup
C:\Archivos de programa\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide -> Limpio con backup
C:\Archivos de programa\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\856F41E3\aurora[1].exe -> Spyware.BetterInternet.c -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\SDIJSL27\DrPMon[1].dll -> Trojan.Agent.db -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\SDIJSL27\Poller[1].exe -> Spyware.BetterInternet -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\STE3SX23\nem220[1].dll -> TrojanDownloader.Dyfuca -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\STE3SX23\sploit[1].anr -> TrojanDownloader.Ani.c -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\STE3SX23\stat[1].htm -> TrojanDownloader.Agent.e -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\1.qtdfmp -> TrojanDownloader.Small.aue -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Renos.a -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\5.qtdfmp -> TrojanDownloader.Small.ayc -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\6.qtdfmp -> TrojanDownloader.Small.aux -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\7.qtdfmp -> TrojanDownloader.Small.atl -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\maxdd.game -> Dialer.Generic -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\nstE.EXE -> Spyware.SmartPops -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\umqltg4cl_.exe -> Spyware.SAHA -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\vx1.game -> TrojanProxy.Small.bk -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\vx2.game -> Backdoor.Agent.iw -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\vx3.game -> TrojanDownloader.Agent.ho -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\vx4.game -> Spyware.Hijacker.Generic -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\vxt1.game -> TrojanDownloader.Small.aqt -> Limpio con backup
C:\Documents and Settings\gUzAnO\Configuración local\Temp\vxt2.game -> Trojan.LowZones.y -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@advertising[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@atdmt[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@burstnet[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@com[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@counter.hitslink[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@counter3.sextracker[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@fastclick[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@gamecenter.speedbit[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@linksynergy[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@servedby.netshelter[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@sextracker[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@speedbit[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@spylog[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@www.shopathomeselect[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\gUzAnO\Cookies\guzano@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\92Q8NP7H\loadppc[1].exe -> Spyware.Zbar -> Limpio con backup
C:\Documents and Settings\Victor\Cookies\victor@fastclick[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\WINDOWS\cdmagent\kohwtcllql.exe -> Spyware.SmartPops -> Limpio con backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets -> Limpio con backup
C:\WINDOWS\exdl.exe -> Spyware.BargainBuddy.q -> Limpio con backup
C:\WINDOWS\igfrerlk.exe -> Spyware.SAHA -> Limpio con backup
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Limpio con backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Limpio con backup
C:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.dk -> Limpio con backup
C:\WINDOWS\shop1003.exe -> Spyware.Sahat.m -> Limpio con backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn -> Limpio con backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw -> Limpio con backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw -> Limpio con backup
C:\WINDOWS\system\svchosthook.dll -> Backdoor.Agent.iw -> Limpio con backup
C:\WINDOWS\system32\1c3bq9qp.exe -> Spyware.SAHA -> Limpio con backup
C:\WINDOWS\system32\bbchk.exe -> Spyware.Bargainbuddy -> Limpio con backup
C:\WINDOWS\system32\exclean.exe -> Spyware.BargainBuddy -> Limpio con backup
C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy.q -> Limpio con backup
C:\WINDOWS\system32\exdl0.exe -> Spyware.BargainBuddy.q -> Limpio con backup
C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy.q -> Limpio con backup
C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy -> Limpio con backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho -> Limpio con backup
C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy -> Limpio con backup
C:\WINDOWS\system32\maxd.exe -> Dialer.Generic -> Limpio con backup
C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy.q -> Limpio con backup
C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy.n -> Limpio con backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanProxy.Small.bk -> Limpio con backup
C:\WINDOWS\system32\vxgame2.exe -> Backdoor.Agent.iw -> Limpio con backup
C:\WINDOWS\system32\vxgamet1.exe -> TrojanDownloader.Small.aqt -> Limpio con backup
C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDownloader.Small.aue -> Limpio con backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.aux -> Limpio con backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl -> Limpio con backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Small.aue -> Limpio con backup
C:\WINDOWS\thin-114-1-x-x.exe -> Spyware.BetterInternet -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050416-141636-826.dll -> Spyware.MyWebSearch -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050416-141637-102.dll -> Spyware.WinAD.ad -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050512-150600-285.dll -> Dialer.Generic -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050604-173158-916.dll -> Spyware.SideFind -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050604-173235-539.dll -> Spyware.BargainBuddy.n -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050614-225901-248.dll -> Spyware.SmartPops -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050614-225902-783.dll -> Spyware.Zbar -> Limpio con backup
D:\Guz\hijackthis\backups\backup-20050614-225906-777.dll -> Spyware.MediaTickets -> Limpio con backup


Subtract Report

--------------------------------- SpySubtract session started ---------------------------------
Machine=WORMS-FRX0MJ2EJ
Time=Tue Jun 14 23:38:14 2005
Product Version=3, 0, 0, 29
OS Version=Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Started Scanning
Programs in Memory
Programs in Memory: Found 'optimize.exe' in 'C:\Documents and Settings\gUzAnO\Internet Optimizer'
Programs in Memory: Found 'bargains.exe' in 'C:\Archivos de programa\BullsEye Network\bin'
Finished Scanning
IE Plugins: Found '{F4E04583-354E-4076-BE7D-ED6A80FD66DA}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found 'CLSID' in 'SOFTWARE\Microsoft\Internet Explorer\Toolbar'
IE Plugins: Found '{02EE5B04-F144-47BB-83FB-A60BD91B74A9}' in 'Software\Microsoft\Internet Explorer\URLSearchHooks'
Web Browser Security Settings: Found 'WarnOnZoneCrossing' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Web Browser Security Settings: Found 'Download with DAP' in 'Software\Microsoft\Internet Explorer\MenuExt\&Download with &DAP'
Web Browser Security Settings: Found 'Download all with DAP' in 'Software\Microsoft\Internet Explorer\MenuExt\Download &all with DAP'
Web Browser Security Settings: Found 'Exportar a Microsoft Excel' in 'Software\Microsoft\Internet Explorer\MenuExt\E&xportar a Microsoft Excel'
Windows Policy Settings: Found 'restrictanonymous' in 'SYSTEM\CurrentControlSet\Control\Lsa'
Windows Policy Settings: Found 'forceunlocklogon' in 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Windows Policy Settings: Found 'AUOptions' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
Services: Found 'ATI Smart' in ''
Services: Found 'ewido security suite control' in ''
Services: Found 'ewido security suite guard' in ''
Services: Found 'kavsvc' in ''
Windows Shell Settings: Found '{54D9498B-CF93-414F-8984-8CE7FDE0D391}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
Windows Shell Settings: Found 'ewido' in 'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ewido'
Windows Shell Settings: Found 'Kaspersky Anti-Virus' in 'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Kaspersky Anti-Virus'
Windows Shell Settings: Found 'Kaspersky Anti-Virus' in 'SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus'
Windows Shell Settings: Found '{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found 'AppData' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Desktop' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Favorites' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'NetHood' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Personal' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'PrintHood' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Start Menu' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Templates' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Programs' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Startup' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Local Settings' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Local AppData' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Cache' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'History' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'My Pictures' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'My Music' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Administrative Tools' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'CD Burning' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'My Video' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'AppData' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Desktop' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Favorites' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'NetHood' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Personal' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'PrintHood' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Programs' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Start Menu' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Startup' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Templates' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'My Pictures' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Local Settings' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Local AppData' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Cache' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'History' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common AppData' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Programs' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Documents' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Desktop' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Start Menu' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'CommonPictures' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'CommonMusic' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'CommonVideo' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Favorites' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Startup' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Administrative Tools' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Templates' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Personal' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Windows Shell Settings: Found 'Common Desktop' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common Start Menu' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common Programs' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common Startup' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common AppData' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common Templates' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common Favorites' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Windows Shell Settings: Found 'Common Documents' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Program Startup Areas: Found 'Zone Labs Client' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Scanning is stopping...
--------------------------------- SpySubtract session started ---------------------------------
Machine=WORMS-FRX0MJ2EJ
Time=Tue Jun 14 23:59:35 2005
Product Version=3, 0, 0, 29
OS Version=Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Started Scanning
CoolWebSearch Variants (CWShredder)
CoolWebSearch Variants (CWShredder): Found 'CWS.MSConfig' in ''
Finished Scanning
Started Scanning
CoolWebSearch Variants (CWShredder)
CoolWebSearch Variants (CWShredder): Found 'CWS.MSConfig' in ''
Finished Scanning
Started Scanning
Internet Cookies
Internet Cookies: Found '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'ads.pointroll.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'atdmt.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'atwola.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'belnk.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'bluestreak.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'burstnet.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'casalemedia.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'imrworldwide.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'com.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'counter.hitslink.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'dist.belnk.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'fastclick.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'impresionesweb.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'linksynergy.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'maxserving.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'mediaplex.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'revenue.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'servedby.advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'sextracker.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'spylog.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'statcounter.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'tribalfusion.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'www.shopathomeselect.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'xxxtoolbar.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'z1.adserver.com' in 'Internet Explorer Cache'
CoolWebSearch Variants (CWShredder)
CoolWebSearch Variants (CWShredder): Found 'CWS.MSConfig' in ''
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator'
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator\ADS'
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator\ADS\Default'
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger'
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger\Always'
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger\WhenFound'
Windows Registry: Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger\WhenNotFound'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\InprocServer32'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\ProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\VersionIndependentProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}\InprocServer32'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}\ProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}\VersionIndependentProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{9738B9E6-8AFA-11D2-959E-444553540002}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{9738B9E6-8AFA-11D2-959E-444553540002}\InProcServer32'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{9738B9E6-8AFA-11D2-959E-444553540002}\ProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPIE.Catcher.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPIE.Catcher\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE\CurVer'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPNS.Protocol.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\DAPNS.Protocol.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0\0\win32'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0\FLAGS'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0\HELPDIR'
Windows Registry: Found '' in 'SOFTWARE\SpeedBit\Download Accelerator\Updates'
Windows Registry: Found '' in 'SOFTWARE\Bargains'
Windows Registry: Found '' in 'SOFTWARE\Classes\DyFuCA_BH.BHObj.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}\1.0\0\win32'
Windows Registry: Found '' in 'S-1-5-21-299502267-1292428093-1801674531-1003\SOFTWARE\Avenue Media'
Windows Registry: Found '' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found '' in 'SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper'
Windows Registry: Found '' in 'SOFTWARE\Classes\DyFuCA_BH.BHObj'
Windows Registry: Found '' in 'SOFTWARE\Classes\DyFuCA_BH.BHObj.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}\1.0'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}\1.0\FLAGS'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}\1.0\HELPDIR'
Windows Registry: Found '403' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found '404' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found '410' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found '500' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'CLS' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'ID' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'InstallT' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'PendingRemoval' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'RID' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'ServerVisited' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'TAC' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'TargetDir' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'UpdateInterval' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'Version' in 'SOFTWARE\Avenue Media\Internet Optimizer'
Windows Registry: Found 'ModuleFileName' in 'SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper'
Windows Registry: Found 'Options' in 'SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper'
Windows Registry: Found 'Version' in 'SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper'
Windows Registry: Found 'DisplayIcon' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer'
Windows Registry: Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer'
Windows Registry: Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer'
Windows Registry: Found '' in 'SOFTWARE\eXactUtil'
Windows Registry: Found '' in 'SOFTWARE\Classes\ADP.UrlCatcher'
Windows Registry: Found '' in 'SOFTWARE\Classes\ADP.UrlCatcher.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\ADP.UrlCatcher.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ADP.UrlCatcher\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\VersionIndependentProgID'
Windows Registry: Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'DisplayIcon' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'DisplayVersion' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'NoModify' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'NoRepair' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'Publisher' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found 'URLInfoAbout' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\0\win32'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\FLAGS'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\HELPDIR'
Windows Registry: Found '' in 'SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick'
Windows Registry: Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick'
Windows Registry: Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\0'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\Programmable'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.StockBar\CurVer'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.StockBar\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.StockBar.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.StockBar.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.StockBar'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.ParamWr\CurVer'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.ParamWr\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.ParamWr.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.ParamWr.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.ParamWr'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.activator\CurVer'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.activator\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.activator.1\CLSID'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.activator.1'
Windows Registry: Found '' in 'SOFTWARE\Classes\ZToolbar.activator'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\HELPDIR'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\FLAGS'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\0\win32'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\0'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0'
Windows Registry: Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid'
Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\VersionIndependentProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\Version'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\ToolboxBitmap32'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\Programmable'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\ProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\MiscStatus\1'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\MiscStatus'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\InprocServer32'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\Control'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\VersionIndependentProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\TypeLib'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\Programmable'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\ProgID'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\InprocServer32'
Internet URL Shortcuts
Files and Directories
Files and Directories: Found '' in 'C:\Archivos de programa\BullsEye Network'
Files and Directories: Found '' in 'C:\Archivos de programa\BullsEye Network\bin'
Files and Directories: Found 'adv.exe' in 'C:\Archivos de programa\BullsEye Network\bin'
Files and Directories: Found 'adx.exe' in 'C:\Archivos de programa\BullsEye Network\bin'
Files and Directories: Found 'nem220[1].dll' in 'C:\Documents and Settings\gUzAnO\Configuración local\Archivos temporales de Internet\Content.IE5\STE3SX23'
Files and Directories: Found 'optimize.exe' in 'C:\WINDOWS'
Files and Directories: Found 'bbchk.exe' in 'C:\WINDOWS\system32'
Files and Directories: Found 'exul.exe' in 'C:\WINDOWS\system32'
Files and Directories: Found 'javexulm.vxd' in 'C:\WINDOWS\system32'
Files and Directories: Found 'Drweb32.dll' in 'D:\Archivos de programa\Ahead\Nero'
Files and Directories: Found 'DRWEBASE.VDB' in 'D:\Archivos de programa\Ahead\Nero'
Files and Directories: Found 'backup-20050416-141636-826.dll' in 'D:\Guz\hijackthis\backups'
Finished Scanning

HJT report

Logfile of HijackThis v1.99.1
Scan saved at 23:54:36, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\dwwin.exe
D:\Guz\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O4 - Global Startup: SpySubtract.lnk = D:\Archivos de programa\InterMute\Nueva carpeta\SpySub.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118531826405
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ad-Aware Report


Ad-Aware SE Build 1.06r1
Logfile Created on:Miércoles, 15 de Junio de 2005 11:13:58
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BargainBuddy(TAC index:8):25 total references
DyFuCA(TAC index:3):5 total references
MRU List(TAC index:0):28 total references
SahAgent(TAC index:9):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


15-06-2005 11:13:58 - Scan started. (ADS scan)
Performing deep Scan and listing Alternate Data Streams...


Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SahAgent Object Recognized!
Type : File
Data : A0013097.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 4, 0, 2, 3
ProductVersion : 4, 0, 2, 3


BargainBuddy Object Recognized!
Type : File
Data : A0013106.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adv
CompanyName : eXact Advertising
InternalName : adv
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adv.exe


BargainBuddy Object Recognized!
Type : File
Data : A0013107.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adx
CompanyName : eXact Advertising
InternalName : adx
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adx.exe


BargainBuddy Object Recognized!
Type : File
Data : A0013111.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe


SahAgent Object Recognized!
Type : File
Data : A0013112.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 4, 0, 2, 3
ProductVersion : 4, 0, 2, 3


DyFuCA Object Recognized!
Type : File
Data : A0013115.exe
TAC Rating : 3
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\



BargainBuddy Object Recognized!
Type : File
Data : A0013124.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe


BargainBuddy Object Recognized!
Type : File
Data : A0013125.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe


BargainBuddy Object Recognized!
Type : File
Data : A0013126.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP73\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe


BargainBuddy Object Recognized!
Type : File
Data : A0013127.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAA

Edited by gUzAnO, 15 June 2005 - 09:43 AM.

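A defender's triage pass over entries like those in the HJT report above, as an added example (not code from the thread or from HijackThis itself): it parses lines in the HijackThis 1.99 format and flags the F2 Shell= entry that starts a second program next to Explorer.exe, O23 services with no publisher or a missing binary, a Windows binary name such as svchost.exe registered outside System32, and a BHO whose DLL is gone. The sample lines are constructed from the entries in this post; the section names and the checks are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries in HijackThis 1.99 format modelled on the log
# posted in this thread (a handful of lines, not the whole report).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Names of core Windows binaries; a service pointing at one of these outside
# System32 is a name masquerade, not the real file.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "F2", "O23"
    reason: str    # why the entry deserves a look
    line: str      # the original log line


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Apply the defender's checks to one HJT line; None means nothing notable."""
    line = line.strip()
    m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    if section == "F2" and "Shell=" in body:
        # system.ini Shell= should name Explorer.exe and nothing else; any extra
        # token is a second program started at every logon.
        extras = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
        if extras:
            return Finding(section, "extra program in Shell= (%s)" % " ".join(extras), line)

    if section == "O23":
        # Layout: Service: <display name> - <publisher> - <image path> [(file missing)]
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3:
            owner, path = parts[-2], parts[-1]
            missing = path.endswith(MISSING)
            if missing:
                path = path[: -len(MISSING)].strip()
            reasons = []
            if owner == "Unknown owner":
                reasons.append("no publisher")
            if missing:
                reasons.append("binary missing")
            if _basename(path) in SYSTEM_NAMES and "\\system32\\" not in path.lower():
                reasons.append("%s outside System32" % _basename(path))
            if reasons:
                return Finding(section, ", ".join(reasons), line)

    if section == "O2" and body.endswith(MISSING):
        # A BHO registration whose DLL is gone does nothing now, but the stale
        # registry key should still be removed.
        return Finding(section, "BHO registered but DLL missing", line)
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-4s %-45s %s" % (f.section, f.reason, f.line))
```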

#3 gUzAnO (Member, Topic Starter, 78 posts)
Here's my deskpol file (I'm searching for everything similar in other threads, so I'm just going by that, but not removing anything until someone says what's safe to remove and how)

Desktop Policies

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\desktop.html"
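What the exported policies above actually do, as an added example that is not part of the thread: a small parser for the .reg export format that reads the three Policies keys and maps the values to the symptoms described in the first post (Task Manager "disabled by an administrator", a desktop background that cannot be changed). The sample is constructed to match the export above; the explanations are the example's own.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[int, str]

# Constructed sample in "Windows Registry Editor Version 5.00" export format,
# shaped like the Desktop Policies export posted above.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\desktop.html"
"""

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a .reg export into {key path: {value name: value}} (dword and string values only)."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, hexval, strval = m.groups()
        if hexval is not None:
            keys[current][name] = int(hexval, 16)
        else:
            # .reg files escape each backslash in a string value as "\\"
            keys[current][name] = strval.replace("\\\\", "\\")
    return keys


def check_desktop_lockdown(keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str]]:
    """Map policy values to the symptoms reported in this thread; returns (value, explanation)."""
    system = keys.get(POLICY_ROOT + r"\System", {})
    explorer = keys.get(POLICY_ROOT + r"\Explorer", {})
    desktop = keys.get(POLICY_ROOT + r"\ActiveDesktop", {})
    findings: List[Tuple[str, str]] = []

    if system.get("DisableTaskMgr") == 1:
        findings.append(("System\\DisableTaskMgr",
                         "Task Manager reports 'disabled by your administrator'; a home PC has no reason to set this"))
    wallpaper = system.get("Wallpaper")
    if isinstance(wallpaper, str) and wallpaper.lower().endswith((".htm", ".html")):
        # A policy-enforced wallpaper cannot be changed from Display Properties,
        # and an HTML file lets it carry the fake 'SYSTEM STOPPED' warning text.
        findings.append(("System\\Wallpaper", "policy-enforced HTML wallpaper: " + wallpaper))
    if explorer.get("ForceActiveDesktopOn") == 1:
        findings.append(("Explorer\\ForceActiveDesktopOn", "Active Desktop forced on so the HTML wallpaper renders"))
    if desktop.get("NoChangingWallpaper") == 1:
        findings.append(("ActiveDesktop\\NoChangingWallpaper", "wallpaper change blocked outright"))
    # Not flagged: NoDriveTypeAutoRun=0x91 is the stock Windows XP setting.
    return findings


if __name__ == "__main__":
    for value, why in check_desktop_lockdown(parse_reg(SAMPLE_REG)):
        print("%-34s %s" % (value, why))
```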

#4 gUzAnO (Member, Topic Starter, 78 posts)
I ran a Panda Online Scan and these were the results


Incident Status Location

Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/ILookup No disinfected C:\Documents and Settings\gUzAnO\Favoritos\Gambling
Adware:Adware/TopConvert No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\DrTemp
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolbar.bmp
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
Adware:Adware/Novo No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Archivos de programa\SurfSideKick 3\SskCore.dll
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\gUzAnO\Configuración local\Temp\A~NSISu_.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\gUzAnO\Configuración local\Temp\i6.tmp
Adware:Adware/Transponder No disinfected C:\WINDOWS\cnebzuw.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\kernels32.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vx.tll
Possible Virus. No disinfected C:\WINDOWS\system32\web.exe
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.bmp
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.xml
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe
Adware:Adware/FunWeb No disinfected D:\Guz\hijackthis\backups\backup-20050416-141637-899.inf
Adware:Adware/Lop No disinfected D:\Guz\hijackthis\backups\backup-20050512-084750-588.dll
Adware:Adware/Lop No disinfected D:\Guz\hijackthis\backups\backup-20050512-150600-452.dll
Adware:Adware/MediaTickets No disinfected D:\Guz\hijackthis\backups\backup-20050614-225906-777
Adware:Adware/MediaTickets No disinfected D:\Guz\hijackthis\backups\backup-20050614-225906-777.inf
I hope I'm not such a pain... :tazz: it's that I'm DESPERATELY in need of help... I just wanted to burn an image ;)

Regards, gUz

#5 gUzAnO (Member, Topic Starter, 78 posts)
Well... here's my HJT log after nail.exe was "removed" (hope so). BTW, I forgot to mention that 2 files were such a pain in the [bleep], because I was running Kaspersky and they kept coming up, both of them, and it said that I cannot remove them, so I wrote them down. Also, when I get into safe mode it says something like... "Press Esc to cancel d347bus.sys" (or something like that), and I have 88 files in ewido's quarantine vault. The 2 files are (were):

C:\WINDOWS\system32\thn32.dll and the other one I don't have the full path for, but it's called okvelxo.exe or something like that. Nor can I load any image onto Daemon Tools due to a "kernel(s) error" :S Well, on to the HJT log file... hope someone helps me ;) :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 17:45:38, on 15/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Guz\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118531826405
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by gUzAnO, 16 June 2005 - 12:01 AM.


#6 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
How about staying away from the warez sites and maybe that will help keep your system cleaner than it is?... :tazz:

I need you to post a new HiJackThis log into this topic in normal mode this time. Please do not start any more topics.

#7 gUzAnO (Member, Topic Starter, 78 posts)
First of all, thanks for attending to my post. I won't start a new one; I apologize for being so "rude". Now that the cavalry is here I will do as I'm asked :tazz: Here's my brand new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:21:29, on 16/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\imapi.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Guz\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118531826405
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BTW, my system is in Spanish, so... do I have to translate the log for you or just leave it like that?

PS: As I'm at college I have to attend class, so for now I won't be able to respond or do anything until I'm back (that means about 6 or 7 hours from now). BTW, my arrow keys stopped functioning, any clue on that?

Regards, G.

Edited by gUzAnO, 16 June 2005 - 01:26 PM.


#8
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
No need to translate, I can read it fine ;)

I'll be back as soon as possible! :tazz:

#9
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
That's fine, just respond whenever you get a chance, I will have your fix posted when you get back :tazz:

I don't have any idea about the arrow keys not working, sounds like a hardware issue that I can't help with.

#10
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)

O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Close HiJackThis.

Delete the following, in bold, if found:

C:\Windows\Desktop.html <-This is the file used as your background!
C:\Archivos de programa\SpySheriff <-whole folder
C:\Documents and Settings\gUzAnO\Favoritos\Gambling <-Whole folder
C:\Documents and settings\gUzAnO\CONFIG~1\Temp\DrTemp <-Whole folder

Copy everything inside the quote box below (starting with REGEDIT4). Paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixspy.reg on your desktop. *Make sure there is NO blank line above REGEDIT4

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-
"DisableTaskMgr"=-

Double-click fixspy.reg on your desktop. When asked if you want to merge with the registry, click YES. After the "merged successfully" prompt, continue with the rest of the instructions below.

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\winstall.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\ztoolbar.bmp
C:\WINDOWS\System32\vx.tll
C:\Archivos de programa\SurfSideKick 3\SskCore.dll
C:\Documents and Settings\gUzAnO\Configuración local\Temp\A~NSISu_.exe
C:\Documents and Settings\gUzAnO\Configuración local\Temp\i6.tmp
C:\WINDOWS\cnebzuw.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\ztoolbar.bmp
C:\WINDOWS\system32\ztoolbar.xml
C:\WINDOWS\weirdontheweb_topc.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, you should be able to change your background. Post a new HiJackThis log.

Edited by bananafanafo, 16 June 2005 - 01:45 PM.


#11
gUzAnO

    Member

  • Topic Starter
  • Member
  • 78 posts
:tazz: ;) ;) ;) THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! My computer's back!! I appreciate it SOOOOOOOOOOOOOOOO much :) Bravooo xD. I have one more question before my HJT log gets pasted :tazz:

My PC is used by my family, so I have divided it by sessions: I'm the admin session, there's another admin session and about 4 user sessions. So, to the point: are these other sessions affected by the spyware? (I disabled them trying not to let it spread.) And is surfsidekickers3 a bad folder? Also, what can I do with the quarantine files in ewido? (got 88 files :S) And do I have to reinstall the programs that weren't working? (daemon tools still says "Unable to open image. Unable to open file in kernel mode", and Kaspersky says I need to reinstall.) Now that my PC is back to what it was... I don't want to ruin it again!! Here's the brand fresh HJT log :woot: thanks to bananafanafo :ph34r:

Logfile of HijackThis v1.99.1
Scan saved at 22:07:36, on 16/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
D:\Guz\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118531826405
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Regards, G.
I'm very gratefully in debt and I reaaaalllly appreciate your help :hug:

Edited by gUzAnO, 16 June 2005 - 08:18 PM.


#12
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're welcome!

Are these other sessions affected by the spyware? (i disabled them trying not to let it spread)

Most likely. With that many user accounts, especially with how nasty your account was, we can clean the other Admin account with no problem, but it's extremely difficult to clean limited accounts because they won't let you do much. If there isn't too much stuff I would recommend deleting the limited accounts and making new ones...

and, is surfsidekickers3 a bad folder?,

Yes!

also what can i do with the quarantine files in the ewido? (got 88 files :S)

You can delete what it has quarantined.

and do i hav to reinstall the programs that weren't working? (daemon tools still says "Unable to open image. Unable to open file in kernel mode", and kaspersky says i need to reinstall),

Your system was pretty nasty, so I don't doubt that some kind of malware messed them up, so yes it would be best to re-install the programs which are not working properly - specifically your Anti-virus program.

now that my pc is back to what it was.. i don't want to ruin it again!!

My highest recommendation is to download XP Service Pack 2 and stay far away from warez sites.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

svchost.exe (moto)

When you find it, double-click on it. In the next window that opens, click the Stop button (it's fine if it's already stopped, just continue with the rest), then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

moto

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click YES.

Post a new HiJackThis log.
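The triage behind the fix in post #10 (the two log entries that were checked in HijackThis) and the "Delete an NT Service" step above (which needs the service's short name, "moto") can be expressed as a few rules over the log. This is an added example, not part of the thread and not HijackThis's own logic; the sample lines are copied from the log posted above, and the rules ("file missing", "Unknown owner", a System32 binary name living outside System32) are my own heuristics.

```python
import re

# Constructed sample: the two entries the fix targets plus benign neighbours
# from the same log, so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

MISSING = r"(?P<missing> \(file missing\))?$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)" + MISSING)
# Display name, optional "(short name)", owner, path, optional "(file missing)".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)" + MISSING)

# Binaries that belong in %SystemRoot%\System32; the same name elsewhere is a lookalike.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}


def triage(log_text: str) -> list[dict]:
    """One finding per suspicious O2/O23 line: the reasons, the path, and (for
    services) the short name HijackThis asks for under 'Delete an NT Service'."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        reasons = []
        if m.group("missing"):
            reasons.append("target file missing: stale entry left behind by a removed component")
        if line.startswith("O23"):
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded for the service binary")
            base = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base in SYSTEM32_ONLY and "\\system32\\" not in m.group("path").lower():
                reasons.append(f"{base} outside System32 masquerades as a Windows binary")
        if reasons:
            findings.append({"line": line, "path": m.group("path"),
                             "service": m.group("short") if line.startswith("O23") else None,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"], "->", "; ".join(f["reasons"]), f"(service: {f['service']})")
```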

#13
gUzAnO

    Member

  • Topic Starter
  • Member
  • 78 posts
Hi there, sorry for my absence, I've been quite busy with college so I haven't had much free time to spare :s. Well, I'm back here now for a lil' problem I've got (alright, yes, maybe I screwed up again =( ). It's kind of weird: when I hit the SEARCH button the explorer.exe reboots itself, not allowing me to search anything at all on my PC. I thought it was JAVA maybe, because I can't see some "appz" that maybe are JAVA appz on some webpages :S. So... I came here for help. Here's my HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:27, on 23/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
D:\Guz\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] D:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Regards, G.

Edited by gUzAnO, 23 June 2005 - 09:13 AM.


#14
gUzAnO

    Member

  • Topic Starter
  • Member
  • 78 posts
I'll check this later, I have to go to class :s I hate this class -.- C'ya all ppl!!

#15
gUzAnO

    Member

  • Topic Starter
  • Member
  • 78 posts
Is this picture because of my browser or what? explorer.exe is still rebooting itself when I hit Search -> drop-down box (choose location); that's the exact point when it reboots.

Regards, G.

Attached Thumbnails

  • java.JPG
