ABI/Ceres Adware & possible Trojan [RESOLVED]


#1 btketron (Member, 13 posts)
Hey guys--first time on the forum. I've read around and couldn't find a specific answer about this A Better Internet and Ceres software that was loaded onto my company computer. It's killing me--I'm trying to get reports done and this thing just keeps popping up. Anyways, any help I can get will be MUCH appreciated. Here is my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:40:57 AM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\orant\BIN\GLDI9032.EXE
C:\orant\BIN\GLDILUS.EXE
C:\orant\BIN\ADIQC32.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://aimexpress.aim.com
O15 - Trusted Zone: http://www.hostboard.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\fbe.dll
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Just tell me what I need to delete; if it turns out I need to log on to my comp, terminate the network connection and restart in safe mode, I'll have to do that after hours, but I'll do what it takes to get this off my hands. Thanks in advance!!!

Brad

PS--I have run AdAware, Spybot S&D, Microsoft AntiSpyware, SPD, and the Corporate edition of NAV, none of which have been solutions to my problem.

Edited by btketron, 06 July 2005 - 09:27 AM.



#2 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi btketron and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log; the helpers here are very busy.
If you still need help, please post a fresh Hijack log in this thread so I can help you with your malware problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#3 btketron (Topic Starter, Member, 13 posts)
First off, thank you Excal--I appreciate the help in advance, and I know it's a lot of work, with all of the analysts you have being outnumbered by the number of logs posted per day; I'm just fortunate that you guys put this on. This is great.

Here's my new HJT file...and remember, this is a company/corporate computer I'm working with here, so I don't have "full" rights to fix some things. I may have to take notes and get an IT buddy to finish the rest with admin rights. I'll do as much as I can though.

Logfile of HijackThis v1.99.1
Scan saved at 1:13:50 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\??sembly\fast.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\ireb\otee.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\orant\BIN\GLDI9032.EXE
C:\orant\BIN\GLDILUS.EXE
C:\orant\BIN\ADIQC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jaqburiu] C:\WINDOWS\system32\??sembly\fast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://aimexpress.aim.com
O15 - Trusted Zone: http://www.hostboard.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\cynsole.dll
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi btketron and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.


DOWNLOAD PROGRAMS


Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX


Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKCU\..\Run: [Jaqburiu] C:\WINDOWS\system32\??sembly\fast.exe
O15 - Trusted Zone: http://aimexpress.aim.com
O15 - Trusted Zone: http://www.hostboard.com
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\cynsole.dll


7. Click the Fix Checked box.

8. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

AdwareAlert <===== This program is not considered a trusted anti-spyware program; see the Rogue Spyware List.

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\AdwareAlert
C:\WINDOWS\system32\exp
C:\WINDOWS\system32\??sembly


10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\cynsole.dll


11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

#5 btketron (Topic Starter, Member, 13 posts)
Sorry I haven't updated things in a while, I'm in accounting and we're in the middle of closing--I'm swamped with work. Here is a fresh HJT file...because Ceres pop-ups have started again. :tazz:

Anyways, let me know what I can do...Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:52:51 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wintask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\nuhhskln.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\accwiz.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\ireb\otee.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\orant\BIN\GLDI9032.EXE
C:\orant\BIN\GLDILUS.EXE
C:\orant\BIN\ADIQC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [nuhhskln] c:\windows\system32\nuhhskln.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\nndeapi.dll
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi,

AdwareAlert didn't seem to get uninstalled? I wonder if they aren't allowing you to do that on that computer... hmmm. Let's try one more time, but I think you might have to call an IT guy to help you out.

Please right-click on the Microsoft/Giant AntiSpyware icon (looks like a target), click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re-enable it after the fix, follow the same steps but click on Enable Real-time Protection.


THE FIX


Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [nuhhskln] c:\windows\system32\nuhhskln.exe


7. Click the Fix Checked box.

8. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

AdwareAlert <===== This program is not considered a trusted spyware-removal program (Rogue Spyware List).

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\AdwareAlert
C:\WINDOWS\system32\exp


10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\ceres.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\system32\exp.exe
c:\windows\system32\nuhhskln.exe


11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
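As an added example (not part of the post above, and not HijackThis's own code), the Python script below parses the HijackThis entry types the post asks you to fix (R0/R1, O2, O3, O4, plus O20 and O23), maps each one to the registry location it is read from and the file it names, so you can see exactly what "Fix Checked" is going to touch, and then diffs a before and after log to list the entries that survived the fix. The BEFORE sample is a subset of the lines quoted in the post; the AFTER sample is a few lines from the fresh log posted later in the thread. The registry key constants are the standard autostart and Internet Explorer locations; the executable-path heuristic for unquoted paths with spaces is this script's own offline approximation.

```python
"""Added example, not code from the thread or from HijackThis: parse HijackThis
1.99 log lines, map each entry to the registry location it is read from (what
'Fix Checked' edits) and the file it names, and diff two logs to list the
entries that survived the fix."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str        # HijackThis section: R0, R1, O2, O3, O4, O20, O23
    target: str      # registry key or value the entry corresponds to
    path: str = ""   # file on disk the entry points at ("" if none)
    data: str = ""   # value data for R0/R1 entries (the URL)


# Autostart / IE locations each section is read from; CLSID or name is appended.
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_KEY = r"HKLM\System\CurrentControlSet\Services"

_PATTERNS = [
    ("R",   re.compile(r"^(R[01]) - (.+?),(.+?) =\s*(.*)$")),
    ("O2",  re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")),
    ("O3",  re.compile(r"^O3 - Toolbar: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")),
    ("O4",  re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (.+?) - (.*)$")),
    ("O23", re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")),
]
_EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".dll")


def exe_path(cmdline: str) -> str:
    """Program part of a command line: the quoted string, else the shortest leading
    prefix ending in an executable extension (an offline approximation of how
    CreateProcess resolves unquoted paths containing spaces), else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    tokens = cmdline.split(" ")
    for i in range(len(tokens)):
        prefix = " ".join(tokens[: i + 1])
        if prefix.lower().endswith(_EXE_EXT):
            return prefix
    return tokens[0]


def _file(p: str) -> str:
    return "" if p == "(no file)" else p   # HijackThis prints (no file) for dead references


def parse_entry(line: str):
    """One log line -> Entry, or None for lines this parser does not handle."""
    line = line.strip()
    for kind, pat in _PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        g = m.groups()
        if kind == "R":
            return Entry(g[0], f"{g[1]}\\{g[2]}", data=g[3])
        if kind == "O2":
            return Entry("O2", f"{BHO_KEY}\\{g[0]}", _file(g[1]))
        if kind == "O3":
            return Entry("O3", f"{TOOLBAR_KEY}\\{g[0]}", _file(g[1]))
        if kind == "O4":
            return Entry("O4", f"{g[0]}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{g[1]}",
                         exe_path(g[2]))
        if kind == "O20":
            return Entry("O20", f"{NOTIFY_KEY}\\{g[0]}", g[1])
        # O23: the service's short name trails the display name in parentheses when it differs
        short = re.search(r"\(([^()]+)\)$", g[0])
        return Entry("O23", f"{SERVICES_KEY}\\{short.group(1) if short else g[0]}", exe_path(g[2]))
    return None


def parse_hjt_log(text: str) -> set:
    return {e for e in map(parse_entry, text.splitlines()) if e}


def survivors(before: str, after: str) -> list:
    """Entries present in both logs, i.e. what the fix did not remove."""
    return sorted(parse_hjt_log(before) & parse_hjt_log(after), key=lambda e: (e.kind, e.target))


# Sample input: BEFORE is a subset of the lines quoted in the post, AFTER a few
# lines from the fresh log posted later in the thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
"""

if __name__ == "__main__":
    for e in survivors(BEFORE, AFTER):
        print(f"{e.kind:<3} still present: {e.target}  {e.path or e.data}")
```

Run as-is it reports four survivors: the two http://info/ entries (the poster later explains that is the internal company homepage) and the two O4 entries for exp.exe and wintask.exe. The fresh log later in the thread also lists C:\WINDOWS\system32\wintask.exe among the running processes, so those two files were not removed by the fix; the practical check before deleting them again is to kill the process first, then confirm the Run values and the files are gone after a reboot.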

#7 btketron (Topic Starter, Member, 13 posts)
Another thing--the Panda ActiveScan that you want me to run will not run either--the page has an error when it asks me the country/state I'm from before it will begin the online scan.

#8 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Do this one instead please.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
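An added example, not code from the thread or from the Trend Micro tool: the Antispyware.log this utility writes lists every tracking cookie, every COM registration subkey and every quarantined copy as its own "Found" line, so most of a long log is noise. The Python script below groups the findings by log section, rates each file hit by where it lives (quarantine and temp/cache folders versus the Windows directory), pulls out the CLSIDs involved and which of them are registered as Browser Helper Objects with an InprocServer32 (a DLL that every Internet Explorer process loads), and lists files that were found but never reported as cleaned. The sample log is constructed from a subset of the lines in the log posted later in the thread, with a deliberately short cleaning section; the severity labels are this script's own, not the tool's.

```python
"""Added example, not code from the thread or from the Trend Micro tool: triage an
Antispyware.log so the findings that matter (files still in the Windows directory,
CLSIDs registered as Browser Helper Objects) stand out from cookies, quarantine
copies and temp-folder leftovers."""
import re
from collections import defaultdict

SECTIONS = {"Internet Cookies", "Programs in Memory", "Windows Registry",
            "Internet URL Shortcuts", "Files and Directories"}
_FOUND = re.compile(r"^Found '(.*?)' in '(.*)'$")
_CLEAN = re.compile(r"^Cleaning '(.*)'$")
_CLSID = re.compile(r"CLSID\\(\{[0-9A-Fa-f-]+\})")
_BHO = re.compile(r"Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})")


def file_severity(path: str) -> str:
    """Rate a file hit by where it lives (labels are this script's own)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"   # already isolated by another product; inert
    if "\\temp\\" in p or "\\temporary internet files\\" in p or "\\recycler\\" in p:
        return "low"           # dropper leftovers; nothing loads these on its own
    if p.startswith("c:\\windows\\"):
        return "high"          # still in the system directory, still loadable
    return "medium"


def parse_tmas_log(text: str):
    """Group 'Found' lines by log section; collect what the tool reports cleaning."""
    found = defaultdict(list)   # section -> [(value or file name, key or folder)]
    cleaned = set()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section = line
            continue
        m = _FOUND.match(line)
        if m and section:
            found[section].append(m.groups())
            continue
        m = _CLEAN.match(line)
        if m:
            cleaned.add(m.group(1))
    return found, cleaned


def triage(text: str) -> dict:
    found, cleaned = parse_tmas_log(text)
    files = {}
    for name, folder in found["Files and Directories"]:
        # an empty name means the second field is already the full file path
        full = folder if name == "" else folder.rstrip("\\") + "\\" + name
        files[full] = file_severity(full)
    clsids, inproc, bhos = set(), set(), set()
    for _value, key in found["Windows Registry"]:
        m = _CLSID.search(key)
        if m:
            clsids.add(m.group(1).upper())
            if key.lower().endswith("\\inprocserver32"):
                inproc.add(m.group(1).upper())   # in-process COM server, i.e. a DLL
        m = _BHO.search(key)
        if m:
            bhos.add(m.group(1).upper())
    return {
        "cookies": len(found["Internet Cookies"]),
        "files": files,
        "not_cleaned": sorted(f for f in files if f not in cleaned),
        "clsids": sorted(clsids),
        # BHO CLSIDs backed by an InprocServer32: DLLs loaded into every IE process
        "inproc_bho_clsids": sorted(bhos & inproc),
    }


# Constructed sample: a subset of the log posted later in the thread, with a
# deliberately short cleaning section so that 'not_cleaned' has something to show.
SAMPLE_LOG = r"""
Started Scanning
Internet Cookies
Found 'abetterinternet.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Windows Registry
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\InprocServer32'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32'
Files and Directories
Found '' in 'C:\Documents and Settings\btketron\Local Settings\Temp\drp1.tmp'
Found 'ceres.dll' in 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp'
Found '017F4365-3869-4D42-97B0-345ACB' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96'
Found 'Dc13.dll' in 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652'
Found 'ceres.dll' in 'C:\WINDOWS'
Found 'PopOops.dll' in 'C:\WINDOWS\system32'
Found 'data.bin' in 'C:\Program Files\Aprps'
Finished Scanning
Started Cleaning
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\drp1.tmp'
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.dll'
Cleaning 'C:\Program Files\Aprps\data.bin'
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, sev in sorted(report["files"].items(), key=lambda kv: kv[1]):
        print(f"{sev:<11} {path}")
    print("BHO DLLs:", report["inproc_bho_clsids"], "not cleaned:", len(report["not_cleaned"]))
```

The two things worth reading off the result are the "high" files (a DLL sitting in C:\WINDOWS or system32 that no product has quarantined) and the CLSIDs under Browser Helper Objects that still have an InprocServer32; if either list is non-empty after the tool's own cleaning pass, the next HijackThis log should still show the matching O2 line and the file should still be on disk, which is the cue to go back to the manual file-removal step.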

#9 btketron (Topic Starter, Member, 13 posts)
Here you go--one other note, the http://info/ part of the HJT scan is harmless--the address is our internal company homepage. So ignore that one...

Here's a fresh HJT scan and the Trend Micro scan results.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:38 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wintask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\pcintui.dll
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Started Scanning
Internet Cookies
Found 'realmedia.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'master.mx-targeting.com' in 'Internet Explorer Cache'
Found 'imrworldwide.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'trafficmp.com' in 'Internet Explorer Cache'
Found 'questionmarket.com' in 'Internet Explorer Cache'
Found 'abetterinternet.com' in 'Internet Explorer Cache'
Found 'com.com' in 'Internet Explorer Cache'
Found 'a.websponsors.com' in 'Internet Explorer Cache'
Found 'offeroptimizer.com' in 'Internet Explorer Cache'
Found 'delfinproject.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'cliks.org' in 'Internet Explorer Cache'
Found 'azjmp.com' in 'Internet Explorer Cache'
Found 'hits.clickandtrack.net' in 'Internet Explorer Cache'
Found 'citi.bridgetrack.com' in 'Internet Explorer Cache'
Found 'z1.adserver.com' in 'Internet Explorer Cache'
Found 'go.com' in 'Internet Explorer Cache'
Found 'insightexpressai.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'bluestreak.com' in 'Internet Explorer Cache'
Found 'centrport.net' in 'Internet Explorer Cache'
Found 'www.burstbeacon.com' in 'Internet Explorer Cache'
Found 'perf.overture.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'master.mx-targeting.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'revenue.net' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'burstnet.com' in 'Internet Explorer Cache'
Found 'adopt.specificclick.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}'
Found '' in 'SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\VERSION'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\VERSION'
Found '' in 'SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}'
Found '' in 'SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}'
Found '' in 'SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}'
Found '' in 'SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}'
Found '' in 'SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\TypeLib'
Found '' in 'SOFTWARE\Classes\PopOops2.PopOops'
Found '' in 'SOFTWARE\Classes\PopOops2.PopOops\Clsid'
Found '' in 'SOFTWARE\Classes\SWLAD1.SWLAD'
Found '' in 'SOFTWARE\Classes\SWLAD1.SWLAD\Clsid'
Found '' in 'SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9}\7.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9}\7.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9}\7.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9}\7.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52}\5.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52}\5.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52}\5.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52}\5.0\HELPDIR'
Found '' in 'Software\intexp'
Found '' in 'Software\intexp\Config'
Found '' in 'Software\intexp\MyFileSystem2'
Found '' in 'SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}'
Found '' in 'SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}'
Found '' in 'SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.BottomFrame'
Found '' in 'SOFTWARE\Classes\IMIToolbar.BottomFrame.1'
Found '' in 'SOFTWARE\Classes\IMIToolbar.BottomFrame.1\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer'
Found '' in 'SOFTWARE\Classes\IMIToolbar.LeftFrame'
Found '' in 'SOFTWARE\Classes\IMIToolbar.LeftFrame.1'
Found '' in 'SOFTWARE\Classes\IMIToolbar.LeftFrame.1\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupBrowser'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupBrowser.1'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupBrowser.1\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupWindow'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupWindow.1'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupWindow.1\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID'
Found '' in 'SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer'
Found '' in 'SOFTWARE\Classes\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}'
Found '' in 'SOFTWARE\Classes\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}'
Found '' in 'SOFTWARE\Classes\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}'
Found '' in 'SOFTWARE\Classes\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}'
Found '' in 'SOFTWARE\Classes\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}'
Found '' in 'SOFTWARE\Classes\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\TypeLib'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\InprocServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\InprocServer32'
Found 'InstallDay' in 'Software\intexp\Config'
Found 'KeywordMatch' in 'Software\intexp\Config'
Found 'LogUrl' in 'Software\intexp\Config'
Found 'PostCGITime' in 'Software\intexp\Config'
Found 'SystemDate' in 'Software\intexp\Config'
Found 'SystemID' in 'Software\intexp\MyFileSystem2'
Found '' in 'SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\Wbho.Band'
Found '' in 'SOFTWARE\Classes\Wbho.Band.1'
Found '' in 'SOFTWARE\Classes\Wbho.Band.1\CLSID'
Found '' in 'SOFTWARE\Classes\Wbho.Band\CLSID'
Found '' in 'SOFTWARE\Classes\Wbho.Band\CurVer'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32'
Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\NumMethods'
Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:/Program Files/VBouncer/INSTALL.LOG'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}'
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj.1\CLSID'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj.1'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj'
Found '' in 'Software\Ceres'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}'
Found '' in 'SOFTWARE\AutoLoader'
Found '' in 'SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\Programmable'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\Implemented Categories\{00021494-0000-0000-C000-000000000046}'
Found '' in 'SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\Implemented Categories'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\Programmable'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\Implemented Categories\{00021493-0000-0000-C000-000000000046}'
Found '' in 'SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\Implemented Categories'
Found '' in 'SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\Programmable'
Found '' in 'SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\Programmable'
Found '' in 'SOFTWARE\Classes\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}'
Found '' in 'SOFTWARE\Classes\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}\TypeLib'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32'
Found '' in 'SOFTWARE\Vendor\xml'
Found '' in 'SOFTWARE\Classes\Remove'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}'
Found '' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\Programmable'
Found 'Version' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\InprocServer32'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\LocalServer32'
Found '' in 'TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}'
Found '' in 'Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}'
Found '' in 'CeresDll.CeresDllObj'
Found '' in 'CeresDll.CeresDllObj.1'
Found '' in 'CLSID\{00000049-8F91-4D9C-9573-F016E7626484}'
Found '' in 'Wbho.Band.1'
Found '' in 'Wbho.Band'
Found '' in 'CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}'
Found '' in 'IMIToolbar.PopupBrowser'
Found '' in 'IMIToolbar.PopupBrowser.1'
Found '' in 'CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}'
Found '' in 'IMIToolbar.LeftFrame'
Found '' in 'IMIToolbar.LeftFrame.1'
Found '' in 'IMIToolbar.BottomFrame'
Found '' in 'IMIToolbar.BottomFrame.1'
Found '' in 'CLSID\{F3155057-4C2C-4078-8576-50486693FD49}'
Found '' in 'IMIToolbar.PopupWindow'
Found '' in 'IMIToolbar.PopupWindow.1'
Found '' in 'CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}'
Found '' in 'Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}'
Found '' in 'TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}'
Found '' in 'Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}'
Found '' in 'Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}'
Found '' in 'Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}'
Found '' in 'Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}'
Found '' in 'Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}'
Found '' in 'CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}'
Found '' in 'CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'CLSID\{F3155057-4C2C-4078-8576-50486693FD49}'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Documents and Settings\btketron\Local Settings\Temp\drp1.tmp'
Found 'ceres.dll' in 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp'
Found 'ceres.inf' in 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp'
Found 'temp.fr7EA3' in 'C:\Documents and Settings\btketron\Local Settings\Temp'
Found 'temp.frD7E9' in 'C:\Documents and Settings\btketron\Local Settings\Temp'
Found 'data.bin' in 'C:\Program Files\Aprps'
Found 'RemoveDisplayUtility.exe' in 'C:\Program Files\Common Files\Uninstall Information'
Found '017F4365-3869-4D42-97B0-345ACB' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96'
Found '4F15276E-3F15-4B9D-A336-C818E3' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96'
Found 'ECAD3D2E-46D3-4087-BF0C-5A4190' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96'
Found '590AFC63-0FD6-4FDD-8D99-390BDB' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140'
Found '743BD699-A53C-470F-85B0-82AF73' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140'
Found '9DC5029C-8C53-422A-8448-EAFC92' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140'
Found 'C775AAA0-1CF1-40C9-ACA4-076828' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140'
Found '6B4705C7-C51D-4AAB-9102-4D5B1C' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\4F3E3EC6-594F-441E-BECF-7BB1B2'
Found 'B8D86C10-E689-4745-BE87-50C7EB' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0'
Found 'D602DF82-9741-41F3-9017-4C67B3' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0'
Found 'AC3E2621-EA81-4917-B565-DB0385' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C'
Found 'CFE569B0-0822-408D-BC9B-5D600C' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C'
Found '257175A4-B433-4786-93F4-10B8E0' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB'
Found '837CADEA-42A3-4D53-AEAA-37014F' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB'
Found 'EAC386A3-047F-453A-AB68-45B1A3' in 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB'
Found 'Dc13.dll' in 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652'
Found 'Dc5.exe' in 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652'
Found 'Buddy.exe' in 'C:\WINDOWS'
Found 'ceres.dll' in 'C:\WINDOWS'
Found 'ceres.inf' in 'C:\WINDOWS\inf'
Found 'AUNPS2.dll' in 'C:\WINDOWS\system32'
Found 'PopOops.dll' in 'C:\WINDOWS\system32'
Found 'SWLAD2.dll' in 'C:\WINDOWS\system32'
Found 'tdtb.exe' in 'C:\WINDOWS'
Found 'setup.inf' in 'C:\WINDOWS\Temp\AutoUpdate0'
Found 'AproposClientInstaller[1].exe' in 'C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O9UBS9AJ'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\drp1.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\drp1.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\drp1.tmp'
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.dll' in shortcut areas.
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.dll' in startup areas.
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.dll'
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.inf' in shortcut areas.
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.inf' in startup areas.
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\DrTemp\ceres.inf'
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\temp.fr7EA3' in shortcut areas.
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\temp.fr7EA3' in startup areas.
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\temp.fr7EA3'
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\temp.frD7E9' in shortcut areas.
Checking for 'C:\Documents and Settings\btketron\Local Settings\Temp\temp.frD7E9' in startup areas.
Cleaning 'C:\Documents and Settings\btketron\Local Settings\Temp\temp.frD7E9'
Checking for 'C:\Program Files\Aprps\data.bin' in shortcut areas.
Checking for 'C:\Program Files\Aprps\data.bin' in startup areas.
Cleaning 'C:\Program Files\Aprps\data.bin'
Checking for 'C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe' in shortcut areas.
Checking for 'C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe' in startup areas.
Cleaning 'C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\017F4365-3869-4D42-97B0-345ACB' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\017F4365-3869-4D42-97B0-345ACB' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\017F4365-3869-4D42-97B0-345ACB'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\4F15276E-3F15-4B9D-A336-C818E3' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\4F15276E-3F15-4B9D-A336-C818E3' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\4F15276E-3F15-4B9D-A336-C818E3'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\ECAD3D2E-46D3-4087-BF0C-5A4190' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\ECAD3D2E-46D3-4087-BF0C-5A4190' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\1D3019C5-E425-4A2C-8057-491E96\ECAD3D2E-46D3-4087-BF0C-5A4190'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\590AFC63-0FD6-4FDD-8D99-390BDB' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\590AFC63-0FD6-4FDD-8D99-390BDB' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\590AFC63-0FD6-4FDD-8D99-390BDB'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\743BD699-A53C-470F-85B0-82AF73' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\743BD699-A53C-470F-85B0-82AF73' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\743BD699-A53C-470F-85B0-82AF73'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\9DC5029C-8C53-422A-8448-EAFC92' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\9DC5029C-8C53-422A-8448-EAFC92' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\9DC5029C-8C53-422A-8448-EAFC92'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\C775AAA0-1CF1-40C9-ACA4-076828' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\C775AAA0-1CF1-40C9-ACA4-076828' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\3535C531-7FA6-4E39-963D-1AE140\C775AAA0-1CF1-40C9-ACA4-076828'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\4F3E3EC6-594F-441E-BECF-7BB1B2\6B4705C7-C51D-4AAB-9102-4D5B1C' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\4F3E3EC6-594F-441E-BECF-7BB1B2\6B4705C7-C51D-4AAB-9102-4D5B1C' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\4F3E3EC6-594F-441E-BECF-7BB1B2\6B4705C7-C51D-4AAB-9102-4D5B1C'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0\B8D86C10-E689-4745-BE87-50C7EB' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0\B8D86C10-E689-4745-BE87-50C7EB' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0\B8D86C10-E689-4745-BE87-50C7EB'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0\D602DF82-9741-41F3-9017-4C67B3' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0\D602DF82-9741-41F3-9017-4C67B3' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\61285762-D544-48BE-B90D-F2EFB0\D602DF82-9741-41F3-9017-4C67B3'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C\AC3E2621-EA81-4917-B565-DB0385' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C\AC3E2621-EA81-4917-B565-DB0385' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C\AC3E2621-EA81-4917-B565-DB0385'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C\CFE569B0-0822-408D-BC9B-5D600C' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C\CFE569B0-0822-408D-BC9B-5D600C' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\8D9E19AD-E7C5-46EE-A345-C5778C\CFE569B0-0822-408D-BC9B-5D600C'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\257175A4-B433-4786-93F4-10B8E0' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\257175A4-B433-4786-93F4-10B8E0' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\257175A4-B433-4786-93F4-10B8E0'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\837CADEA-42A3-4D53-AEAA-37014F' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\837CADEA-42A3-4D53-AEAA-37014F' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\837CADEA-42A3-4D53-AEAA-37014F'
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\EAC386A3-047F-453A-AB68-45B1A3' in shortcut areas.
Checking for 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\EAC386A3-047F-453A-AB68-45B1A3' in startup areas.
Cleaning 'C:\Program Files\Microsoft AntiSpyware\Quarantine\FCC8A579-CBFF-4553-84D6-8346FB\EAC386A3-047F-453A-AB68-45B1A3'
Checking for 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652\Dc13.dll' in shortcut areas.
Checking for 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652\Dc13.dll' in startup areas.
Cleaning 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652\Dc13.dll'
Checking for 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652\Dc5.exe' in shortcut areas.
Checking for 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652\Dc5.exe' in startup areas.
Cleaning 'C:\RECYCLER\S-1-5-21-1993962763-1770027372-1801674531-11652\Dc5.exe'
Checking for 'C:\WINDOWS\Buddy.exe' in shortcut areas.
Checking for 'C:\WINDOWS\Buddy.exe' in startup areas.
Cleaning 'C:\WINDOWS\Buddy.exe'
Checking for 'C:\WINDOWS\ceres.dll' in shortcut areas.
Checking for 'C:\WINDOWS\ceres.dll' in startup areas.
Cleaning 'C:\WINDOWS\ceres.dll'
[SCANMODS] WARNING: Deletion of the file 'C:\WINDOWS\ceres.dll' requires a reboot.
Checking for 'C:\WINDOWS\inf\ceres.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\ceres.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\ceres.inf'
Checking for 'C:\WINDOWS\system32\AUNPS2.dll' in shortcut areas.
Checking for 'C:\WINDOWS\system32\AUNPS2.dll' in startup areas.
Cleaning 'C:\WINDOWS\system32\AUNPS2.dll'
Checking for 'C:\WINDOWS\system32\PopOops.dll' in shortcut areas.
Checking for 'C:\WINDOWS\system32\PopOops.dll' in startup areas.
Cleaning 'C:\WINDOWS\system32\PopOops.dll'
Checking for 'C:\WINDOWS\system32\SWLAD2.dll' in shortcut areas.
Checking for 'C:\WINDOWS\system32\SWLAD2.dll' in startup areas.
Cleaning 'C:\WINDOWS\system32\SWLAD2.dll'
Checking for 'C:\WINDOWS\tdtb.exe' in shortcut areas.
Checking for 'C:\WINDOWS\tdtb.exe' in startup areas.
Cleaning 'C:\WINDOWS\tdtb.exe'
Checking for 'C:\WINDOWS\Temp\AutoUpdate0\setup.inf' in shortcut areas.
Checking for 'C:\WINDOWS\Temp\AutoUpdate0\setup.inf' in startup areas.
Cleaning 'C:\WINDOWS\Temp\AutoUpdate0\setup.inf'
Checking for 'C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O9UBS9AJ\AproposClientInstaller[1].exe' in shortcut areas.
Checking for 'C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O9UBS9AJ\AproposClientInstaller[1].exe' in startup areas.
Cleaning 'C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O9UBS9AJ\AproposClientInstaller[1].exe'
Finished Cleaning

#10
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Well, if nothing else, we certainly have made progress. :tazz: Not sure why these are being so stubborn.


DOWNLOAD PROGRAMS


Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left-hand side of the main screen, click Update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido:
ewido manual updates


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:
  • Click on Scanner.
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower-left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop.
Close Ewido.

5. Close all browsers, windows and unneeded programs.

6. Open HijackThis and do a scan.

7. Put a Check next to the following items:

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\pcintui.dll


8. Click the Fix Checked box.

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\pcintui.dll


10. Reboot into normal mode.

11. You may have the latest version of VX2. Download L2mfix from one of these two locations:
  • One
  • Two
  • Save the file to your desktop and double-click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
  • Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Then post a HijackThis log (not attached) together with the L2Mfix log.


12. Please post the L2M fix log and a fresh HiJackThis log. Let me know how your computer is running.
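An added example, not code from this thread, from HijackThis or from ewido: a small Python parser for the log format the helper is reading, which automates the two things done by eye in this thread, checking whether the names on the fix list (steps 7 and 9) still show up as autostarts or running processes, and diffing two logs to see what was removed and what came back. The sample logs are constructed abbreviations of the ones quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the O4/O20 lines quoted in this thread (not the full log).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\wintask.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\pcintui.dll
"""
# Constructed follow-up log: the Run entries are gone, but wintask.exe is
# still running and a different Winlogon Notify DLL has appeared.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\wintask.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fblemgmt.dll
"""

# First image path in a command line: quoted, or unquoted up to a binary extension.
PATH_RE = re.compile(
    r'"([^"]+)"|((?:[A-Za-z]:|%\w+%|\\\\)[^"]*?\.(?:exe|dll|com|scr|cpl))', re.I)

@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O20", or "PROC" for a running process
    label: str    # Run value name or Winlogon Notify subkey ("" for PROC)
    path: str     # image path, lower-cased so comparisons are case-insensitive

def _image_path(cmdline):
    m = PATH_RE.search(cmdline)
    return (m.group(1) or m.group(2)).strip().lower() if m else ""

def parse_hjt(text):
    """Parse the running-process list and the O4/O20 lines of a HijackThis log."""
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)  # a blank line ends the process list
            if line:
                entries.append(Entry("PROC", "", line.lower()))
        elif m := re.match(r"O4 - .+?: \[(.+?)\] (.+)", line):
            entries.append(Entry("O4", m.group(1), _image_path(m.group(2))))
        elif m := re.match(r"O20 - Winlogon Notify: (.+?) - (.+)", line):
            entries.append(Entry("O20", m.group(1), m.group(2).lower()))
    return entries

def hits(entries, suspect_names):
    """Entries (autostarts or live processes) whose file name is on the fix list."""
    names = {n.lower() for n in suspect_names}
    return [e for e in entries if e.path.rsplit("\\", 1)[-1] in names]

def diff_logs(before, after):
    """(removed, added) autostart entries between two logs; live processes ignored."""
    b = {e for e in parse_hjt(before) if e.section != "PROC"}
    a = {e for e in parse_hjt(after) if e.section != "PROC"}
    return sorted(b - a, key=str), sorted(a - b, key=str)
```

On the constructed logs, `hits` shows wintask.exe still alive as a process after its Run entry is gone, and `diff_logs` reports the three fixed entries as removed and the new Winlogon Notify DLL as added, which is exactly the "it came back" pattern the poster describes.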

#11
btketron
    Member

  • Topic Starter
  • Member
  • 13 posts
I haven't had a chance to run the Ewido SS, so I went into HJT and figured I'd get you a fresh log to work off of. Tell me what you think. I actually saw exp.exe this time and deleted it, so maybe that'll get rid of that one.

BTW, I cannot log on to my computer without being on the network here at work, so I think that may be a part of why things keep crawling back in after we delete them. I may have to consult a company IT person once work slows up.

Logfile of HijackThis v1.99.1
Scan saved at 4:40:55 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wintask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\orant\BIN\GLDI9032.EXE
C:\orant\BIN\GLDILUS.EXE
C:\orant\BIN\ADIQC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fblemgmt.dll
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#12
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hmmm, all looks good. Let me see another log after you run Ewido and reboot (make sure to run Ewido in Safe Mode). Don't fix anything in HijackThis.


Thanks,

:tazz:

Excal

Edited by Excal, 14 July 2005 - 04:25 PM.


#13
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.