Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

about:blank/Startpage-DU.dll trojan [RESOLVED]

Started by coe , Jul 10 2005 11:02 PM

  • This topic is locked This topic is locked

#1
coe
Posted 10 July 2005 - 11:02 PM

coe

    New Member

  • Member
  • Pip
  • 9 posts
McAfee has "deleted and cleaned" this trojan a few times now, as opening IE reinstalls it. Since the names change everytime, I am wary of using the previous solutions to this trojan on my system. Any help would be much appreciated, as I cannot use IE anymore, and pop ups persist.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:27 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\apiik32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wisptis.exe
C:\MSOffice\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {045AE71F-801F-4A71-C593-6529CE594056} - C:\WINDOWS\nttk32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {07DA44E0-3BFC-A455-CD97-F7B7B8790347} - C:\WINDOWS\mfcdx.dll
O2 - BHO: Class - {150DD6A2-741C-3AC1-86EF-B9F0211447BA} - C:\WINDOWS\mscx32.dll
O2 - BHO: Class - {176407B4-E211-4E16-BFFA-63C50AA24B06} - C:\WINDOWS\iegq32.dll
O2 - BHO: Class - {19F352CA-1BB9-DD56-81EF-9595DD355FD0} - C:\WINDOWS\system32\crcu.dll
O2 - BHO: Class - {1E5865E5-FF6F-A5FA-646C-038A3C2F5165} - C:\WINDOWS\system32\winkh32.dll
O2 - BHO: Class - {2CB91DCB-A5E9-DD47-0B46-E2380FC72EF2} - C:\WINDOWS\mfcpi32.dll
O2 - BHO: Class - {2FC735CE-855B-F1B2-A6ED-CAEA0E1EA230} - C:\WINDOWS\nthz.dll
O2 - BHO: Class - {30463195-A68F-5D9B-95C6-6E9E1788E6F2} - C:\WINDOWS\system32\iesb.dll
O2 - BHO: Class - {3EAF3A17-CC8D-5DC9-285D-C38B83233D28} - C:\WINDOWS\ieqs32.dll
O2 - BHO: Class - {40959590-5A08-A012-E5CC-72E14627D513} - C:\WINDOWS\mfcrs32.dll
O2 - BHO: Class - {5A23A6D7-97E3-2631-C5AA-E8733BB4E5DB} - C:\WINDOWS\crev32.dll
O2 - BHO: Class - {62883FE9-57A7-4A38-F908-7FA3F3C59429} - C:\WINDOWS\system32\javanz.dll
O2 - BHO: Class - {6518F4B3-A15F-E14C-71F3-61A49FC2A684} - C:\WINDOWS\system32\mfcnz.dll
O2 - BHO: Class - {66A15FEE-5E94-86FB-0CE6-EC4939529CDA} - C:\WINDOWS\mswj.dll
O2 - BHO: Class - {72763199-C2D7-3547-5C10-D62AF7ADE07C} - C:\WINDOWS\system32\apifm32.dll
O2 - BHO: Class - {7339C21E-5D1D-F6EF-29FC-8E7E97E8C4F9} - C:\WINDOWS\sdkxv32.dll
O2 - BHO: Class - {7C5F07FA-EE61-E2CA-7AC9-845516B1F196} - C:\WINDOWS\netjx.dll
O2 - BHO: Class - {8002B6F0-0D81-F712-A8F6-D0072EF4DAA2} - C:\WINDOWS\apivd32.dll
O2 - BHO: Class - {88260434-8547-32F0-C3AF-72B7C69C143F} - C:\WINDOWS\system32\syswm.dll
O2 - BHO: Class - {88CA47DE-D491-40E1-D009-5594D634627D} - C:\WINDOWS\sysix.dll
O2 - BHO: Class - {9414B585-09CB-B343-09D8-5DC5D2B786EF} - C:\WINDOWS\system32\atlao.dll
O2 - BHO: Class - {94FA607F-D21C-7B55-1D1B-1A9DE22BEE8D} - C:\WINDOWS\system32\appuu32.dll
O2 - BHO: Class - {9AB0AEAF-5C00-97B4-67EB-26FA674D4DA9} - C:\WINDOWS\system32\netlz.dll
O2 - BHO: Class - {A8955C5E-7D09-18F5-1D0E-99FB9B61BC16} - C:\WINDOWS\system32\addqb32.dll
O2 - BHO: Class - {A8F51229-8EF3-4D90-8BE3-E843327D6F95} - C:\WINDOWS\iere.dll
O2 - BHO: Class - {A96C5AC5-3757-499C-81C5-9CE344BBEFEC} - C:\WINDOWS\ipbd32.dll
O2 - BHO: Class - {A989B009-49B7-5A55-1A34-1D32EE1EA30B} - C:\WINDOWS\ntfq.dll
O2 - BHO: Class - {ABA388C5-AC45-44CB-9816-6536A674986F} - C:\WINDOWS\system32\sdkvu32.dll
O2 - BHO: Class - {AF3FF52D-6CB5-60E4-3DF7-76172788BE5E} - C:\WINDOWS\atlyf.dll
O2 - BHO: Class - {B012290B-F6CB-AE54-0C3F-C8D408BBF992} - C:\WINDOWS\system32\ieeh32.dll
O2 - BHO: Class - {B11BCDC9-1DD6-8BB6-933F-3824A67B8492} - C:\WINDOWS\appks32.dll
O2 - BHO: Class - {B849DA45-86A4-E0DA-DD53-02A7363DFCC4} - C:\WINDOWS\winmq32.dll
O2 - BHO: Class - {C10E70B6-0A9C-EFB9-C902-4055C2D7F322} - C:\WINDOWS\addst.dll
O2 - BHO: Class - {C211B80E-58BE-0087-621D-A487AE79FA25} - C:\WINDOWS\atlwd.dll
O2 - BHO: Class - {C2FA80DA-98A5-92AA-61BD-3EDED8569F27} - C:\WINDOWS\sysyw.dll
O2 - BHO: Class - {C8E09CC6-5143-0AEA-9C0D-D61F50C10ABA} - C:\WINDOWS\javalq.dll
O2 - BHO: Class - {CBE5F226-BD90-1454-83F4-2686C681720C} - C:\WINDOWS\system32\sdkgh.dll
O2 - BHO: Class - {CDF9636C-D75A-2630-DA17-CE41F76F5491} - C:\WINDOWS\sysud.dll
O2 - BHO: Class - {D8F86D1C-DCB4-B7F0-F514-1EC3928A742B} - C:\WINDOWS\addal.dll
O2 - BHO: Class - {E4406573-EB81-A46C-2815-B4F90C430E29} - C:\WINDOWS\system32\apprg.dll
O2 - BHO: Class - {EE5E8D85-5C41-AEAB-016D-094F74F518E8} - C:\WINDOWS\system32\ntrb.dll
O2 - BHO: Class - {F0E095A0-3EA9-8479-E393-7CB483F3BC0D} - C:\WINDOWS\system32\apiho.dll
O2 - BHO: Class - {F24066EC-902B-5FD0-38BE-FCBA8F762791} - C:\WINDOWS\winpy32.dll
O2 - BHO: Class - {F54252AB-AF1A-DA2D-3827-1F172DB2A621} - C:\WINDOWS\system32\crgf32.dll
O2 - BHO: Class - {F5E4007D-5064-4A70-D8DC-AF529CC13F3F} - C:\WINDOWS\system32\winos32.dll
O2 - BHO: Class - {F61C43C0-8F6A-C654-1213-B906276F3ADF} - C:\WINDOWS\msli32.dll
O2 - BHO: Class - {F9B1B847-EF94-1E89-A740-CBCBD8346C87} - C:\WINDOWS\system32\msaw32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [apiik32.exe] C:\WINDOWS\system32\apiik32.exe
O4 - HKLM\..\RunOnce: [winyn32.exe] C:\WINDOWS\winyn32.exe
O4 - HKLM\..\RunOnce: [mfcmq.exe] C:\WINDOWS\system32\mfcmq.exe
O4 - HKLM\..\RunOnce: [appcl.exe] C:\WINDOWS\system32\appcl.exe
O4 - HKLM\..\RunOnce: [netgp32.exe] C:\WINDOWS\netgp32.exe
O4 - HKLM\..\RunOnce: [adddv32.exe] C:\WINDOWS\system32\adddv32.exe
O4 - HKLM\..\RunOnce: [netce.exe] C:\WINDOWS\system32\netce.exe
O4 - HKLM\..\RunOnce: [syskc32.exe] C:\WINDOWS\syskc32.exe
O4 - HKLM\..\RunOnce: [sdkqe.exe] C:\WINDOWS\sdkqe.exe
O4 - HKLM\..\RunOnce: [netft.exe] C:\WINDOWS\netft.exe
O4 - HKLM\..\RunOnce: [addko32.exe] C:\WINDOWS\system32\addko32.exe
O4 - HKLM\..\RunOnce: [addnf.exe] C:\WINDOWS\addnf.exe
O4 - HKLM\..\RunOnce: [msyw.exe] C:\WINDOWS\system32\msyw.exe
O4 - HKLM\..\RunOnce: [sysxd.exe] C:\WINDOWS\sysxd.exe
O4 - HKLM\..\RunOnce: [mfcqa.exe] C:\WINDOWS\system32\mfcqa.exe
O4 - HKLM\..\RunOnce: [sdklo.exe] C:\WINDOWS\system32\sdklo.exe
O4 - HKLM\..\RunOnce: [ieid32.exe] C:\WINDOWS\ieid32.exe
O4 - HKLM\..\RunOnce: [appzs32.exe] C:\WINDOWS\appzs32.exe
O4 - HKLM\..\RunOnce: [javatm32.exe] C:\WINDOWS\javatm32.exe
O4 - HKLM\..\RunOnce: [mfcmd.exe] C:\WINDOWS\mfcmd.exe
O4 - HKLM\..\RunOnce: [sdkqh.exe] C:\WINDOWS\sdkqh.exe
O4 - HKLM\..\RunOnce: [d3bi32.exe] C:\WINDOWS\d3bi32.exe
O4 - HKLM\..\RunOnce: [winzp.exe] C:\WINDOWS\winzp.exe
O4 - HKLM\..\RunOnce: [mfcvt32.exe] C:\WINDOWS\system32\mfcvt32.exe
O4 - HKLM\..\RunOnce: [addfu.exe] C:\WINDOWS\addfu.exe
O4 - HKLM\..\RunOnce: [ielh.exe] C:\WINDOWS\ielh.exe
O4 - HKLM\..\RunOnce: [sdkqj32.exe] C:\WINDOWS\system32\sdkqj32.exe
O4 - HKLM\..\RunOnce: [appnw.exe] C:\WINDOWS\appnw.exe
O4 - HKLM\..\RunOnce: [ipgt.exe] C:\WINDOWS\system32\ipgt.exe
O4 - HKLM\..\RunOnce: [ipam32.exe] C:\WINDOWS\system32\ipam32.exe
O4 - HKLM\..\RunOnce: [appfg.exe] C:\WINDOWS\system32\appfg.exe
O4 - HKLM\..\RunOnce: [apied.exe] C:\WINDOWS\apied.exe
O4 - HKLM\..\RunOnce: [sysjf32.exe] C:\WINDOWS\sysjf32.exe
O4 - HKLM\..\RunOnce: [winjn32.exe] C:\WINDOWS\winjn32.exe
O4 - HKLM\..\RunOnce: [sysgi.exe] C:\WINDOWS\system32\sysgi.exe
O4 - HKLM\..\RunOnce: [iehi32.exe] C:\WINDOWS\iehi32.exe
O4 - HKLM\..\RunOnce: [sdkmk.exe] C:\WINDOWS\sdkmk.exe
O4 - HKLM\..\RunOnce: [syseo32.exe] C:\WINDOWS\system32\syseo32.exe
O4 - HKLM\..\RunOnce: [javasw.exe] C:\WINDOWS\system32\javasw.exe
O4 - HKLM\..\RunOnce: [apifr32.exe] C:\WINDOWS\apifr32.exe
O4 - HKLM\..\RunOnce: [winzw.exe] C:\WINDOWS\system32\winzw.exe
O4 - HKLM\..\RunOnce: [ieiw32.exe] C:\WINDOWS\ieiw32.exe
O4 - HKLM\..\RunOnce: [ntcv.exe] C:\WINDOWS\system32\ntcv.exe
O4 - HKLM\..\RunOnce: [winwg.exe] C:\WINDOWS\winwg.exe
O4 - HKLM\..\RunOnce: [msmn32.exe] C:\WINDOWS\msmn32.exe
O4 - HKLM\..\RunOnce: [atlbd32.exe] C:\WINDOWS\system32\atlbd32.exe
O4 - HKLM\..\RunOnce: [winll.exe] C:\WINDOWS\system32\winll.exe
O4 - HKLM\..\RunOnce: [addqa32.exe] C:\WINDOWS\system32\addqa32.exe
O4 - HKLM\..\RunOnce: [winfx32.exe] C:\WINDOWS\winfx32.exe
O4 - HKLM\..\RunOnce: [addnn32.exe] C:\WINDOWS\addnn32.exe
O4 - HKLM\..\RunOnce: [mfcrr.exe] C:\WINDOWS\system32\mfcrr.exe
O4 - HKLM\..\RunOnce: [atlsr32.exe] C:\WINDOWS\atlsr32.exe
O4 - HKLM\..\RunOnce: [mslk.exe] C:\WINDOWS\mslk.exe
O4 - HKLM\..\RunOnce: [sdkpo.exe] C:\WINDOWS\system32\sdkpo.exe
O4 - HKLM\..\RunOnce: [winyv32.exe] C:\WINDOWS\system32\winyv32.exe
O4 - HKLM\..\RunOnce: [d3pk.exe] C:\WINDOWS\d3pk.exe
O4 - HKLM\..\RunOnce: [ipoa32.exe] C:\WINDOWS\ipoa32.exe
O4 - HKLM\..\RunOnce: [atlmp32.exe] C:\WINDOWS\system32\atlmp32.exe
O4 - HKLM\..\RunOnce: [mfcmx.exe] C:\WINDOWS\system32\mfcmx.exe
O4 - HKLM\..\RunOnce: [appux.exe] C:\WINDOWS\system32\appux.exe
O4 - HKLM\..\RunOnce: [ntkv32.exe] C:\WINDOWS\ntkv32.exe
O4 - HKLM\..\RunOnce: [d3ac32.exe] C:\WINDOWS\system32\d3ac32.exe
O4 - HKLM\..\RunOnce: [sdkvg.exe] C:\WINDOWS\system32\sdkvg.exe
O4 - HKLM\..\RunOnce: [mfccv32.exe] C:\WINDOWS\system32\mfccv32.exe
O4 - HKLM\..\RunOnce: [winsl32.exe] C:\WINDOWS\winsl32.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\mfcor32.exe
O4 - HKLM\..\RunOnce: [crgv32.exe] C:\WINDOWS\crgv32.exe
O4 - HKLM\..\RunOnce: [ipwd.exe] C:\WINDOWS\system32\ipwd.exe
O4 - HKLM\..\RunOnce: [d3au.exe] C:\WINDOWS\system32\d3au.exe
O4 - HKLM\..\RunOnce: [netor.exe] C:\WINDOWS\system32\netor.exe
O4 - HKLM\..\RunOnce: [msic.exe] C:\WINDOWS\system32\msic.exe
O4 - HKLM\..\RunOnce: [crxs.exe] C:\WINDOWS\system32\crxs.exe
O4 - HKLM\..\RunOnce: [netik32.exe] C:\WINDOWS\netik32.exe
O4 - HKLM\..\RunOnce: [appgy32.exe] C:\WINDOWS\system32\appgy32.exe
O4 - HKLM\..\RunOnce: [atlsj.exe] C:\WINDOWS\atlsj.exe
O4 - HKLM\..\RunOnce: [ipwn.exe] C:\WINDOWS\ipwn.exe
O4 - HKLM\..\RunOnce: [crgo32.exe] C:\WINDOWS\crgo32.exe
O4 - HKLM\..\RunOnce: [iefv.exe] C:\WINDOWS\iefv.exe
O4 - HKLM\..\RunOnce: [atlaz32.exe] C:\WINDOWS\atlaz32.exe
O4 - HKLM\..\RunOnce: [winka.exe] C:\WINDOWS\winka.exe
O4 - HKLM\..\RunOnce: [ipti32.exe] C:\WINDOWS\ipti32.exe
O4 - HKLM\..\RunOnce: [ipid32.exe] C:\WINDOWS\system32\ipid32.exe
O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\javavf32.exe
O4 - HKLM\..\RunOnce: [atloy32.exe] C:\WINDOWS\atloy32.exe
O4 - HKLM\..\RunOnce: [mfcog32.exe] C:\WINDOWS\mfcog32.exe
O4 - HKLM\..\RunOnce: [sdkyh32.exe] C:\WINDOWS\sdkyh32.exe
O4 - HKLM\..\RunOnce: [appyp.exe] C:\WINDOWS\system32\appyp.exe
O4 - HKLM\..\RunOnce: [iect.exe] C:\WINDOWS\system32\iect.exe
O4 - HKLM\..\RunOnce: [mfcrq32.exe] C:\WINDOWS\mfcrq32.exe
O4 - HKLM\..\RunOnce: [iphx.exe] C:\WINDOWS\iphx.exe
O4 - HKLM\..\RunOnce: [d3lt32.exe] C:\WINDOWS\d3lt32.exe
O4 - HKLM\..\RunOnce: [addpl32.exe] C:\WINDOWS\system32\addpl32.exe
O4 - HKLM\..\RunOnce: [msob.exe] C:\WINDOWS\msob.exe
O4 - HKLM\..\RunOnce: [ipni32.exe] C:\WINDOWS\system32\ipni32.exe
O4 - HKLM\..\RunOnce: [atldy32.exe] C:\WINDOWS\atldy32.exe
O4 - HKLM\..\RunOnce: [mfclo.exe] C:\WINDOWS\mfclo.exe
O4 - HKLM\..\RunOnce: [msri32.exe] C:\WINDOWS\system32\msri32.exe
O4 - HKLM\..\RunOnce: [winvn.exe] C:\WINDOWS\system32\winvn.exe
O4 - HKLM\..\RunOnce: [sysen32.exe] C:\WINDOWS\sysen32.exe
O4 - HKLM\..\RunOnce: [ietk32.exe] C:\WINDOWS\system32\ietk32.exe
O4 - HKLM\..\RunOnce: [sdkyg32.exe] C:\WINDOWS\system32\sdkyg32.exe
O4 - HKLM\..\RunOnce: [systa32.exe] C:\WINDOWS\systa32.exe
O4 - HKLM\..\RunOnce: [ipqs32.exe] C:\WINDOWS\system32\ipqs32.exe
O4 - HKLM\..\RunOnce: [javavx.exe] C:\WINDOWS\javavx.exe
O4 - HKLM\..\RunOnce: [atljz.exe] C:\WINDOWS\system32\atljz.exe
O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\winnd.exe
O4 - HKLM\..\RunOnce: [apica32.exe] C:\WINDOWS\apica32.exe
O4 - HKLM\..\RunOnce: [sdksi.exe] C:\WINDOWS\sdksi.exe
O4 - HKLM\..\RunOnce: [mswm32.exe] C:\WINDOWS\system32\mswm32.exe
O4 - HKLM\..\RunOnce: [appbw32.exe] C:\WINDOWS\appbw32.exe
O4 - HKLM\..\RunOnce: [ierl32.exe] C:\WINDOWS\system32\ierl32.exe
O4 - HKLM\..\RunOnce: [javaev32.exe] C:\WINDOWS\javaev32.exe
O4 - HKLM\..\RunOnce: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe
O4 - HKLM\..\RunOnce: [netct.exe] C:\WINDOWS\netct.exe
O4 - HKLM\..\RunOnce: [ntjd32.exe] C:\WINDOWS\system32\ntjd32.exe
O4 - HKLM\..\RunOnce: [atlof.exe] C:\WINDOWS\atlof.exe
O4 - HKLM\..\RunOnce: [ntzl.exe] C:\WINDOWS\system32\ntzl.exe
O4 - HKLM\..\RunOnce: [appeg32.exe] C:\WINDOWS\appeg32.exe
O4 - HKLM\..\RunOnce: [atljy.exe] C:\WINDOWS\atljy.exe
O4 - HKLM\..\RunOnce: [nttv.exe] C:\WINDOWS\system32\nttv.exe
O4 - HKLM\..\RunOnce: [addei.exe] C:\WINDOWS\addei.exe
O4 - HKLM\..\RunOnce: [netxe32.exe] C:\WINDOWS\system32\netxe32.exe
O4 - HKLM\..\RunOnce: [appws32.exe] C:\WINDOWS\appws32.exe
O4 - HKLM\..\RunOnce: [ntta32.exe] C:\WINDOWS\ntta32.exe
O4 - HKLM\..\RunOnce: [ntjr.exe] C:\WINDOWS\system32\ntjr.exe
O4 - HKLM\..\RunOnce: [mfcbm.exe] C:\WINDOWS\system32\mfcbm.exe
O4 - HKLM\..\RunOnce: [sysog.exe] C:\WINDOWS\system32\sysog.exe
O4 - HKLM\..\RunOnce: [ntfo.exe] C:\WINDOWS\system32\ntfo.exe
O4 - HKLM\..\RunOnce: [ipom.exe] C:\WINDOWS\ipom.exe
O4 - HKLM\..\RunOnce: [appuo.exe] C:\WINDOWS\system32\appuo.exe
O4 - HKLM\..\RunOnce: [d3te32.exe] C:\WINDOWS\d3te32.exe
O4 - HKLM\..\RunOnce: [ipgy.exe] C:\WINDOWS\system32\ipgy.exe
O4 - HKLM\..\RunOnce: [addbb.exe] C:\WINDOWS\system32\addbb.exe
O4 - HKLM\..\RunOnce: [javahv.exe] C:\WINDOWS\javahv.exe
O4 - HKLM\..\RunOnce: [mfcdf.exe] C:\WINDOWS\system32\mfcdf.exe
O4 - HKLM\..\RunOnce: [sysji32.exe] C:\WINDOWS\sysji32.exe
O4 - HKLM\..\RunOnce: [apimr32.exe] C:\WINDOWS\system32\apimr32.exe
O4 - HKLM\..\RunOnce: [sdkdz.exe] C:\WINDOWS\system32\sdkdz.exe
O4 - HKLM\..\RunOnce: [atlib32.exe] C:\WINDOWS\atlib32.exe
O4 - HKLM\..\RunOnce: [apibm.exe] C:\WINDOWS\apibm.exe
O4 - HKLM\..\RunOnce: [sysho32.exe] C:\WINDOWS\system32\sysho32.exe
O4 - HKLM\..\RunOnce: [addaz.exe] C:\WINDOWS\system32\addaz.exe
O4 - HKLM\..\RunOnce: [crfu32.exe] C:\WINDOWS\crfu32.exe
O4 - HKLM\..\RunOnce: [apitw32.exe] C:\WINDOWS\system32\apitw32.exe
O4 - HKLM\..\RunOnce: [d3dc.exe] C:\WINDOWS\system32\d3dc.exe
O4 - HKLM\..\RunOnce: [sdknb.exe] C:\WINDOWS\system32\sdknb.exe
O4 - HKLM\..\RunOnce: [mfcsd32.exe] C:\WINDOWS\system32\mfcsd32.exe
O4 - HKLM\..\RunOnce: [syszq.exe] C:\WINDOWS\system32\syszq.exe
O4 - HKLM\..\RunOnce: [sdkfl32.exe] C:\WINDOWS\system32\sdkfl32.exe
O4 - HKLM\..\RunOnce: [javafb32.exe] C:\WINDOWS\system32\javafb32.exe
O4 - HKLM\..\RunOnce: [apisv32.exe] C:\WINDOWS\system32\apisv32.exe
O4 - HKLM\..\RunOnce: [javabv32.exe] C:\WINDOWS\javabv32.exe
O4 - HKLM\..\RunOnce: [mfchp.exe] C:\WINDOWS\system32\mfchp.exe
O4 - HKLM\..\RunOnce: [javawn32.exe] C:\WINDOWS\javawn32.exe
O4 - HKLM\..\RunOnce: [msmu.exe] C:\WINDOWS\msmu.exe
O4 - HKLM\..\RunOnce: [addqy32.exe] C:\WINDOWS\addqy32.exe
O4 - HKLM\..\RunOnce: [sysaz.exe] C:\WINDOWS\sysaz.exe
O4 - HKLM\..\RunOnce: [netjh.exe] C:\WINDOWS\netjh.exe
O4 - HKLM\..\RunOnce: [ieds32.exe] C:\WINDOWS\ieds32.exe
O4 - HKLM\..\RunOnce: [addta32.exe] C:\WINDOWS\addta32.exe
O4 - HKLM\..\RunOnce: [sdksj.exe] C:\WINDOWS\sdksj.exe
O4 - HKLM\..\RunOnce: [atlyd.exe] C:\WINDOWS\atlyd.exe
O4 - HKLM\..\RunOnce: [d3zr.exe] C:\WINDOWS\d3zr.exe
O4 - HKLM\..\RunOnce: [netel.exe] C:\WINDOWS\netel.exe
O4 - HKLM\..\RunOnce: [sysmr.exe] C:\WINDOWS\system32\sysmr.exe
O4 - HKLM\..\RunOnce: [javast.exe] C:\WINDOWS\javast.exe
O4 - HKLM\..\RunOnce: [addnd32.exe] C:\WINDOWS\addnd32.exe
O4 - HKLM\..\RunOnce: [d3sx.exe] C:\WINDOWS\system32\d3sx.exe
O4 - HKLM\..\RunOnce: [apppu32.exe] C:\WINDOWS\apppu32.exe
O4 - HKLM\..\RunOnce: [d3uo.exe] C:\WINDOWS\d3uo.exe
O4 - HKLM\..\RunOnce: [msal.exe] C:\WINDOWS\system32\msal.exe
O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\system32\ipff32.exe
O4 - HKLM\..\RunOnce: [netda32.exe] C:\WINDOWS\system32\netda32.exe
O4 - HKLM\..\RunOnce: [winjc.exe] C:\WINDOWS\system32\winjc.exe
O4 - HKLM\..\RunOnce: [ntdo.exe] C:\WINDOWS\ntdo.exe
O4 - HKLM\..\RunOnce: [atlii32.exe] C:\WINDOWS\atlii32.exe
O4 - HKLM\..\RunOnce: [netgp.exe] C:\WINDOWS\netgp.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O4 - HKLM\..\RunOnce: [netbe.exe] C:\WINDOWS\netbe.exe
O4 - HKLM\..\RunOnce: [apikf32.exe] C:\WINDOWS\system32\apikf32.exe
O4 - HKLM\..\RunOnce: [winqh.exe] C:\WINDOWS\system32\winqh.exe
O4 - HKLM\..\RunOnce: [mfcoc32.exe] C:\WINDOWS\system32\mfcoc32.exe
O4 - HKLM\..\RunOnce: [syscw.exe] C:\WINDOWS\syscw.exe
O4 - HKLM\..\RunOnce: [atlgy.exe] C:\WINDOWS\atlgy.exe
O4 - HKLM\..\RunOnce: [apphw.exe] C:\WINDOWS\system32\apphw.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\system32\ipuo.exe
O4 - HKLM\..\RunOnce: [apptc32.exe] C:\WINDOWS\system32\apptc32.exe
O4 - HKLM\..\RunOnce: [d3yw.exe] C:\WINDOWS\system32\d3yw.exe
O4 - HKLM\..\RunOnce: [iemy32.exe] C:\WINDOWS\iemy32.exe
O4 - HKLM\..\RunOnce: [crri.exe] C:\WINDOWS\system32\crri.exe
O4 - HKLM\..\RunOnce: [apiel32.exe] C:\WINDOWS\system32\apiel32.exe
O4 - HKLM\..\RunOnce: [netet.exe] C:\WINDOWS\system32\netet.exe
O4 - HKLM\..\RunOnce: [d3hc32.exe] C:\WINDOWS\system32\d3hc32.exe
O4 - HKLM\..\RunOnce: [ipne32.exe] C:\WINDOWS\system32\ipne32.exe
O4 - HKLM\..\RunOnce: [mslp.exe] C:\WINDOWS\mslp.exe
O4 - HKLM\..\RunOnce: [sdkpb.exe] C:\WINDOWS\system32\sdkpb.exe
O4 - HKLM\..\RunOnce: [mfcuv32.exe] C:\WINDOWS\mfcuv32.exe
O4 - HKLM\..\RunOnce: [appec.exe] C:\WINDOWS\appec.exe
O4 - HKLM\..\RunOnce: [ipcr32.exe] C:\WINDOWS\system32\ipcr32.exe
O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
O4 - HKLM\..\RunOnce: [apivt.exe] C:\WINDOWS\apivt.exe
O4 - HKLM\..\RunOnce: [appka.exe] C:\WINDOWS\system32\appka.exe
O4 - HKLM\..\RunOnce: [mspd32.exe] C:\WINDOWS\system32\mspd32.exe
O4 - HKLM\..\RunOnce: [winvf.exe] C:\WINDOWS\winvf.exe
O4 - HKLM\..\RunOnce: [javaiz32.exe] C:\WINDOWS\system32\javaiz32.exe
O4 - HKLM\..\RunOnce: [netnj32.exe] C:\WINDOWS\system32\netnj32.exe
O4 - HKLM\..\RunOnce: [applz32.exe] C:\WINDOWS\applz32.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [netqa32.exe] C:\WINDOWS\netqa32.exe
O4 - HKLM\..\RunOnce: [winvv.exe] C:\WINDOWS\system32\winvv.exe
O4 - HKLM\..\RunOnce: [netlq32.exe] C:\WINDOWS\netlq32.exe
O4 - HKLM\..\RunOnce: [addyk.exe] C:\WINDOWS\addyk.exe
O4 - HKLM\..\RunOnce: [syszk32.exe] C:\WINDOWS\system32\syszk32.exe
O4 - HKLM\..\RunOnce: [javaem.exe] C:\WINDOWS\system32\javaem.exe
O4 - HKLM\..\RunOnce: [ipiq.exe] C:\WINDOWS\system32\ipiq.exe
O4 - HKLM\..\RunOnce: [addns32.exe] C:\WINDOWS\system32\addns32.exe
O4 - HKLM\..\RunOnce: [mfcax.exe] C:\WINDOWS\system32\mfcax.exe
O4 - HKLM\..\RunOnce: [sysgr32.exe] C:\WINDOWS\system32\sysgr32.exe
O4 - HKLM\..\RunOnce: [crwg.exe] C:\WINDOWS\crwg.exe
O4 - HKLM\..\RunOnce: [apijj32.exe] C:\WINDOWS\apijj32.exe
O4 - HKLM\..\RunOnce: [winuz.exe] C:\WINDOWS\system32\winuz.exe
O4 - HKLM\..\RunOnce: [crzt32.exe] C:\WINDOWS\system32\crzt32.exe
O4 - HKLM\..\RunOnce: [addcf32.exe] C:\WINDOWS\system32\addcf32.exe
O4 - HKLM\..\RunOnce: [d3ih.exe] C:\WINDOWS\system32\d3ih.exe
O4 - HKLM\..\RunOnce: [iphv32.exe] C:\WINDOWS\system32\iphv32.exe
O4 - HKLM\..\RunOnce: [ippd32.exe] C:\WINDOWS\system32\ippd32.exe
O4 - HKLM\..\RunOnce: [appuf.exe] C:\WINDOWS\system32\appuf.exe
O4 - HKLM\..\RunOnce: [mfctn.exe] C:\WINDOWS\mfctn.exe
O4 - HKLM\..\RunOnce: [syszh.exe] C:\WINDOWS\system32\syszh.exe
O4 - HKLM\..\RunOnce: [mscr.exe] C:\WINDOWS\system32\mscr.exe
O4 - HKLM\..\RunOnce: [ipil32.exe] C:\WINDOWS\ipil32.exe
O4 - HKLM\..\RunOnce: [winit32.exe] C:\WINDOWS\system32\winit32.exe
O4 - HKLM\..\RunOnce: [javavn.exe] C:\WINDOWS\system32\javavn.exe
O4 - HKLM\..\RunOnce: [mfcgo.exe] C:\WINDOWS\mfcgo.exe
O4 - HKLM\..\RunOnce: [systi32.exe] C:\WINDOWS\system32\systi32.exe
O4 - HKLM\..\RunOnce: [wintq32.exe] C:\WINDOWS\system32\wintq32.exe
O4 - HKLM\..\RunOnce: [apien.exe] C:\WINDOWS\system32\apien.exe
O4 - HKLM\..\RunOnce: [iesr.exe] C:\WINDOWS\system32\iesr.exe
O4 - HKLM\..\RunOnce: [sdkxl32.exe] C:\WINDOWS\system32\sdkxl32.exe
O4 - HKLM\..\RunOnce: [winla.exe] C:\WINDOWS\system32\winla.exe
O4 - HKLM\..\RunOnce: [javarc32.exe] C:\WINDOWS\javarc32.exe
O4 - HKLM\..\RunOnce: [winuo.exe] C:\WINDOWS\system32\winuo.exe
O4 - HKLM\..\RunOnce: [crzi32.exe] C:\WINDOWS\crzi32.exe
O4 - HKLM\..\RunOnce: [ieen.exe] C:\WINDOWS\system32\ieen.exe
O4 - HKLM\..\RunOnce: [sdkjp32.exe] C:\WINDOWS\system32\sdkjp32.exe
O4 - HKLM\..\RunOnce: [mfche.exe] C:\WINDOWS\mfche.exe
O4 - HKLM\..\RunOnce: [sysgm32.exe] C:\WINDOWS\sysgm32.exe
O4 - HKLM\..\RunOnce: [apike32.exe] C:\WINDOWS\apike32.exe
O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
O4 - HKLM\..\RunOnce: [mswp32.exe] C:\WINDOWS\mswp32.exe
O4 - HKLM\..\RunOnce: [croq.exe] C:\WINDOWS\croq.exe
O4 - HKLM\..\RunOnce: [crtm32.exe] C:\WINDOWS\crtm32.exe
O4 - HKLM\..\RunOnce: [crib32.exe] C:\WINDOWS\system32\crib32.exe
O4 - HKLM\..\RunOnce: [apinf32.exe] C:\WINDOWS\apinf32.exe
O4 - HKLM\..\RunOnce: [crir32.exe] C:\WINDOWS\system32\crir32.exe
O4 - HKLM\..\RunOnce: [iemv.exe] C:\WINDOWS\iemv.exe
O4 - HKLM\..\RunOnce: [msvw32.exe] C:\WINDOWS\system32\msvw32.exe
O4 - HKLM\..\RunOnce: [d3cs32.exe] C:\WINDOWS\d3cs32.exe
O4 - HKLM\..\RunOnce: [ipgp.exe] C:\WINDOWS\system32\ipgp.exe
O4 - HKLM\..\RunOnce: [mfckb.exe] C:\WINDOWS\mfckb.exe
O4 - HKLM\..\RunOnce: [mfcnk32.exe] C:\WINDOWS\mfcnk32.exe
O4 - HKLM\..\RunOnce: [ieso32.exe] C:\WINDOWS\ieso32.exe
O4 - HKLM\..\RunOnce: [apina32.exe] C:\WINDOWS\system32\apina32.exe
O4 - HKLM\..\RunOnce: [ipse.exe] C:\WINDOWS\system32\ipse.exe
O4 - HKLM\..\RunOnce: [netaf32.exe] C:\WINDOWS\system32\netaf32.exe
O4 - HKLM\..\RunOnce: [nethc.exe] C:\WINDOWS\system32\nethc.exe
O4 - HKLM\..\RunOnce: [netvq.exe] C:\WINDOWS\system32\netvq.exe
O4 - HKLM\..\RunOnce: [sysav.exe] C:\WINDOWS\sysav.exe
O4 - HKLM\..\RunOnce: [ipug.exe] C:\WINDOWS\system32\ipug.exe
O4 - HKLM\..\RunOnce: [mfckn.exe] C:\WINDOWS\system32\mfckn.exe
O4 - HKLM\..\RunOnce: [winug32.exe] C:\WINDOWS\winug32.exe
O4 - HKLM\..\RunOnce: [addoz.exe] C:\WINDOWS\addoz.exe
O4 - HKLM\..\RunOnce: [msmn.exe] C:\WINDOWS\system32\msmn.exe
O4 - HKLM\..\RunOnce: [addir.exe] C:\WINDOWS\addir.exe
O4 - HKLM\..\RunOnce: [apibj32.exe] C:\WINDOWS\system32\apibj32.exe
O4 - HKLM\..\RunOnce: [ntrr.exe] C:\WINDOWS\system32\ntrr.exe
O4 - HKLM\..\RunOnce: [d3vv32.exe] C:\WINDOWS\d3vv32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\javafd.exe
O4 - HKLM\..\RunOnce: [crks32.exe] C:\WINDOWS\crks32.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\system32\javazp32.exe
O4 - HKLM\..\RunOnce: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\RunOnce: [crzf32.exe] C:\WINDOWS\system32\crzf32.exe
O4 - HKLM\..\RunOnce: [iedj.exe] C:\WINDOWS\iedj.exe
O4 - HKLM\..\RunOnce: [d3mj32.exe] C:\WINDOWS\system32\d3mj32.exe
O4 - HKLM\..\RunOnce: [netgb.exe] C:\WINDOWS\netgb.exe
O4 - HKLM\..\RunOnce: [ieam.exe] C:\WINDOWS\system32\ieam.exe
O4 - HKLM\..\RunOnce: [crqb.exe] C:\WINDOWS\system32\crqb.exe
O4 - HKLM\..\RunOnce: [netau32.exe] C:\WINDOWS\netau32.exe
O4 - HKLM\..\RunOnce: [nttf32.exe] C:\WINDOWS\system32\nttf32.exe
O4 - HKLM\..\RunOnce: [appyb32.exe] C:\WINDOWS\system32\appyb32.exe
O4 - HKLM\..\RunOnce: [sdktn.exe] C:\WINDOWS\sdktn.exe
O4 - HKLM\..\RunOnce: [apixz.exe] C:\WINDOWS\apixz.exe
O4 - HKLM\..\RunOnce: [crmo32.exe] C:\WINDOWS\system32\crmo32.exe
O4 - HKLM\..\RunOnce: [iedw.exe] C:\WINDOWS\system32\iedw.exe
O4 - HKLM\..\RunOnce: [atlha32.exe] C:\WINDOWS\system32\atlha32.exe
O4 - HKLM\..\RunOnce: [winqa.exe] C:\WINDOWS\system32\winqa.exe
O4 - HKLM\..\RunOnce: [addwx32.exe] C:\WINDOWS\system32\addwx32.exe
O4 - HKLM\..\RunOnce: [ntfd.exe] C:\WINDOWS\system32\ntfd.exe
O4 - HKLM\..\RunOnce: [ievs32.exe] C:\WINDOWS\ievs32.exe
O4 - HKLM\..\RunOnce: [addti.exe] C:\WINDOWS\addti.exe
O4 - HKLM\..\RunOnce: [apipe32.exe] C:\WINDOWS\system32\apipe32.exe
O4 - HKLM\..\RunOnce: [atlym.exe] C:\WINDOWS\atlym.exe
O4 - HKLM\..\RunOnce: [atlmb32.exe] C:\WINDOWS\system32\atlmb32.exe
O4 - HKLM\..\RunOnce: [atlsy32.exe] C:\WINDOWS\atlsy32.exe
O4 - HKLM\..\RunOnce: [msxc32.exe] C:\WINDOWS\msxc32.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
O4 - HKLM\..\RunOnce: [wines32.exe] C:\WINDOWS\system32\wines32.exe
O4 - HKLM\..\RunOnce: [d3uh.exe] C:\WINDOWS\d3uh.exe
O4 - HKLM\..\RunOnce: [iptx32.exe] C:\WINDOWS\iptx32.exe
O4 - HKLM\..\RunOnce: [msxg32.exe] C:\WINDOWS\system32\msxg32.exe
O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe
O4 - HKLM\..\RunOnce: [apirs.exe] C:\WINDOWS\apirs.exe
O4 - HKLM\..\RunOnce: [sdkct32.exe] C:\WINDOWS\system32\sdkct32.exe
O4 - HKLM\..\RunOnce: [d3aa.exe] C:\WINDOWS\d3aa.exe
O4 - HKLM\..\RunOnce: [winwe32.exe] C:\WINDOWS\winwe32.exe
O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\ieff.exe
O4 - HKLM\..\RunOnce: [apion.exe] C:\WINDOWS\system32\apion.exe
O4 - HKLM\..\RunOnce: [d3iy32.exe] C:\WINDOWS\d3iy32.exe
O4 - HKLM\..\RunOnce: [winzg32.exe] C:\WINDOWS\winzg32.exe
O4 - HKLM\..\RunOnce: [ieuk.exe] C:\WINDOWS\system32\ieuk.exe
O4 - HKLM\..\RunOnce: [d3xt32.exe] C:\WINDOWS\system32\d3xt32.exe
O4 - HKLM\..\RunOnce: [javasx.exe] C:\WINDOWS\javasx.exe
O4 - HKLM\..\RunOnce: [mfcrn32.exe] C:\WINDOWS\mfcrn32.exe
O4 - HKLM\..\RunOnce: [winqc32.exe] C:\WINDOWS\system32\winqc32.exe
O4 - HKLM\..\RunOnce: [addpk.exe] C:\WINDOWS\addpk.exe
O4 - HKLM\..\RunOnce: [winyk.exe] C:\WINDOWS\system32\winyk.exe
O4 - HKLM\..\RunOnce: [apioa32.exe] C:\WINDOWS\apioa32.exe
O4 - HKLM\..\RunOnce: [sdkep32.exe] C:\WINDOWS\sdkep32.exe
O4 - HKLM\..\RunOnce: [ipzt.exe] C:\WINDOWS\system32\ipzt.exe
O4 - HKLM\..\RunOnce: [addyi32.exe] C:\WINDOWS\system32\addyi32.exe
O4 - HKLM\..\RunOnce: [ntbs32.exe] C:\WINDOWS\ntbs32.exe
O4 - HKLM\..\RunOnce: [craz.exe] C:\WINDOWS\craz.exe
O4 - HKLM\..\RunOnce: [winwd32.exe] C:\WINDOWS\system32\winwd32.exe
O4 - HKLM\..\RunOnce: [msfe.exe] C:\WINDOWS\msfe.exe
O4 - HKLM\..\RunOnce: [ietb32.exe] C:\WINDOWS\system32\ietb32.exe
O4 - HKLM\..\RunOnce: [mszx32.exe] C:\WINDOWS\mszx32.exe
O4 - HKLM\..\RunOnce: [nteu32.exe] C:\WINDOWS\nteu32.exe
O4 - HKLM\..\RunOnce: [iehf32.exe] C:\WINDOWS\iehf32.exe
O4 - HKLM\..\RunOnce: [addmk.exe] C:\WINDOWS\system32\addmk.exe
O4 - HKLM\..\RunOnce: [winnk32.exe] C:\WINDOWS\winnk32.exe
O4 - HKLM\..\RunOnce: [sysbh32.exe] C:\WINDOWS\system32\sysbh32.exe
O4 - HKLM\..\RunOnce: [sdkgl.exe] C:\WINDOWS\system32\sdkgl.exe
O4 - HKLM\..\RunOnce: [addpj32.exe] C:\WINDOWS\system32\addpj32.exe
O4 - HKLM\..\RunOnce: [atluo32.exe] C:\WINDOWS\atluo32.exe
O4 - HKLM\..\RunOnce: [d3uw.exe] C:\WINDOWS\system32\d3uw.exe
O4 - HKLM\..\RunOnce: [sdkyi.exe] C:\WINDOWS\system32\sdkyi.exe
O4 - HKLM\..\RunOnce: [ienx32.exe] C:\WINDOWS\ienx32.exe
O4 - HKLM\..\RunOnce: [apple.exe] C:\WINDOWS\apple.exe
O4 - HKLM\..\RunOnce: [nethi32.exe] C:\WINDOWS\nethi32.exe
O4 - HKLM\..\RunOnce: [atlrj.exe] C:\WINDOWS\atlrj.exe
O4 - HKLM\..\RunOnce: [mfcff32.exe] C:\WINDOWS\mfcff32.exe
O4 - HKLM\..\RunOnce: [atltc32.exe] C:\WINDOWS\system32\atltc32.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\ieqz32.exe
O4 - HKLM\..\RunOnce: [mfctk32.exe] C:\WINDOWS\system32\mfctk32.exe
O4 - HKLM\..\RunOnce: [appdr32.exe] C:\WINDOWS\system32\appdr32.exe
O4 - HKLM\..\RunOnce: [ieby.exe] C:\WINDOWS\ieby.exe
O4 - HKLM\..\RunOnce: [ntao32.exe] C:\WINDOWS\ntao32.exe
O4 - HKLM\..\RunOnce: [mfcqd32.exe] C:\WINDOWS\system32\mfcqd32.exe
O4 - HKLM\..\RunOnce: [apiyl.exe] C:\WINDOWS\system32\apiyl.exe
O4 - HKLM\..\RunOnce: [mfczm.exe] C:\WINDOWS\system32\mfczm.exe
O4 - HKLM\..\RunOnce: [cris32.exe] C:\WINDOWS\system32\cris32.exe
O4 - HKLM\..\RunOnce: [ipgh.exe] C:\WINDOWS\ipgh.exe
O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\addfx32.exe
O4 - HKLM\..\RunOnce: [iedu.exe] C:\WINDOWS\system32\iedu.exe
O4 - HKLM\..\RunOnce: [msev.exe] C:\WINDOWS\msev.exe
O4 - HKLM\..\RunOnce: [appus32.exe] C:\WINDOWS\system32\appus32.exe
O4 - HKLM\..\RunOnce: [netsz32.exe] C:\WINDOWS\system32\netsz32.exe
O4 - HKLM\..\RunOnce: [mfcnd.exe] C:\WINDOWS\system32\mfcnd.exe
O4 - HKLM\..\RunOnce: [iemt32.exe] C:\WINDOWS\system32\iemt32.exe
O4 - HKLM\..\RunOnce: [javaki.exe] C:\WINDOWS\javaki.exe
O4 - HKLM\..\RunOnce: [sysos.exe] C:\WINDOWS\system32\sysos.exe
O4 - HKLM\..\RunOnce: [sdkux.exe] C:\WINDOWS\sdkux.exe
O4 - HKLM\..\RunOnce: [winoi.exe] C:\WINDOWS\winoi.exe
O4 - HKLM\..\RunOnce: [msep.exe] C:\WINDOWS\msep.exe
O4 - HKLM\..\RunOnce: [sdkoi32.exe] C:\WINDOWS\system32\sdkoi32.exe
O4 - HKLM\..\RunOnce: [javaib.exe] C:\WINDOWS\javaib.exe
O4 - HKLM\..\RunOnce: [iemf.exe] C:\WINDOWS\iemf.exe
O4 - HKLM\..\RunOnce: [appwy32.exe] C:\WINDOWS\appwy32.exe
O4 - HKLM\..\RunOnce: [mspp32.exe] C:\WINDOWS\system32\mspp32.exe
O4 - HKLM\..\RunOnce: [msvm32.exe] C:\WINDOWS\msvm32.exe
O4 - HKLM\..\RunOnce: [msdc.exe] C:\WINDOWS\msdc.exe
O4 - HKLM\..\RunOnce: [d3ec.exe] C:\WINDOWS\d3ec.exe
O4 - HKLM\..\RunOnce: [apptr32.exe] C:\WINDOWS\system32\apptr32.exe
O4 - HKLM\..\RunOnce: [apisz32.exe] C:\WINDOWS\apisz32.exe
O4 - HKLM\..\RunOnce: [atlnk.exe] C:\WINDOWS\atlnk.exe
O4 - HKLM\..\RunOnce: [iems32.exe] C:\WINDOWS\iems32.exe
O4 - HKLM\..\RunOnce: [javakh32.exe] C:\WINDOWS\system32\javakh32.exe
O4 - HKLM\..\RunOnce: [javakx.exe] C:\WINDOWS\system32\javakx.exe
O4 - HKLM\..\RunOnce: [addnh32.exe] C:\WINDOWS\addnh32.exe
O4 - HKLM\..\RunOnce: [appnp.exe] C:\WINDOWS\appnp.exe
O4 - HKLM\..\RunOnce: [winwp.exe] C:\WINDOWS\system32\winwp.exe
O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\netln32.exe
O4 - HKLM\..\RunOnce: [javacu32.exe] C:\WINDOWS\javacu32.exe
O4 - HKLM\..\RunOnce: [ntxy.exe] C:\WINDOWS\system32\ntxy.exe
O4 - HKLM\..\RunOnce: [appwn32.exe] C:\WINDOWS\appwn32.exe
O4 - HKLM\..\RunOnce: [ieud.exe] C:\WINDOWS\system32\ieud.exe
O4 - HKLM\..\RunOnce: [sdktt32.exe] C:\WINDOWS\system32\sdktt32.exe
O4 - HKLM\..\RunOnce: [apija32.exe] C:\WINDOWS\apija32.exe
O4 - HKLM\..\RunOnce: [apirq32.exe] C:\WINDOWS\apirq32.exe
O4 - HKLM\..\RunOnce: [javabj32.exe] C:\WINDOWS\system32\javabj32.exe
O4 - HKLM\..\RunOnce: [atlar.exe] C:\WINDOWS\atlar.exe
O4 - HKLM\..\RunOnce: [sysed.exe] C:\WINDOWS\system32\sysed.exe
O4 - HKLM\..\RunOnce: [winzm32.exe] C:\WINDOWS\system32\winzm32.exe
O4 - HKLM\..\RunOnce: [javaeq32.exe] C:\WINDOWS\system32\javaeq32.exe
O4 - HKLM\..\RunOnce: [winzc32.exe] C:\WINDOWS\winzc32.exe
O4 - HKLM\..\RunOnce: [atlmg.exe] C:\WINDOWS\atlmg.exe
O4 - HKLM\..\RunOnce: [appmg32.exe] C:\WINDOWS\appmg32.exe
O4 - HKLM\..\RunOnce: [addbd.exe] C:\WINDOWS\addbd.exe
O4 - HKLM\..\RunOnce: [appgs.exe] C:\WINDOWS\appgs.exe
O4 - HKLM\..\RunOnce: [cruw.exe] C:\WINDOWS\system32\cruw.exe
O4 - HKLM\..\RunOnce: [atloi.exe] C:\WINDOWS\atloi.exe
O4 - HKLM\..\RunOnce: [winep.exe] C:\WINDOWS\winep.exe
O4 - HKLM\..\RunOnce: [croi32.exe] C:\WINDOWS\system32\croi32.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\system32\msab.exe
O4 - HKLM\..\RunOnce: [addef.exe] C:\WINDOWS\addef.exe
O4 - HKLM\..\RunOnce: [apioy32.exe] C:\WINDOWS\system32\apioy32.exe
O4 - HKLM\..\RunOnce: [ntmn.exe] C:\WINDOWS\system32\ntmn.exe
O4 - HKLM\..\RunOnce: [d3ij32.exe] C:\WINDOWS\d3ij32.exe
O4 - HKLM\..\RunOnce: [addvb32.exe] C:\WINDOWS\addvb32.exe
O4 - HKLM\..\RunOnce: [mslr.exe] C:\WINDOWS\system32\mslr.exe
O4 - HKLM\..\RunOnce: [ntky32.exe] C:\WINDOWS\system32\ntky32.exe
O4 - HKLM\..\RunOnce: [mfcio32.exe] C:\WINDOWS\mfcio32.exe
O4 - HKLM\..\RunOnce: [apiie32.exe] C:\WINDOWS\apiie32.exe
O4 - HKLM\..\RunOnce: [javarw32.exe] C:\WINDOWS\system32\javarw32.exe
O4 - HKLM\..\RunOnce: [appre.exe] C:\WINDOWS\system32\appre.exe
O4 - HKLM\..\RunOnce: [sysvi.exe] C:\WINDOWS\system32\sysvi.exe
O4 - HKLM\..\RunOnce: [mfclg32.exe] C:\WINDOWS\mfclg32.exe
O4 - HKLM\..\RunOnce: [ntbn32.exe] C:\WINDOWS\ntbn32.exe
O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\system32\neter.exe
O4 - HKLM\..\RunOnce: [windg32.exe] C:\WINDOWS\windg32.exe
O4 - HKLM\..\RunOnce: [ipyq32.exe] C:\WINDOWS\ipyq32.exe
O4 - HKLM\..\RunOnce: [javaxy.exe] C:\WINDOWS\javaxy.exe
O4 - HKLM\..\RunOnce: [systc32.exe] C:\WINDOWS\systc32.exe
O4 - HKLM\..\RunOnce: [d3cc.exe] C:\WINDOWS\d3cc.exe
O4 - HKLM\..\RunOnce: [msqz32.exe] C:\WINDOWS\msqz32.exe
O4 - HKLM\..\RunOnce: [d3ww32.exe] C:\WINDOWS\d3ww32.exe
O4 - HKLM\..\RunOnce: [netbs32.exe] C:\WINDOWS\netbs32.exe
O4 - HKLM\..\RunOnce: [msee32.exe] C:\WINDOWS\system32\msee32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winyn32.exe" /s (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

Advertisements

#2
Trevuren
Posted 10 July 2005 - 11:13 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi coe and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"


3. Please send me a fresh HJT log then do not turn off your computer, or reboot it and try not to use the internet until I send you my response. The reason for this is that this little critter had a tendancy to morph every time one of those events occurs. See all the BHO's and RunOnce entries in your HJT log?

Regards,

Trevuren
  • 0

#3
coe
Posted 11 July 2005 - 12:29 PM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you for your reply, here is the fresh log:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:53 AM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\apiik32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {045AE71F-801F-4A71-C593-6529CE594056} - C:\WINDOWS\nttk32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {07DA44E0-3BFC-A455-CD97-F7B7B8790347} - C:\WINDOWS\mfcdx.dll
O2 - BHO: Class - {150DD6A2-741C-3AC1-86EF-B9F0211447BA} - C:\WINDOWS\mscx32.dll
O2 - BHO: Class - {176407B4-E211-4E16-BFFA-63C50AA24B06} - C:\WINDOWS\iegq32.dll
O2 - BHO: Class - {19F352CA-1BB9-DD56-81EF-9595DD355FD0} - C:\WINDOWS\system32\crcu.dll
O2 - BHO: Class - {1E5865E5-FF6F-A5FA-646C-038A3C2F5165} - C:\WINDOWS\system32\winkh32.dll
O2 - BHO: Class - {2CB91DCB-A5E9-DD47-0B46-E2380FC72EF2} - C:\WINDOWS\mfcpi32.dll
O2 - BHO: Class - {2FC735CE-855B-F1B2-A6ED-CAEA0E1EA230} - C:\WINDOWS\nthz.dll
O2 - BHO: Class - {30463195-A68F-5D9B-95C6-6E9E1788E6F2} - C:\WINDOWS\system32\iesb.dll
O2 - BHO: Class - {3EAF3A17-CC8D-5DC9-285D-C38B83233D28} - C:\WINDOWS\ieqs32.dll
O2 - BHO: Class - {40959590-5A08-A012-E5CC-72E14627D513} - C:\WINDOWS\mfcrs32.dll
O2 - BHO: Class - {5A23A6D7-97E3-2631-C5AA-E8733BB4E5DB} - C:\WINDOWS\crev32.dll
O2 - BHO: Class - {62883FE9-57A7-4A38-F908-7FA3F3C59429} - C:\WINDOWS\system32\javanz.dll
O2 - BHO: Class - {6518F4B3-A15F-E14C-71F3-61A49FC2A684} - C:\WINDOWS\system32\mfcnz.dll
O2 - BHO: Class - {66A15FEE-5E94-86FB-0CE6-EC4939529CDA} - C:\WINDOWS\mswj.dll
O2 - BHO: Class - {72763199-C2D7-3547-5C10-D62AF7ADE07C} - C:\WINDOWS\system32\apifm32.dll
O2 - BHO: Class - {7339C21E-5D1D-F6EF-29FC-8E7E97E8C4F9} - C:\WINDOWS\sdkxv32.dll
O2 - BHO: Class - {7C5F07FA-EE61-E2CA-7AC9-845516B1F196} - C:\WINDOWS\netjx.dll
O2 - BHO: Class - {8002B6F0-0D81-F712-A8F6-D0072EF4DAA2} - C:\WINDOWS\apivd32.dll
O2 - BHO: Class - {88260434-8547-32F0-C3AF-72B7C69C143F} - C:\WINDOWS\system32\syswm.dll
O2 - BHO: Class - {88CA47DE-D491-40E1-D009-5594D634627D} - C:\WINDOWS\sysix.dll
O2 - BHO: Class - {9414B585-09CB-B343-09D8-5DC5D2B786EF} - C:\WINDOWS\system32\atlao.dll
O2 - BHO: Class - {94FA607F-D21C-7B55-1D1B-1A9DE22BEE8D} - C:\WINDOWS\system32\appuu32.dll
O2 - BHO: Class - {9AB0AEAF-5C00-97B4-67EB-26FA674D4DA9} - C:\WINDOWS\system32\netlz.dll
O2 - BHO: Class - {A8955C5E-7D09-18F5-1D0E-99FB9B61BC16} - C:\WINDOWS\system32\addqb32.dll
O2 - BHO: Class - {A8F51229-8EF3-4D90-8BE3-E843327D6F95} - C:\WINDOWS\iere.dll
O2 - BHO: Class - {A96C5AC5-3757-499C-81C5-9CE344BBEFEC} - C:\WINDOWS\ipbd32.dll
O2 - BHO: Class - {A989B009-49B7-5A55-1A34-1D32EE1EA30B} - C:\WINDOWS\ntfq.dll
O2 - BHO: Class - {ABA388C5-AC45-44CB-9816-6536A674986F} - C:\WINDOWS\system32\sdkvu32.dll
O2 - BHO: Class - {AF3FF52D-6CB5-60E4-3DF7-76172788BE5E} - C:\WINDOWS\atlyf.dll
O2 - BHO: Class - {B012290B-F6CB-AE54-0C3F-C8D408BBF992} - C:\WINDOWS\system32\ieeh32.dll
O2 - BHO: Class - {B11BCDC9-1DD6-8BB6-933F-3824A67B8492} - C:\WINDOWS\appks32.dll
O2 - BHO: Class - {B849DA45-86A4-E0DA-DD53-02A7363DFCC4} - C:\WINDOWS\winmq32.dll
O2 - BHO: Class - {C10E70B6-0A9C-EFB9-C902-4055C2D7F322} - C:\WINDOWS\addst.dll
O2 - BHO: Class - {C211B80E-58BE-0087-621D-A487AE79FA25} - C:\WINDOWS\atlwd.dll
O2 - BHO: Class - {C2FA80DA-98A5-92AA-61BD-3EDED8569F27} - C:\WINDOWS\sysyw.dll
O2 - BHO: Class - {C8E09CC6-5143-0AEA-9C0D-D61F50C10ABA} - C:\WINDOWS\javalq.dll
O2 - BHO: Class - {CBE5F226-BD90-1454-83F4-2686C681720C} - C:\WINDOWS\system32\sdkgh.dll
O2 - BHO: Class - {CDF9636C-D75A-2630-DA17-CE41F76F5491} - C:\WINDOWS\sysud.dll
O2 - BHO: Class - {D8F86D1C-DCB4-B7F0-F514-1EC3928A742B} - C:\WINDOWS\addal.dll
O2 - BHO: Class - {E4406573-EB81-A46C-2815-B4F90C430E29} - C:\WINDOWS\system32\apprg.dll
O2 - BHO: Class - {EE5E8D85-5C41-AEAB-016D-094F74F518E8} - C:\WINDOWS\system32\ntrb.dll
O2 - BHO: Class - {F0E095A0-3EA9-8479-E393-7CB483F3BC0D} - C:\WINDOWS\system32\apiho.dll
O2 - BHO: Class - {F24066EC-902B-5FD0-38BE-FCBA8F762791} - C:\WINDOWS\winpy32.dll
O2 - BHO: Class - {F54252AB-AF1A-DA2D-3827-1F172DB2A621} - C:\WINDOWS\system32\crgf32.dll
O2 - BHO: Class - {F5E4007D-5064-4A70-D8DC-AF529CC13F3F} - C:\WINDOWS\system32\winos32.dll
O2 - BHO: Class - {F61C43C0-8F6A-C654-1213-B906276F3ADF} - C:\WINDOWS\msli32.dll
O2 - BHO: Class - {F9B1B847-EF94-1E89-A740-CBCBD8346C87} - C:\WINDOWS\system32\msaw32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [apiik32.exe] C:\WINDOWS\system32\apiik32.exe
O4 - HKLM\..\RunOnce: [iedj.exe] C:\WINDOWS\iedj.exe
O4 - HKLM\..\RunOnce: [d3mj32.exe] C:\WINDOWS\system32\d3mj32.exe
O4 - HKLM\..\RunOnce: [netgb.exe] C:\WINDOWS\netgb.exe
O4 - HKLM\..\RunOnce: [ieam.exe] C:\WINDOWS\system32\ieam.exe
O4 - HKLM\..\RunOnce: [crqb.exe] C:\WINDOWS\system32\crqb.exe
O4 - HKLM\..\RunOnce: [netau32.exe] C:\WINDOWS\netau32.exe
O4 - HKLM\..\RunOnce: [nttf32.exe] C:\WINDOWS\system32\nttf32.exe
O4 - HKLM\..\RunOnce: [appyb32.exe] C:\WINDOWS\system32\appyb32.exe
O4 - HKLM\..\RunOnce: [sdktn.exe] C:\WINDOWS\sdktn.exe
O4 - HKLM\..\RunOnce: [apixz.exe] C:\WINDOWS\apixz.exe
O4 - HKLM\..\RunOnce: [crmo32.exe] C:\WINDOWS\system32\crmo32.exe
O4 - HKLM\..\RunOnce: [iedw.exe] C:\WINDOWS\system32\iedw.exe
O4 - HKLM\..\RunOnce: [atlha32.exe] C:\WINDOWS\system32\atlha32.exe
O4 - HKLM\..\RunOnce: [winqa.exe] C:\WINDOWS\system32\winqa.exe
O4 - HKLM\..\RunOnce: [addwx32.exe] C:\WINDOWS\system32\addwx32.exe
O4 - HKLM\..\RunOnce: [ntfd.exe] C:\WINDOWS\system32\ntfd.exe
O4 - HKLM\..\RunOnce: [ievs32.exe] C:\WINDOWS\ievs32.exe
O4 - HKLM\..\RunOnce: [addti.exe] C:\WINDOWS\addti.exe
O4 - HKLM\..\RunOnce: [apipe32.exe] C:\WINDOWS\system32\apipe32.exe
O4 - HKLM\..\RunOnce: [atlym.exe] C:\WINDOWS\atlym.exe
O4 - HKLM\..\RunOnce: [atlmb32.exe] C:\WINDOWS\system32\atlmb32.exe
O4 - HKLM\..\RunOnce: [atlsy32.exe] C:\WINDOWS\atlsy32.exe
O4 - HKLM\..\RunOnce: [msxc32.exe] C:\WINDOWS\msxc32.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
O4 - HKLM\..\RunOnce: [wines32.exe] C:\WINDOWS\system32\wines32.exe
O4 - HKLM\..\RunOnce: [d3uh.exe] C:\WINDOWS\d3uh.exe
O4 - HKLM\..\RunOnce: [iptx32.exe] C:\WINDOWS\iptx32.exe
O4 - HKLM\..\RunOnce: [msxg32.exe] C:\WINDOWS\system32\msxg32.exe
O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe
O4 - HKLM\..\RunOnce: [apirs.exe] C:\WINDOWS\apirs.exe
O4 - HKLM\..\RunOnce: [sdkct32.exe] C:\WINDOWS\system32\sdkct32.exe
O4 - HKLM\..\RunOnce: [d3aa.exe] C:\WINDOWS\d3aa.exe
O4 - HKLM\..\RunOnce: [winwe32.exe] C:\WINDOWS\winwe32.exe
O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\ieff.exe
O4 - HKLM\..\RunOnce: [apion.exe] C:\WINDOWS\system32\apion.exe
O4 - HKLM\..\RunOnce: [d3iy32.exe] C:\WINDOWS\d3iy32.exe
O4 - HKLM\..\RunOnce: [winzg32.exe] C:\WINDOWS\winzg32.exe
O4 - HKLM\..\RunOnce: [ieuk.exe] C:\WINDOWS\system32\ieuk.exe
O4 - HKLM\..\RunOnce: [d3xt32.exe] C:\WINDOWS\system32\d3xt32.exe
O4 - HKLM\..\RunOnce: [javasx.exe] C:\WINDOWS\javasx.exe
O4 - HKLM\..\RunOnce: [mfcrn32.exe] C:\WINDOWS\mfcrn32.exe
O4 - HKLM\..\RunOnce: [winqc32.exe] C:\WINDOWS\system32\winqc32.exe
O4 - HKLM\..\RunOnce: [addpk.exe] C:\WINDOWS\addpk.exe
O4 - HKLM\..\RunOnce: [winyk.exe] C:\WINDOWS\system32\winyk.exe
O4 - HKLM\..\RunOnce: [apioa32.exe] C:\WINDOWS\apioa32.exe
O4 - HKLM\..\RunOnce: [sdkep32.exe] C:\WINDOWS\sdkep32.exe
O4 - HKLM\..\RunOnce: [ipzt.exe] C:\WINDOWS\system32\ipzt.exe
O4 - HKLM\..\RunOnce: [addyi32.exe] C:\WINDOWS\system32\addyi32.exe
O4 - HKLM\..\RunOnce: [ntbs32.exe] C:\WINDOWS\ntbs32.exe
O4 - HKLM\..\RunOnce: [craz.exe] C:\WINDOWS\craz.exe
O4 - HKLM\..\RunOnce: [winwd32.exe] C:\WINDOWS\system32\winwd32.exe
O4 - HKLM\..\RunOnce: [msfe.exe] C:\WINDOWS\msfe.exe
O4 - HKLM\..\RunOnce: [ietb32.exe] C:\WINDOWS\system32\ietb32.exe
O4 - HKLM\..\RunOnce: [mszx32.exe] C:\WINDOWS\mszx32.exe
O4 - HKLM\..\RunOnce: [nteu32.exe] C:\WINDOWS\nteu32.exe
O4 - HKLM\..\RunOnce: [iehf32.exe] C:\WINDOWS\iehf32.exe
O4 - HKLM\..\RunOnce: [addmk.exe] C:\WINDOWS\system32\addmk.exe
O4 - HKLM\..\RunOnce: [winnk32.exe] C:\WINDOWS\winnk32.exe
O4 - HKLM\..\RunOnce: [sysbh32.exe] C:\WINDOWS\system32\sysbh32.exe
O4 - HKLM\..\RunOnce: [sdkgl.exe] C:\WINDOWS\system32\sdkgl.exe
O4 - HKLM\..\RunOnce: [addpj32.exe] C:\WINDOWS\system32\addpj32.exe
O4 - HKLM\..\RunOnce: [atluo32.exe] C:\WINDOWS\atluo32.exe
O4 - HKLM\..\RunOnce: [d3uw.exe] C:\WINDOWS\system32\d3uw.exe
O4 - HKLM\..\RunOnce: [sdkyi.exe] C:\WINDOWS\system32\sdkyi.exe
O4 - HKLM\..\RunOnce: [ienx32.exe] C:\WINDOWS\ienx32.exe
O4 - HKLM\..\RunOnce: [apple.exe] C:\WINDOWS\apple.exe
O4 - HKLM\..\RunOnce: [nethi32.exe] C:\WINDOWS\nethi32.exe
O4 - HKLM\..\RunOnce: [atlrj.exe] C:\WINDOWS\atlrj.exe
O4 - HKLM\..\RunOnce: [mfcff32.exe] C:\WINDOWS\mfcff32.exe
O4 - HKLM\..\RunOnce: [atltc32.exe] C:\WINDOWS\system32\atltc32.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\ieqz32.exe
O4 - HKLM\..\RunOnce: [mfctk32.exe] C:\WINDOWS\system32\mfctk32.exe
O4 - HKLM\..\RunOnce: [appdr32.exe] C:\WINDOWS\system32\appdr32.exe
O4 - HKLM\..\RunOnce: [ieby.exe] C:\WINDOWS\ieby.exe
O4 - HKLM\..\RunOnce: [ntao32.exe] C:\WINDOWS\ntao32.exe
O4 - HKLM\..\RunOnce: [mfcqd32.exe] C:\WINDOWS\system32\mfcqd32.exe
O4 - HKLM\..\RunOnce: [apiyl.exe] C:\WINDOWS\system32\apiyl.exe
O4 - HKLM\..\RunOnce: [mfczm.exe] C:\WINDOWS\system32\mfczm.exe
O4 - HKLM\..\RunOnce: [cris32.exe] C:\WINDOWS\system32\cris32.exe
O4 - HKLM\..\RunOnce: [ipgh.exe] C:\WINDOWS\ipgh.exe
O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\addfx32.exe
O4 - HKLM\..\RunOnce: [iedu.exe] C:\WINDOWS\system32\iedu.exe
O4 - HKLM\..\RunOnce: [msev.exe] C:\WINDOWS\msev.exe
O4 - HKLM\..\RunOnce: [appus32.exe] C:\WINDOWS\system32\appus32.exe
O4 - HKLM\..\RunOnce: [netsz32.exe] C:\WINDOWS\system32\netsz32.exe
O4 - HKLM\..\RunOnce: [mfcnd.exe] C:\WINDOWS\system32\mfcnd.exe
O4 - HKLM\..\RunOnce: [iemt32.exe] C:\WINDOWS\system32\iemt32.exe
O4 - HKLM\..\RunOnce: [javaki.exe] C:\WINDOWS\javaki.exe
O4 - HKLM\..\RunOnce: [sysos.exe] C:\WINDOWS\system32\sysos.exe
O4 - HKLM\..\RunOnce: [sdkux.exe] C:\WINDOWS\sdkux.exe
O4 - HKLM\..\RunOnce: [winoi.exe] C:\WINDOWS\winoi.exe
O4 - HKLM\..\RunOnce: [msep.exe] C:\WINDOWS\msep.exe
O4 - HKLM\..\RunOnce: [sdkoi32.exe] C:\WINDOWS\system32\sdkoi32.exe
O4 - HKLM\..\RunOnce: [javaib.exe] C:\WINDOWS\javaib.exe
O4 - HKLM\..\RunOnce: [iemf.exe] C:\WINDOWS\iemf.exe
O4 - HKLM\..\RunOnce: [appwy32.exe] C:\WINDOWS\appwy32.exe
O4 - HKLM\..\RunOnce: [mspp32.exe] C:\WINDOWS\system32\mspp32.exe
O4 - HKLM\..\RunOnce: [msvm32.exe] C:\WINDOWS\msvm32.exe
O4 - HKLM\..\RunOnce: [msdc.exe] C:\WINDOWS\msdc.exe
O4 - HKLM\..\RunOnce: [d3ec.exe] C:\WINDOWS\d3ec.exe
O4 - HKLM\..\RunOnce: [apptr32.exe] C:\WINDOWS\system32\apptr32.exe
O4 - HKLM\..\RunOnce: [apisz32.exe] C:\WINDOWS\apisz32.exe
O4 - HKLM\..\RunOnce: [atlnk.exe] C:\WINDOWS\atlnk.exe
O4 - HKLM\..\RunOnce: [iems32.exe] C:\WINDOWS\iems32.exe
O4 - HKLM\..\RunOnce: [javakh32.exe] C:\WINDOWS\system32\javakh32.exe
O4 - HKLM\..\RunOnce: [javakx.exe] C:\WINDOWS\system32\javakx.exe
O4 - HKLM\..\RunOnce: [addnh32.exe] C:\WINDOWS\addnh32.exe
O4 - HKLM\..\RunOnce: [appnp.exe] C:\WINDOWS\appnp.exe
O4 - HKLM\..\RunOnce: [winwp.exe] C:\WINDOWS\system32\winwp.exe
O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\netln32.exe
O4 - HKLM\..\RunOnce: [javacu32.exe] C:\WINDOWS\javacu32.exe
O4 - HKLM\..\RunOnce: [ntxy.exe] C:\WINDOWS\system32\ntxy.exe
O4 - HKLM\..\RunOnce: [appwn32.exe] C:\WINDOWS\appwn32.exe
O4 - HKLM\..\RunOnce: [ieud.exe] C:\WINDOWS\system32\ieud.exe
O4 - HKLM\..\RunOnce: [sdktt32.exe] C:\WINDOWS\system32\sdktt32.exe
O4 - HKLM\..\RunOnce: [apija32.exe] C:\WINDOWS\apija32.exe
O4 - HKLM\..\RunOnce: [apirq32.exe] C:\WINDOWS\apirq32.exe
O4 - HKLM\..\RunOnce: [javabj32.exe] C:\WINDOWS\system32\javabj32.exe
O4 - HKLM\..\RunOnce: [atlar.exe] C:\WINDOWS\atlar.exe
O4 - HKLM\..\RunOnce: [sysed.exe] C:\WINDOWS\system32\sysed.exe
O4 - HKLM\..\RunOnce: [winzm32.exe] C:\WINDOWS\system32\winzm32.exe
O4 - HKLM\..\RunOnce: [javaeq32.exe] C:\WINDOWS\system32\javaeq32.exe
O4 - HKLM\..\RunOnce: [winzc32.exe] C:\WINDOWS\winzc32.exe
O4 - HKLM\..\RunOnce: [atlmg.exe] C:\WINDOWS\atlmg.exe
O4 - HKLM\..\RunOnce: [appmg32.exe] C:\WINDOWS\appmg32.exe
O4 - HKLM\..\RunOnce: [addbd.exe] C:\WINDOWS\addbd.exe
O4 - HKLM\..\RunOnce: [appgs.exe] C:\WINDOWS\appgs.exe
O4 - HKLM\..\RunOnce: [cruw.exe] C:\WINDOWS\system32\cruw.exe
O4 - HKLM\..\RunOnce: [atloi.exe] C:\WINDOWS\atloi.exe
O4 - HKLM\..\RunOnce: [winep.exe] C:\WINDOWS\winep.exe
O4 - HKLM\..\RunOnce: [croi32.exe] C:\WINDOWS\system32\croi32.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\system32\msab.exe
O4 - HKLM\..\RunOnce: [addef.exe] C:\WINDOWS\addef.exe
O4 - HKLM\..\RunOnce: [apioy32.exe] C:\WINDOWS\system32\apioy32.exe
O4 - HKLM\..\RunOnce: [ntmn.exe] C:\WINDOWS\system32\ntmn.exe
O4 - HKLM\..\RunOnce: [d3ij32.exe] C:\WINDOWS\d3ij32.exe
O4 - HKLM\..\RunOnce: [addvb32.exe] C:\WINDOWS\addvb32.exe
O4 - HKLM\..\RunOnce: [mslr.exe] C:\WINDOWS\system32\mslr.exe
O4 - HKLM\..\RunOnce: [ntky32.exe] C:\WINDOWS\system32\ntky32.exe
O4 - HKLM\..\RunOnce: [mfcio32.exe] C:\WINDOWS\mfcio32.exe
O4 - HKLM\..\RunOnce: [apiie32.exe] C:\WINDOWS\apiie32.exe
O4 - HKLM\..\RunOnce: [javarw32.exe] C:\WINDOWS\system32\javarw32.exe
O4 - HKLM\..\RunOnce: [appre.exe] C:\WINDOWS\system32\appre.exe
O4 - HKLM\..\RunOnce: [sysvi.exe] C:\WINDOWS\system32\sysvi.exe
O4 - HKLM\..\RunOnce: [mfclg32.exe] C:\WINDOWS\mfclg32.exe
O4 - HKLM\..\RunOnce: [ntbn32.exe] C:\WINDOWS\ntbn32.exe
O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\system32\neter.exe
O4 - HKLM\..\RunOnce: [windg32.exe] C:\WINDOWS\windg32.exe
O4 - HKLM\..\RunOnce: [ipyq32.exe] C:\WINDOWS\ipyq32.exe
O4 - HKLM\..\RunOnce: [javaxy.exe] C:\WINDOWS\javaxy.exe
O4 - HKLM\..\RunOnce: [systc32.exe] C:\WINDOWS\systc32.exe
O4 - HKLM\..\RunOnce: [d3cc.exe] C:\WINDOWS\d3cc.exe
O4 - HKLM\..\RunOnce: [msqz32.exe] C:\WINDOWS\msqz32.exe
O4 - HKLM\..\RunOnce: [d3ww32.exe] C:\WINDOWS\d3ww32.exe
O4 - HKLM\..\RunOnce: [netbs32.exe] C:\WINDOWS\netbs32.exe
O4 - HKLM\..\RunOnce: [msee32.exe] C:\WINDOWS\system32\msee32.exe
O4 - HKLM\..\RunOnce: [winji.exe] C:\WINDOWS\system32\winji.exe
O4 - HKLM\..\RunOnce: [iekq32.exe] C:\WINDOWS\system32\iekq32.exe
O4 - HKLM\..\RunOnce: [ieyf32.exe] C:\WINDOWS\system32\ieyf32.exe
O4 - HKLM\..\RunOnce: [ntdj.exe] C:\WINDOWS\system32\ntdj.exe
O4 - HKLM\..\RunOnce: [sysmp.exe] C:\WINDOWS\system32\sysmp.exe
O4 - HKLM\..\RunOnce: [d3qt32.exe] C:\WINDOWS\d3qt32.exe
O4 - HKLM\..\RunOnce: [javalf32.exe] C:\WINDOWS\system32\javalf32.exe
O4 - HKLM\..\RunOnce: [iejv.exe] C:\WINDOWS\iejv.exe
O4 - HKLM\..\RunOnce: [ippr32.exe] C:\WINDOWS\ippr32.exe
O4 - HKLM\..\RunOnce: [sdkik32.exe] C:\WINDOWS\sdkik32.exe
O4 - HKLM\..\RunOnce: [atlnh32.exe] C:\WINDOWS\system32\atlnh32.exe
O4 - HKLM\..\RunOnce: [javais.exe] C:\WINDOWS\javais.exe
O4 - HKLM\..\RunOnce: [netme32.exe] C:\WINDOWS\system32\netme32.exe
O4 - HKLM\..\RunOnce: [appku.exe] C:\WINDOWS\appku.exe
O4 - HKLM\..\RunOnce: [msjc32.exe] C:\WINDOWS\msjc32.exe
O4 - HKLM\..\RunOnce: [sdkzr32.exe] C:\WINDOWS\system32\sdkzr32.exe
O4 - HKLM\..\RunOnce: [ipdb.exe] C:\WINDOWS\ipdb.exe
O4 - HKLM\..\RunOnce: [ntjf.exe] C:\WINDOWS\ntjf.exe
O4 - HKLM\..\RunOnce: [sdkwc32.exe] C:\WINDOWS\sdkwc32.exe
O4 - HKLM\..\RunOnce: [sdklr32.exe] C:\WINDOWS\system32\sdklr32.exe
O4 - HKLM\..\RunOnce: [atlqv32.exe] C:\WINDOWS\atlqv32.exe
O4 - HKLM\..\RunOnce: [sdklh32.exe] C:\WINDOWS\system32\sdklh32.exe
O4 - HKLM\..\RunOnce: [d3pl.exe] C:\WINDOWS\system32\d3pl.exe
O4 - HKLM\..\RunOnce: [cryl32.exe] C:\WINDOWS\system32\cryl32.exe
O4 - HKLM\..\RunOnce: [javafi.exe] C:\WINDOWS\system32\javafi.exe
O4 - HKLM\..\RunOnce: [msmo.exe] C:\WINDOWS\system32\msmo.exe
O4 - HKLM\..\RunOnce: [javacd.exe] C:\WINDOWS\javacd.exe
O4 - HKLM\..\RunOnce: [apimw32.exe] C:\WINDOWS\apimw32.exe
O4 - HKLM\..\RunOnce: [netxh32.exe] C:\WINDOWS\system32\netxh32.exe
O4 - HKLM\..\RunOnce: [addcl32.exe] C:\WINDOWS\system32\addcl32.exe
O4 - HKLM\..\RunOnce: [ipfx.exe] C:\WINDOWS\system32\ipfx.exe
O4 - HKLM\..\RunOnce: [mfcjb.exe] C:\WINDOWS\mfcjb.exe
O4 - HKLM\..\RunOnce: [javazy32.exe] C:\WINDOWS\system32\javazy32.exe
O4 - HKLM\..\RunOnce: [mspf.exe] C:\WINDOWS\system32\mspf.exe
O4 - HKLM\..\RunOnce: [sdknt.exe] C:\WINDOWS\sdknt.exe
O4 - HKLM\..\RunOnce: [msjp.exe] C:\WINDOWS\system32\msjp.exe
O4 - HKLM\..\RunOnce: [addcq32.exe] C:\WINDOWS\addcq32.exe
O4 - HKLM\..\RunOnce: [mfcsx.exe] C:\WINDOWS\system32\mfcsx.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\system32\sdkwb32.exe
O4 - HKLM\..\RunOnce: [netgc.exe] C:\WINDOWS\system32\netgc.exe
O4 - HKLM\..\RunOnce: [iply32.exe] C:\WINDOWS\system32\iply32.exe
O4 - HKLM\..\RunOnce: [netav32.exe] C:\WINDOWS\netav32.exe
O4 - HKLM\..\RunOnce: [crkt.exe] C:\WINDOWS\system32\crkt.exe
O4 - HKLM\..\RunOnce: [syscm.exe] C:\WINDOWS\system32\syscm.exe
O4 - HKLM\..\RunOnce: [ntuu32.exe] C:\WINDOWS\system32\ntuu32.exe
O4 - HKLM\..\RunOnce: [sysij.exe] C:\WINDOWS\system32\sysij.exe
O4 - HKLM\..\RunOnce: [apphr.exe] C:\WINDOWS\apphr.exe
O4 - HKLM\..\RunOnce: [apisr.exe] C:\WINDOWS\system32\apisr.exe
O4 - HKLM\..\RunOnce: [sysrz32.exe] C:\WINDOWS\system32\sysrz32.exe
O4 - HKLM\..\RunOnce: [netxo32.exe] C:\WINDOWS\netxo32.exe
O4 - HKLM\..\RunOnce: [iefo.exe] C:\WINDOWS\system32\iefo.exe
O4 - HKLM\..\RunOnce: [crba.exe] C:\WINDOWS\crba.exe
O4 - HKLM\..\RunOnce: [crer32.exe] C:\WINDOWS\system32\crer32.exe
O4 - HKLM\..\RunOnce: [netjo32.exe] C:\WINDOWS\netjo32.exe
O4 - HKLM\..\RunOnce: [d3ez32.exe] C:\WINDOWS\system32\d3ez32.exe
O4 - HKLM\..\RunOnce: [sysie.exe] C:\WINDOWS\system32\sysie.exe
O4 - HKLM\..\RunOnce: [iere32.exe] C:\WINDOWS\system32\iere32.exe
O4 - HKLM\..\RunOnce: [msgb.exe] C:\WINDOWS\system32\msgb.exe
O4 - HKLM\..\RunOnce: [ielx.exe] C:\WINDOWS\system32\ielx.exe
O4 - HKLM\..\RunOnce: [ipru.exe] C:\WINDOWS\ipru.exe
O4 - HKLM\..\RunOnce: [syslf.exe] C:\WINDOWS\system32\syslf.exe
O4 - HKLM\..\RunOnce: [d3bv.exe] C:\WINDOWS\system32\d3bv.exe
O4 - HKLM\..\RunOnce: [ipln32.exe] C:\WINDOWS\ipln32.exe
O4 - HKLM\..\RunOnce: [atlkb32.exe] C:\WINDOWS\system32\atlkb32.exe
O4 - HKLM\..\RunOnce: [mfcdm.exe] C:\WINDOWS\system32\mfcdm.exe
O4 - HKLM\..\RunOnce: [sdkzq.exe] C:\WINDOWS\sdkzq.exe
O4 - HKLM\..\RunOnce: [d3sr32.exe] C:\WINDOWS\system32\d3sr32.exe
O4 - HKLM\..\RunOnce: [winiy.exe] C:\WINDOWS\system32\winiy.exe
O4 - HKLM\..\RunOnce: [mfcmc.exe] C:\WINDOWS\mfcmc.exe
O4 - HKLM\..\RunOnce: [ntwv32.exe] C:\WINDOWS\system32\ntwv32.exe
O4 - HKLM\..\RunOnce: [cruk.exe] C:\WINDOWS\cruk.exe
O4 - HKLM\..\RunOnce: [sysqh32.exe] C:\WINDOWS\sysqh32.exe
O4 - HKLM\..\RunOnce: [msap.exe] C:\WINDOWS\msap.exe
O4 - HKLM\..\RunOnce: [msge32.exe] C:\WINDOWS\msge32.exe
O4 - HKLM\..\RunOnce: [msub32.exe] C:\WINDOWS\system32\msub32.exe
O4 - HKLM\..\RunOnce: [appez.exe] C:\WINDOWS\appez.exe
O4 - HKLM\..\RunOnce: [apixa.exe] C:\WINDOWS\system32\apixa.exe
O4 - HKLM\..\RunOnce: [syswa32.exe] C:\WINDOWS\syswa32.exe
O4 - HKLM\..\RunOnce: [netco.exe] C:\WINDOWS\netco.exe
O4 - HKLM\..\RunOnce: [ntbe.exe] C:\WINDOWS\system32\ntbe.exe
O4 - HKLM\..\RunOnce: [d3mx.exe] C:\WINDOWS\d3mx.exe
O4 - HKLM\..\RunOnce: [netlf32.exe] C:\WINDOWS\netlf32.exe
O4 - HKLM\..\RunOnce: [msau32.exe] C:\WINDOWS\system32\msau32.exe
O4 - HKLM\..\RunOnce: [ipeq32.exe] C:\WINDOWS\system32\ipeq32.exe
O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe
O4 - HKLM\..\RunOnce: [javado32.exe] C:\WINDOWS\javado32.exe
O4 - HKLM\..\RunOnce: [ipnm.exe] C:\WINDOWS\ipnm.exe
O4 - HKLM\..\RunOnce: [netwm.exe] C:\WINDOWS\netwm.exe
O4 - HKLM\..\RunOnce: [syscr32.exe] C:\WINDOWS\syscr32.exe
O4 - HKLM\..\RunOnce: [msfv.exe] C:\WINDOWS\msfv.exe
O4 - HKLM\..\RunOnce: [crae32.exe] C:\WINDOWS\system32\crae32.exe
O4 - HKLM\..\RunOnce: [sdkwi.exe] C:\WINDOWS\system32\sdkwi.exe
O4 - HKLM\..\RunOnce: [mfcvy32.exe] C:\WINDOWS\system32\mfcvy32.exe
O4 - HKLM\..\RunOnce: [winyn32.exe] C:\WINDOWS\winyn32.exe
O4 - HKLM\..\RunOnce: [mfcmq.exe] C:\WINDOWS\system32\mfcmq.exe
O4 - HKLM\..\RunOnce: [appcl.exe] C:\WINDOWS\system32\appcl.exe
O4 - HKLM\..\RunOnce: [netgp32.exe] C:\WINDOWS\netgp32.exe
O4 - HKLM\..\RunOnce: [adddv32.exe] C:\WINDOWS\system32\adddv32.exe
O4 - HKLM\..\RunOnce: [netce.exe] C:\WINDOWS\system32\netce.exe
O4 - HKLM\..\RunOnce: [syskc32.exe] C:\WINDOWS\syskc32.exe
O4 - HKLM\..\RunOnce: [sdkqe.exe] C:\WINDOWS\sdkqe.exe
O4 - HKLM\..\RunOnce: [netft.exe] C:\WINDOWS\netft.exe
O4 - HKLM\..\RunOnce: [addko32.exe] C:\WINDOWS\system32\addko32.exe
O4 - HKLM\..\RunOnce: [addnf.exe] C:\WINDOWS\addnf.exe
O4 - HKLM\..\RunOnce: [msyw.exe] C:\WINDOWS\system32\msyw.exe
O4 - HKLM\..\RunOnce: [sysxd.exe] C:\WINDOWS\sysxd.exe
O4 - HKLM\..\RunOnce: [mfcqa.exe] C:\WINDOWS\system32\mfcqa.exe
O4 - HKLM\..\RunOnce: [sdklo.exe] C:\WINDOWS\system32\sdklo.exe
O4 - HKLM\..\RunOnce: [ieid32.exe] C:\WINDOWS\ieid32.exe
O4 - HKLM\..\RunOnce: [appzs32.exe] C:\WINDOWS\appzs32.exe
O4 - HKLM\..\RunOnce: [javatm32.exe] C:\WINDOWS\javatm32.exe
O4 - HKLM\..\RunOnce: [mfcmd.exe] C:\WINDOWS\mfcmd.exe
O4 - HKLM\..\RunOnce: [sdkqh.exe] C:\WINDOWS\sdkqh.exe
O4 - HKLM\..\RunOnce: [d3bi32.exe] C:\WINDOWS\d3bi32.exe
O4 - HKLM\..\RunOnce: [winzp.exe] C:\WINDOWS\winzp.exe
O4 - HKLM\..\RunOnce: [mfcvt32.exe] C:\WINDOWS\system32\mfcvt32.exe
O4 - HKLM\..\RunOnce: [addfu.exe] C:\WINDOWS\addfu.exe
O4 - HKLM\..\RunOnce: [ielh.exe] C:\WINDOWS\ielh.exe
O4 - HKLM\..\RunOnce: [sdkqj32.exe] C:\WINDOWS\system32\sdkqj32.exe
O4 - HKLM\..\RunOnce: [appnw.exe] C:\WINDOWS\appnw.exe
O4 - HKLM\..\RunOnce: [ipgt.exe] C:\WINDOWS\system32\ipgt.exe
O4 - HKLM\..\RunOnce: [ipam32.exe] C:\WINDOWS\system32\ipam32.exe
O4 - HKLM\..\RunOnce: [appfg.exe] C:\WINDOWS\system32\appfg.exe
O4 - HKLM\..\RunOnce: [apied.exe] C:\WINDOWS\apied.exe
O4 - HKLM\..\RunOnce: [sysjf32.exe] C:\WINDOWS\sysjf32.exe
O4 - HKLM\..\RunOnce: [winjn32.exe] C:\WINDOWS\winjn32.exe
O4 - HKLM\..\RunOnce: [sysgi.exe] C:\WINDOWS\system32\sysgi.exe
O4 - HKLM\..\RunOnce: [iehi32.exe] C:\WINDOWS\iehi32.exe
O4 - HKLM\..\RunOnce: [sdkmk.exe] C:\WINDOWS\sdkmk.exe
O4 - HKLM\..\RunOnce: [syseo32.exe] C:\WINDOWS\system32\syseo32.exe
O4 - HKLM\..\RunOnce: [javasw.exe] C:\WINDOWS\system32\javasw.exe
O4 - HKLM\..\RunOnce: [apifr32.exe] C:\WINDOWS\apifr32.exe
O4 - HKLM\..\RunOnce: [winzw.exe] C:\WINDOWS\system32\winzw.exe
O4 - HKLM\..\RunOnce: [ieiw32.exe] C:\WINDOWS\ieiw32.exe
O4 - HKLM\..\RunOnce: [ntcv.exe] C:\WINDOWS\system32\ntcv.exe
O4 - HKLM\..\RunOnce: [winwg.exe] C:\WINDOWS\winwg.exe
O4 - HKLM\..\RunOnce: [msmn32.exe] C:\WINDOWS\msmn32.exe
O4 - HKLM\..\RunOnce: [atlbd32.exe] C:\WINDOWS\system32\atlbd32.exe
O4 - HKLM\..\RunOnce: [winll.exe] C:\WINDOWS\system32\winll.exe
O4 - HKLM\..\RunOnce: [addqa32.exe] C:\WINDOWS\system32\addqa32.exe
O4 - HKLM\..\RunOnce: [winfx32.exe] C:\WINDOWS\winfx32.exe
O4 - HKLM\..\RunOnce: [addnn32.exe] C:\WINDOWS\addnn32.exe
O4 - HKLM\..\RunOnce: [mfcrr.exe] C:\WINDOWS\system32\mfcrr.exe
O4 - HKLM\..\RunOnce: [atlsr32.exe] C:\WINDOWS\atlsr32.exe
O4 - HKLM\..\RunOnce: [mslk.exe] C:\WINDOWS\mslk.exe
O4 - HKLM\..\RunOnce: [sdkpo.exe] C:\WINDOWS\system32\sdkpo.exe
O4 - HKLM\..\RunOnce: [winyv32.exe] C:\WINDOWS\system32\winyv32.exe
O4 - HKLM\..\RunOnce: [d3pk.exe] C:\WINDOWS\d3pk.exe
O4 - HKLM\..\RunOnce: [ipoa32.exe] C:\WINDOWS\ipoa32.exe
O4 - HKLM\..\RunOnce: [atlmp32.exe] C:\WINDOWS\system32\atlmp32.exe
O4 - HKLM\..\RunOnce: [mfcmx.exe] C:\WINDOWS\system32\mfcmx.exe
O4 - HKLM\..\RunOnce: [appux.exe] C:\WINDOWS\system32\appux.exe
O4 - HKLM\..\RunOnce: [ntkv32.exe] C:\WINDOWS\ntkv32.exe
O4 - HKLM\..\RunOnce: [d3ac32.exe] C:\WINDOWS\system32\d3ac32.exe
O4 - HKLM\..\RunOnce: [mfccv32.exe] C:\WINDOWS\system32\mfccv32.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\mfcor32.exe
O4 - HKLM\..\RunOnce: [crgv32.exe] C:\WINDOWS\crgv32.exe
O4 - HKLM\..\RunOnce: [ipwd.exe] C:\WINDOWS\system32\ipwd.exe
O4 - HKLM\..\RunOnce: [d3au.exe] C:\WINDOWS\system32\d3au.exe
O4 - HKLM\..\RunOnce: [netor.exe] C:\WINDOWS\system32\netor.exe
O4 - HKLM\..\RunOnce: [msic.exe] C:\WINDOWS\system32\msic.exe
O4 - HKLM\..\RunOnce: [crxs.exe] C:\WINDOWS\system32\crxs.exe
O4 - HKLM\..\RunOnce: [netik32.exe] C:\WINDOWS\netik32.exe
O4 - HKLM\..\RunOnce: [appgy32.exe] C:\WINDOWS\system32\appgy32.exe
O4 - HKLM\..\RunOnce: [atlsj.exe] C:\WINDOWS\atlsj.exe
O4 - HKLM\..\RunOnce: [ipwn.exe] C:\WINDOWS\ipwn.exe
O4 - HKLM\..\RunOnce: [crgo32.exe] C:\WINDOWS\crgo32.exe
O4 - HKLM\..\RunOnce: [iefv.exe] C:\WINDOWS\iefv.exe
O4 - HKLM\..\RunOnce: [atlaz32.exe] C:\WINDOWS\atlaz32.exe
O4 - HKLM\..\RunOnce: [winka.exe] C:\WINDOWS\winka.exe
O4 - HKLM\..\RunOnce: [ipti32.exe] C:\WINDOWS\ipti32.exe
O4 - HKLM\..\RunOnce: [ipid32.exe] C:\WINDOWS\system32\ipid32.exe
O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\javavf32.exe
O4 - HKLM\..\RunOnce: [atloy32.exe] C:\WINDOWS\atloy32.exe
O4 - HKLM\..\RunOnce: [mfcog32.exe] C:\WINDOWS\mfcog32.exe
O4 - HKLM\..\RunOnce: [sdkyh32.exe] C:\WINDOWS\sdkyh32.exe
O4 - HKLM\..\RunOnce: [appyp.exe] C:\WINDOWS\system32\appyp.exe
O4 - HKLM\..\RunOnce: [iect.exe] C:\WINDOWS\system32\iect.exe
O4 - HKLM\..\RunOnce: [mfcrq32.exe] C:\WINDOWS\mfcrq32.exe
O4 - HKLM\..\RunOnce: [iphx.exe] C:\WINDOWS\iphx.exe
O4 - HKLM\..\RunOnce: [d3lt32.exe] C:\WINDOWS\d3lt32.exe
O4 - HKLM\..\RunOnce: [addpl32.exe] C:\WINDOWS\system32\addpl32.exe
O4 - HKLM\..\RunOnce: [msob.exe] C:\WINDOWS\msob.exe
O4 - HKLM\..\RunOnce: [ipni32.exe] C:\WINDOWS\system32\ipni32.exe
O4 - HKLM\..\RunOnce: [atldy32.exe] C:\WINDOWS\atldy32.exe
O4 - HKLM\..\RunOnce: [mfclo.exe] C:\WINDOWS\mfclo.exe
O4 - HKLM\..\RunOnce: [msri32.exe] C:\WINDOWS\system32\msri32.exe
O4 - HKLM\..\RunOnce: [winvn.exe] C:\WINDOWS\system32\winvn.exe
O4 - HKLM\..\RunOnce: [sysen32.exe] C:\WINDOWS\sysen32.exe
O4 - HKLM\..\RunOnce: [ietk32.exe] C:\WINDOWS\system32\ietk32.exe
O4 - HKLM\..\RunOnce: [sdkyg32.exe] C:\WINDOWS\system32\sdkyg32.exe
O4 - HKLM\..\RunOnce: [systa32.exe] C:\WINDOWS\systa32.exe
O4 - HKLM\..\RunOnce: [ipqs32.exe] C:\WINDOWS\system32\ipqs32.exe
O4 - HKLM\..\RunOnce: [javavx.exe] C:\WINDOWS\javavx.exe
O4 - HKLM\..\RunOnce: [atljz.exe] C:\WINDOWS\system32\atljz.exe
O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\winnd.exe
O4 - HKLM\..\RunOnce: [apica32.exe] C:\WINDOWS\apica32.exe
O4 - HKLM\..\RunOnce: [sdksi.exe] C:\WINDOWS\sdksi.exe
O4 - HKLM\..\RunOnce: [mswm32.exe] C:\WINDOWS\system32\mswm32.exe
O4 - HKLM\..\RunOnce: [appbw32.exe] C:\WINDOWS\appbw32.exe
O4 - HKLM\..\RunOnce: [ierl32.exe] C:\WINDOWS\system32\ierl32.exe
O4 - HKLM\..\RunOnce: [javaev32.exe] C:\WINDOWS\javaev32.exe
O4 - HKLM\..\RunOnce: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe
O4 - HKLM\..\RunOnce: [netct.exe] C:\WINDOWS\netct.exe
O4 - HKLM\..\RunOnce: [ntjd32.exe] C:\WINDOWS\system32\ntjd32.exe
O4 - HKLM\..\RunOnce: [atlof.exe] C:\WINDOWS\atlof.exe
O4 - HKLM\..\RunOnce: [ntzl.exe] C:\WINDOWS\system32\ntzl.exe
O4 - HKLM\..\RunOnce: [appeg32.exe] C:\WINDOWS\appeg32.exe
O4 - HKLM\..\RunOnce: [atljy.exe] C:\WINDOWS\atljy.exe
O4 - HKLM\..\RunOnce: [nttv.exe] C:\WINDOWS\system32\nttv.exe
O4 - HKLM\..\RunOnce: [addei.exe] C:\WINDOWS\addei.exe
O4 - HKLM\..\RunOnce: [netxe32.exe] C:\WINDOWS\system32\netxe32.exe
O4 - HKLM\..\RunOnce: [appws32.exe] C:\WINDOWS\appws32.exe
O4 - HKLM\..\RunOnce: [ntta32.exe] C:\WINDOWS\ntta32.exe
O4 - HKLM\..\RunOnce: [ntjr.exe] C:\WINDOWS\system32\ntjr.exe
O4 - HKLM\..\RunOnce: [mfcbm.exe] C:\WINDOWS\system32\mfcbm.exe
O4 - HKLM\..\RunOnce: [sysog.exe] C:\WINDOWS\system32\sysog.exe
O4 - HKLM\..\RunOnce: [ntfo.exe] C:\WINDOWS\system32\ntfo.exe
O4 - HKLM\..\RunOnce: [ipom.exe] C:\WINDOWS\ipom.exe
O4 - HKLM\..\RunOnce: [appuo.exe] C:\WINDOWS\system32\appuo.exe
O4 - HKLM\..\RunOnce: [d3te32.exe] C:\WINDOWS\d3te32.exe
O4 - HKLM\..\RunOnce: [ipgy.exe] C:\WINDOWS\system32\ipgy.exe
O4 - HKLM\..\RunOnce: [addbb.exe] C:\WINDOWS\system32\addbb.exe
O4 - HKLM\..\RunOnce: [javahv.exe] C:\WINDOWS\javahv.exe
O4 - HKLM\..\RunOnce: [mfcdf.exe] C:\WINDOWS\system32\mfcdf.exe
O4 - HKLM\..\RunOnce: [sysji32.exe] C:\WINDOWS\sysji32.exe
O4 - HKLM\..\RunOnce: [apimr32.exe] C:\WINDOWS\system32\apimr32.exe
O4 - HKLM\..\RunOnce: [sdkdz.exe] C:\WINDOWS\system32\sdkdz.exe
O4 - HKLM\..\RunOnce: [atlib32.exe] C:\WINDOWS\atlib32.exe
O4 - HKLM\..\RunOnce: [apibm.exe] C:\WINDOWS\apibm.exe
O4 - HKLM\..\RunOnce: [sysho32.exe] C:\WINDOWS\system32\sysho32.exe
O4 - HKLM\..\RunOnce: [addaz.exe] C:\WINDOWS\system32\addaz.exe
O4 - HKLM\..\RunOnce: [crfu32.exe] C:\WINDOWS\crfu32.exe
O4 - HKLM\..\RunOnce: [apitw32.exe] C:\WINDOWS\system32\apitw32.exe
O4 - HKLM\..\RunOnce: [d3dc.exe] C:\WINDOWS\system32\d3dc.exe
O4 - HKLM\..\RunOnce: [sdknb.exe] C:\WINDOWS\system32\sdknb.exe
O4 - HKLM\..\RunOnce: [mfcsd32.exe] C:\WINDOWS\system32\mfcsd32.exe
O4 - HKLM\..\RunOnce: [syszq.exe] C:\WINDOWS\system32\syszq.exe
O4 - HKLM\..\RunOnce: [sdkfl32.exe] C:\WINDOWS\system32\sdkfl32.exe
O4 - HKLM\..\RunOnce: [javafb32.exe] C:\WINDOWS\system32\javafb32.exe
O4 - HKLM\..\RunOnce: [apisv32.exe] C:\WINDOWS\system32\apisv32.exe
O4 - HKLM\..\RunOnce: [javabv32.exe] C:\WINDOWS\javabv32.exe
O4 - HKLM\..\RunOnce: [mfchp.exe] C:\WINDOWS\system32\mfchp.exe
O4 - HKLM\..\RunOnce: [javawn32.exe] C:\WINDOWS\javawn32.exe
O4 - HKLM\..\RunOnce: [msmu.exe] C:\WINDOWS\msmu.exe
O4 - HKLM\..\RunOnce: [addqy32.exe] C:\WINDOWS\addqy32.exe
O4 - HKLM\..\RunOnce: [sysaz.exe] C:\WINDOWS\sysaz.exe
O4 - HKLM\..\RunOnce: [netjh.exe] C:\WINDOWS\netjh.exe
O4 - HKLM\..\RunOnce: [ieds32.exe] C:\WINDOWS\ieds32.exe
O4 - HKLM\..\RunOnce: [addta32.exe] C:\WINDOWS\addta32.exe
O4 - HKLM\..\RunOnce: [sdksj.exe] C:\WINDOWS\sdksj.exe
O4 - HKLM\..\RunOnce: [atlyd.exe] C:\WINDOWS\atlyd.exe
O4 - HKLM\..\RunOnce: [d3zr.exe] C:\WINDOWS\d3zr.exe
O4 - HKLM\..\RunOnce: [netel.exe] C:\WINDOWS\netel.exe
O4 - HKLM\..\RunOnce: [sysmr.exe] C:\WINDOWS\system32\sysmr.exe
O4 - HKLM\..\RunOnce: [javast.exe] C:\WINDOWS\javast.exe
O4 - HKLM\..\RunOnce: [addnd32.exe] C:\WINDOWS\addnd32.exe
O4 - HKLM\..\RunOnce: [d3sx.exe] C:\WINDOWS\system32\d3sx.exe
O4 - HKLM\..\RunOnce: [apppu32.exe] C:\WINDOWS\apppu32.exe
O4 - HKLM\..\RunOnce: [d3uo.exe] C:\WINDOWS\d3uo.exe
O4 - HKLM\..\RunOnce: [msal.exe] C:\WINDOWS\system32\msal.exe
O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\system32\ipff32.exe
O4 - HKLM\..\RunOnce: [netda32.exe] C:\WINDOWS\system32\netda32.exe
O4 - HKLM\..\RunOnce: [winjc.exe] C:\WINDOWS\system32\winjc.exe
O4 - HKLM\..\RunOnce: [ntdo.exe] C:\WINDOWS\ntdo.exe
O4 - HKLM\..\RunOnce: [atlii32.exe] C:\WINDOWS\atlii32.exe
O4 - HKLM\..\RunOnce: [netgp.exe] C:\WINDOWS\netgp.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O4 - HKLM\..\RunOnce: [netbe.exe] C:\WINDOWS\netbe.exe
O4 - HKLM\..\RunOnce: [apikf32.exe] C:\WINDOWS\system32\apikf32.exe
O4 - HKLM\..\RunOnce: [winqh.exe] C:\WINDOWS\system32\winqh.exe
O4 - HKLM\..\RunOnce: [mfcoc32.exe] C:\WINDOWS\system32\mfcoc32.exe
O4 - HKLM\..\RunOnce: [syscw.exe] C:\WINDOWS\syscw.exe
O4 - HKLM\..\RunOnce: [atlgy.exe] C:\WINDOWS\atlgy.exe
O4 - HKLM\..\RunOnce: [apphw.exe] C:\WINDOWS\system32\apphw.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\system32\ipuo.exe
O4 - HKLM\..\RunOnce: [apptc32.exe] C:\WINDOWS\system32\apptc32.exe
O4 - HKLM\..\RunOnce: [d3yw.exe] C:\WINDOWS\system32\d3yw.exe
O4 - HKLM\..\RunOnce: [iemy32.exe] C:\WINDOWS\iemy32.exe
O4 - HKLM\..\RunOnce: [crri.exe] C:\WINDOWS\system32\crri.exe
O4 - HKLM\..\RunOnce: [apiel32.exe] C:\WINDOWS\system32\apiel32.exe
O4 - HKLM\..\RunOnce: [netet.exe] C:\WINDOWS\system32\netet.exe
O4 - HKLM\..\RunOnce: [d3hc32.exe] C:\WINDOWS\system32\d3hc32.exe
O4 - HKLM\..\RunOnce: [ipne32.exe] C:\WINDOWS\system32\ipne32.exe
O4 - HKLM\..\RunOnce: [mslp.exe] C:\WINDOWS\mslp.exe
O4 - HKLM\..\RunOnce: [sdkpb.exe] C:\WINDOWS\system32\sdkpb.exe
O4 - HKLM\..\RunOnce: [mfcuv32.exe] C:\WINDOWS\mfcuv32.exe
O4 - HKLM\..\RunOnce: [appec.exe] C:\WINDOWS\appec.exe
O4 - HKLM\..\RunOnce: [ipcr32.exe] C:\WINDOWS\system32\ipcr32.exe
O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
O4 - HKLM\..\RunOnce: [apivt.exe] C:\WINDOWS\apivt.exe
O4 - HKLM\..\RunOnce: [appka.exe] C:\WINDOWS\system32\appka.exe
O4 - HKLM\..\RunOnce: [mspd32.exe] C:\WINDOWS\system32\mspd32.exe
O4 - HKLM\..\RunOnce: [winvf.exe] C:\WINDOWS\winvf.exe
O4 - HKLM\..\RunOnce: [javaiz32.exe] C:\WINDOWS\system32\javaiz32.exe
O4 - HKLM\..\RunOnce: [netnj32.exe] C:\WINDOWS\system32\netnj32.exe
O4 - HKLM\..\RunOnce: [applz32.exe] C:\WINDOWS\applz32.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [netqa32.exe] C:\WINDOWS\netqa32.exe
O4 - HKLM\..\RunOnce: [winvv.exe] C:\WINDOWS\system32\winvv.exe
O4 - HKLM\..\RunOnce: [netlq32.exe] C:\WINDOWS\netlq32.exe
O4 - HKLM\..\RunOnce: [addyk.exe] C:\WINDOWS\addyk.exe
O4 - HKLM\..\RunOnce: [syszk32.exe] C:\WINDOWS\system32\syszk32.exe
O4 - HKLM\..\RunOnce: [javaem.exe] C:\WINDOWS\system32\javaem.exe
O4 - HKLM\..\RunOnce: [ipiq.exe] C:\WINDOWS\system32\ipiq.exe
O4 - HKLM\..\RunOnce: [addns32.exe] C:\WINDOWS\system32\addns32.exe
O4 - HKLM\..\RunOnce: [mfcax.exe] C:\WINDOWS\system32\mfcax.exe
O4 - HKLM\..\RunOnce: [sysgr32.exe] C:\WINDOWS\system32\sysgr32.exe
O4 - HKLM\..\RunOnce: [crwg.exe] C:\WINDOWS\crwg.exe
O4 - HKLM\..\RunOnce: [apijj32.exe] C:\WINDOWS\apijj32.exe
O4 - HKLM\..\RunOnce: [winuz.exe] C:\WINDOWS\system32\winuz.exe
O4 - HKLM\..\RunOnce: [crzt32.exe] C:\WINDOWS\system32\crzt32.exe
O4 - HKLM\..\RunOnce: [addcf32.exe] C:\WINDOWS\system32\addcf32.exe
O4 - HKLM\..\RunOnce: [d3ih.exe] C:\WINDOWS\system32\d3ih.exe
O4 - HKLM\..\RunOnce: [iphv32.exe] C:\WINDOWS\system32\iphv32.exe
O4 - HKLM\..\RunOnce: [ippd32.exe] C:\WINDOWS\system32\ippd32.exe
O4 - HKLM\..\RunOnce: [appuf.exe] C:\WINDOWS\system32\appuf.exe
O4 - HKLM\..\RunOnce: [mfctn.exe] C:\WINDOWS\mfctn.exe
O4 - HKLM\..\RunOnce: [syszh.exe] C:\WINDOWS\system32\syszh.exe
O4 - HKLM\..\RunOnce: [mscr.exe] C:\WINDOWS\system32\mscr.exe
O4 - HKLM\..\RunOnce: [ipil32.exe] C:\WINDOWS\ipil32.exe
O4 - HKLM\..\RunOnce: [winit32.exe] C:\WINDOWS\system32\winit32.exe
O4 - HKLM\..\RunOnce: [javavn.exe] C:\WINDOWS\system32\javavn.exe
O4 - HKLM\..\RunOnce: [mfcgo.exe] C:\WINDOWS\mfcgo.exe
O4 - HKLM\..\RunOnce: [systi32.exe] C:\WINDOWS\system32\systi32.exe
O4 - HKLM\..\RunOnce: [wintq32.exe] C:\WINDOWS\system32\wintq32.exe
O4 - HKLM\..\RunOnce: [apien.exe] C:\WINDOWS\system32\apien.exe
O4 - HKLM\..\RunOnce: [iesr.exe] C:\WINDOWS\system32\iesr.exe
O4 - HKLM\..\RunOnce: [sdkxl32.exe] C:\WINDOWS\system32\sdkxl32.exe
O4 - HKLM\..\RunOnce: [winla.exe] C:\WINDOWS\system32\winla.exe
O4 - HKLM\..\RunOnce: [javarc32.exe] C:\WINDOWS\javarc32.exe
O4 - HKLM\..\RunOnce: [winuo.exe] C:\WINDOWS\system32\winuo.exe
O4 - HKLM\..\RunOnce: [crzi32.exe] C:\WINDOWS\crzi32.exe
O4 - HKLM\..\RunOnce: [ieen.exe] C:\WINDOWS\system32\ieen.exe
O4 - HKLM\..\RunOnce: [sdkjp32.exe] C:\WINDOWS\system32\sdkjp32.exe
O4 - HKLM\..\RunOnce: [mfche.exe] C:\WINDOWS\mfche.exe
O4 - HKLM\..\RunOnce: [sysgm32.exe] C:\WINDOWS\sysgm32.exe
O4 - HKLM\..\RunOnce: [apike32.exe] C:\WINDOWS\apike32.exe
O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
O4 - HKLM\..\RunOnce: [mswp32.exe] C:\WINDOWS\mswp32.exe
O4 - HKLM\..\RunOnce: [croq.exe] C:\WINDOWS\croq.exe
O4 - HKLM\..\RunOnce: [crtm32.exe] C:\WINDOWS\crtm32.exe
O4 - HKLM\..\RunOnce: [crib32.exe] C:\WINDOWS\system32\crib32.exe
O4 - HKLM\..\RunOnce: [apinf32.exe] C:\WINDOWS\apinf32.exe
O4 - HKLM\..\RunOnce: [crir32.exe] C:\WINDOWS\system32\crir32.exe
O4 - HKLM\..\RunOnce: [iemv.exe] C:\WINDOWS\iemv.exe
O4 - HKLM\..\RunOnce: [msvw32.exe] C:\WINDOWS\system32\msvw32.exe
O4 - HKLM\..\RunOnce: [d3cs32.exe] C:\WINDOWS\d3cs32.exe
O4 - HKLM\..\RunOnce: [ipgp.exe] C:\WINDOWS\system32\ipgp.exe
O4 - HKLM\..\RunOnce: [mfckb.exe] C:\WINDOWS\mfckb.exe
O4 - HKLM\..\RunOnce: [mfcnk32.exe] C:\WINDOWS\mfcnk32.exe
O4 - HKLM\..\RunOnce: [ieso32.exe] C:\WINDOWS\ieso32.exe
O4 - HKLM\..\RunOnce: [apina32.exe] C:\WINDOWS\system32\apina32.exe
O4 - HKLM\..\RunOnce: [ipse.exe] C:\WINDOWS\system32\ipse.exe
O4 - HKLM\..\RunOnce: [netaf32.exe] C:\WINDOWS\system32\netaf32.exe
O4 - HKLM\..\RunOnce: [nethc.exe] C:\WINDOWS\system32\nethc.exe
O4 - HKLM\..\RunOnce: [netvq.exe] C:\WINDOWS\system32\netvq.exe
O4 - HKLM\..\RunOnce: [sysav.exe] C:\WINDOWS\sysav.exe
O4 - HKLM\..\RunOnce: [ipug.exe] C:\WINDOWS\system32\ipug.exe
O4 - HKLM\..\RunOnce: [mfckn.exe] C:\WINDOWS\system32\mfckn.exe
O4 - HKLM\..\RunOnce: [winug32.exe] C:\WINDOWS\winug32.exe
O4 - HKLM\..\RunOnce: [addoz.exe] C:\WINDOWS\addoz.exe
O4 - HKLM\..\RunOnce: [msmn.exe] C:\WINDOWS\system32\msmn.exe
O4 - HKLM\..\RunOnce: [addir.exe] C:\WINDOWS\addir.exe
O4 - HKLM\..\RunOnce: [apibj32.exe] C:\WINDOWS\system32\apibj32.exe
O4 - HKLM\..\RunOnce: [ntrr.exe] C:\WINDOWS\system32\ntrr.exe
O4 - HKLM\..\RunOnce: [d3vv32.exe] C:\WINDOWS\d3vv32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\javafd.exe
O4 - HKLM\..\RunOnce: [crks32.exe] C:\WINDOWS\crks32.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\system32\javazp32.exe
O4 - HKLM\..\RunOnce: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\RunOnce: [iejb.exe] C:\WINDOWS\iejb.exe
O4 - HKLM\..\RunOnce: [atluy32.exe] C:\WINDOWS\system32\atluy32.exe
O4 - HKLM\..\RunOnce: [netkn.exe] C:\WINDOWS\netkn.exe
O4 - HKLM\..\RunOnce: [addqp32.exe] C:\WINDOWS\addqp32.exe
O4 - HKLM\..\RunOnce: [msgf.exe] C:\WINDOWS\system32\msgf.exe
O4 - HKLM\..\RunOnce: [iptz32.exe] C:\WINDOWS\system32\iptz32.exe
O4 - HKLM\..\RunOnce: [ntth32.exe] C:\WINDOWS\system32\ntth32.exe
O4 - HKLM\..\RunOnce: [atlyj32.exe] C:\WINDOWS\atlyj32.exe
O4 - HKLM\..\RunOnce: [msdh32.exe] C:\WINDOWS\msdh32.exe
O4 - HKLM\..\RunOnce: [ntic32.exe] C:\WINDOWS\ntic32.exe
O4 - HKLM\..\RunOnce: [addcb.exe] C:\WINDOWS\addcb.exe
O4 - HKLM\..\RunOnce: [mfcbg32.exe] C:\WINDOWS\system32\mfcbg32.exe
O4 - HKLM\..\RunOnce: [mfcbi32.exe] C:\WINDOWS\system32\mfcbi32.exe
O4 - HKLM\..\RunOnce: [iegc32.exe] C:\WINDOWS\system32\iegc32.exe
O4 - HKLM\..\RunOnce: [syspq.exe] C:\WINDOWS\system32\syspq.exe
O4 - HKLM\..\RunOnce: [criv32.exe] C:\WINDOWS\criv32.exe
O4 - HKLM\..\RunOnce: [winso32.exe] C:\WINDOWS\winso32.exe
O4 - HKLM\..\RunOnce: [atlfq32.exe] C:\WINDOWS\atlfq32.exe
O4 - HKLM\..\RunOnce: [msqj32.exe] C:\WINDOWS\system32\msqj32.exe
O4 - HKLM\..\RunOnce: [ntdl.exe] C:\WINDOWS\ntdl.exe
O4 - HKLM\..\RunOnce: [d3in.exe] C:\WINDOWS\d3in.exe
O4 - HKLM\..\RunOnce: [ipsg32.exe] C:\WINDOWS\system32\ipsg32.exe
O4 - HKLM\..\RunOnce: [appya.exe] C:\WINDOWS\system32\appya.exe
O4 - HKLM\..\RunOnce: [mfcxo.exe] C:\WINDOWS\mfcxo.exe
O4 - HKLM\..\RunOnce: [ntbs.exe] C:\WINDOWS\system32\ntbs.exe
O4 - HKLM\..\RunOnce: [atlhm32.exe] C:\WINDOWS\system32\atlhm32.exe
O4 - HKLM\..\RunOnce: [atlah32.exe] C:\WINDOWS\system32\atlah32.exe
O4 - HKLM\..\RunOnce: [msgc.exe] C:\WINDOWS\system32\msgc.exe
O4 - HKLM\..\RunOnce: [winfj.exe] C:\WINDOWS\winfj.exe
O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
O4 - HKLM\..\RunOnce: [atlpk32.exe] C:\WINDOWS\atlpk32.exe
O4 - HKLM\..\RunOnce: [addtm32.exe] C:\WINDOWS\addtm32.exe
O4 - HKLM\..\RunOnce: [atlmf.exe] C:\WINDOWS\system32\atlmf.exe
O4 - HKLM\..\RunOnce: [ipij.exe] C:\WINDOWS\system32\ipij.exe
O4 - HKLM\..\RunOnce: [crak32.exe] C:\WINDOWS\system32\crak32.exe
O4 - HKLM\..\RunOnce: [ierr.exe] C:\WINDOWS\system32\ierr.exe
O4 - HKLM\..\RunOnce: [appvn32.exe] C:\WINDOWS\system32\appvn32.exe
O4 - HKLM\..\RunOnce: [winew.exe] C:\WINDOWS\system32\winew.exe
O4 - HKLM\..\RunOnce: [winkk32.exe] C:\WINDOWS\system32\winkk32.exe
O4 - HKLM\..\RunOnce: [winyh32.exe] C:\WINDOWS\winyh32.exe
O4 - HKLM\..\RunOnce: [javadl32.exe] C:\WINDOWS\system32\javadl32.exe
O4 - HKLM\..\RunOnce: [addyx32.exe] C:\WINDOWS\addyx32.exe
O4 - HKLM\..\RunOnce: [atldb.exe] C:\WINDOWS\atldb.exe
O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\appmc32.exe
O4 - HKLM\..\RunOnce: [appaz32.exe] C:\WINDOWS\system32\appaz32.exe
O4 - HKLM\..\RunOnce: [d3xv32.exe] C:\WINDOWS\d3xv32.exe
O4 - HKLM\..\RunOnce: [appah32.exe] C:\WINDOWS\system32\appah32.exe
O4 - HKLM\..\RunOnce: [apifl.exe] C:\WINDOWS\system32\apifl.exe
O4 - HKLM\..\RunOnce: [mfcol32.exe] C:\WINDOWS\system32\mfcol32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
  • 0

#4
coe
Posted 11 July 2005 - 06:05 PM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Things have gone from bad to worse I'm afraid. While I was out of the house, someone who doesn't know computers very well ended up installing all sorts of adware (Antivirus Gold, etc.). Now my desktop is blue and has an error message talking about some error in IE, telling me to scan with an anti spyware program. Attached are some screen shots. In short, I'm in way over my head....Below is the most recent Hijack This log (after scanning in safe mode with Spybot S&D, Ad-aware and McAfee):

Logfile of HijackThis v1.99.1
Scan saved at 5:04:26 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\crpi32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmonp.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\system32\intmon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\apiik32.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\popuper.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpCEE8.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [apiik32.exe] C:\WINDOWS\system32\apiik32.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crpi32.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Attached Thumbnails

  • desktop.JPG
  • desktop2.JPG

  • 0

#5
Trevuren
Posted 11 July 2005 - 06:41 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I don't know where to begin..... The logs look so different. Your system has 2 or more of the worst infections it could have: a vey difficult variant of the About:Blank infection and a variant of the Smithfraud infection. I must try to get the first before anything else because going for the second first will only make the first ten times more difficult to treat.

A lot of your trouble, in my opinion is coming from your "Free download manager". These free things are usually bundled with junk. Taking care of this one will not help your screen.
-----------------------------------------------------------

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download and install these programs - DON'T RUN THEM YET!!
  • Please download and unzip About:Buster to a folder on your Desktop. Inside the folder is a readme file that has instructions on the use of the program.
    • AboutBuster MUST be updated before you use it.
    • Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.
  • Please download and install AD-Aware.
    Check Here on how setup and use it - please make sure you update it first.

  • Download HSfix from HERE and unzip it to your desktop.


  • Download CW-Shredder at the link below:
    http://cwshredder.ne...CWSshtreder.exe

  • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" is checked.
    • Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" .
    • Now click "Apply to all folders"
    • Click "Apply" then "OK"
  • For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that.
    Do this so you can see hidden files and folders - click HERE to download XPhidden.zip by David Higham. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Click on the Extended Tab.

Scroll down and find the service called:

Remote Procedure Call (RPC) Helper

2. When you find it,
  • double-click on it.
  • In the next window that opens, click the Stop
    button
  • Then click on properties and under the General Tab
  • Change the Startup Type to Disabled.
  • Now hit Apply and then Ok and close any open windows.
If you don´t find this service listed go ahead with the next steps.

3. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

4. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\crpi32.exe

If you find the files, highlight them, and then click End Process => Exit the Task Manager.


5. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dhcah.dll/sp.html#52409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [apiik32.exe] C:\WINDOWS\system32\apiik32.exe
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crpi32.exe


6. Delete the following files if present:

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

C:\WINDOWS\crpi32.exe
C:\WINDOWS\dhcah.dll
C:\WINDOWS\system32\apiik32.e


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

7. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with AdAware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin


10. Double click on the HSfix and when asked to merge say yes.

11. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

12. Reboot into normal mode.

13. Download the Hoster from:HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

14. Download and run this online virus scan:The site is often slow to appear)
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

If it says that you need to download an Active X element from their site, please do so. It is safe

15. Reboot and post a fresh Hijack This log for review.

Regards,

Trevuren
  • 0

#6
coe
Posted 11 July 2005 - 10:18 PM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I don't know how much headway was made...Reformatting my hardrive is looking better and better.

There was no "dhcah.dll" file in C:/WINDOWS (only a "ddhcah.log").

Logfile of HijackThis v1.99.1
Scan saved at 9:14:23 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\ipqr32.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\intmonp.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\intmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
C:\WINDOWS\javaxj32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpDF44.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [javaxj32.exe] C:\WINDOWS\javaxj32.exe
O4 - HKLM\..\RunOnce: [iekf.exe] C:\WINDOWS\iekf.exe
O4 - HKLM\..\RunOnce: [addnq32.exe] C:\WINDOWS\addnq32.exe
O4 - HKLM\..\RunOnce: [ipqr32.exe] C:\WINDOWS\system32\ipqr32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crpi32.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Once again, your advice is much appreciated.
  • 0

#7
Trevuren
Posted 11 July 2005 - 10:46 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Wonderful job in getting rid of the About:blanl infection. I will be back with the Smithfraud fix in about 20 minutes. Just do this as well as you did the other and you will be a happy person.


Trevuren
  • 0

#8
coe
Posted 11 July 2005 - 10:52 PM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Whatever you say, I am at your service :tazz:
  • 0

#9
Trevuren
Posted 11 July 2005 - 11:00 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Remote Procedure Call (RPC) Helper
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


2. Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpDF44.tmp
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [javaxj32.exe] C:\WINDOWS\javaxj32.exe
O4 - HKLM\..\RunOnce: [iekf.exe] C:\WINDOWS\iekf.exe
O4 - HKLM\..\RunOnce: [addnq32.exe] C:\WINDOWS\addnq32.exe
O4 - HKLM\..\RunOnce: [ipqr32.exe] C:\WINDOWS\system32\ipqr32.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crpi32.exe (file missing)

Now, using Windows Explorer, DELETE the following files/folders (with all their content), if they still exist:

C:\WINDOWS\javaxj32.exe
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\iekf.exe
C:\WINDOWS\addnq32.exe
C:\WINDOWS\system32\ipqr32.exe
C:\Program Files\Free Download Manager<===Folder
C:\WINDOWS\crpi32.exe

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Regards, and Good Luck. I know you will do well


Trevuren
  • 0

#10
coe
Posted 12 July 2005 - 03:50 AM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Background issue is gone (thank you), haven't noticed a pop up yet either. Attached is a screen cap of the Desktop Customization option I think you were referring to ("Security Info")? I unchecked it ("make this available offline").

Also, I could not find "msmsgs.exe in C:/WINDOWS/system32 (or in WINDOWS). Thus, there was no "O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe" in the HJT scan I could fix. And I could not find "crpi32.exe" either, though there was a "crip32.exe" in WINDOWS (I did not delete).

Below are the logs:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, July 11, 2005 7:13:16 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R347 26.10.2004
Internal build : 281
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1379284 Bytes
Signature data size : 1356739 Bytes
Reference data size : 22481 Bytes
Signatures total : 29961
Target categories : 10
Target families : 587

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:80 %
Total physical memory:785712 kb
Available physical memory:627812 kb
Total page file size:1529676 kb
Available on page file:1446784 kb
Total virtual memory:2097024 kb
Available virtual memory:2049856 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


7-11-2005 7:13:16 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-12-2005 1:50:41 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-12-2005 1:50:46 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-12-2005 1:50:49 AM
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 2/13/2002 1:59:13 AM
Last accessed : 7/11/2005 7:00:00 AM
Last modified : 8/4/2004 7:56:56 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-12-2005 1:50:49 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 2/13/2002 1:59:01 AM
Last accessed : 7/11/2005 7:00:00 AM
Last modified : 8/4/2004 7:56:50 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-12-2005 1:50:51 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 2/13/2002 1:59:16 AM
Last accessed : 7/11/2005 7:00:00 AM
Last modified : 8/4/2004 7:56:58 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-12-2005 1:50:52 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 2/13/2002 1:59:16 AM
Last accessed : 7/11/2005 7:00:00 AM
Last modified : 8/4/2004 7:56:58 AM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-12-2005 1:52:51 AM
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 6/26/2003 7:37:20 PM
Last accessed : 7/11/2005 7:00:00 AM
Last modified : 8/4/2004 7:56:50 AM

#:8 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-12-2005 2:13:05 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 4/10/2004 10:14:27 PM
Last accessed : 7/11/2005 7:00:00 AM
Last modified : 7/13/2003 5:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CommonName Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}


CommonName Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{1e1b286c-88ff-11d2-8d96-d7acac95951f}


Windows Object recognized!
Type : RegData
Data :
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value : Shell
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Vulnerability
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 4


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\1Mevlana\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Acrobat3\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\ADOBEAPP\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\BJPrinter\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Config.Msi\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Application Data\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Cookies\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Desktop\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Favorites\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Local Settings\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\My Documents\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\NetHood\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\PrintHood\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Recent\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\SendTo\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\sitebuilder\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Start Menu\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\Templates\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\UserData\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Documents and Settings\Owner\WINDOWS\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\FastTrackProfiles\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\FOUND.000\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\FOUND.001\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\FOUND.002\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\FOUND.003\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\GameSpy Arcade Setup\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\KPCMS\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\KWORD3\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\MSOffice\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\My Downloads\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\my music\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\NVIDIA\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\PM65\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Adobe\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Ahead\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Analog Devices\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\aod\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\ArcSoft\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\BestBuy\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\BitTorrent\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Caere\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Canon\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\CharacterEyes Limited for QuickLink\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Common Files\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\CyberLink\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\directx\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\DivX\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Elaborate Bytes\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\FLT\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\GameSpy Arcade\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\ICQLite\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\InstallShield Installation Information\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Intel\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Internet Explorer\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\JavaSoft\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\JquickTrans\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\KaZaA Lite\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Lavasoft\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Logitech\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\McAfee.com\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Messenger\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Microsoft ActiveSync\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\microsoft frontpage\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Microsoft Hardware\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Microsoft Works\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Movie Maker\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\MSN Gaming Zone\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\MSN Messenger\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\NetMeeting\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Online Services\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Ordix Mpack LE\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Outlook Express\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Peter\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\QuickLink Desktop\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\QuickTime\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Real\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\SEC\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\shizmoo\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Steam\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\SysAI\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\TLI\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Trillian\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Uninstall Information\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\VideoLAN\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Viewpoint\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Winamp\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Windows Media Player\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Windows NT\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\WindowsUpdate\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\WinMX\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\WinRAR\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Wolfenstein - Enemy Territory\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\xerox\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\XviD\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Program Files\Yahoo SiteBuilder\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Recycled\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\System Volume Information\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\Temp\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\WINDOWS\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\WORDBOOK\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4

Disk scan result for C:\WUTemp\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4


7:36:11 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:22:54:297
Objects scanned :329271
Objects identified :4
Objects ignored :0
New objects :4
----------------------------------------
Activescan log:

Incident Status Location

Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\shnlog.exe
Virus:Trj/Puper.C Disinfected Operating system
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\intmon.exe
Virus:Trj/Clicker.HP Disinfected Operating system
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\hpDF44.tmp
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Adware:Adware/FlashTrack No disinfected C:\Program Files\Flt
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.???
Adware:Adware/SearchAid No disinfected Windows Registry
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\downloaded program files\mediaticketsinstaller.ocx
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
Adware:Adware/Midaddle No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Owner\Favorites\online dating.url
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\intmonp.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\ole32vbs.exe
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Owner\Application Data\PSGuard.com
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\bqrufs5f.dat
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.log
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\hpDF44.tmp
Virus:Trj/Puper.C Disinfected C:\WINDOWS\system32\intmonp.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\ole32vbs.exe
Virus:Trj/Downloader.DLB Disinfected C:\WINDOWS\system32\msmsgs.exe
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\intmon.exe
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\shnlog.exe
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Take It Here - Free [bleep] TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Network Security.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Spam Filters.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Owner\Favorites\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Web Detective.url
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
Adware:Adware/Antivirus-gold No disinfected C:\Program Files\AntivirusGold\AntivirusGold.exe
-----------------------------------
Smitfiles:

Pre-run Files Present


~~~ Program Files ~~~

AntiVirusGold


~~~ Shortcuts ~~~

PSGuard.com


~~~ system32 ~~~

wp.bmp
ole32vbs.exe
shnlog.exe
intmon.exe
hhk.dll
logfiles


~~~ Windows directory ~~~

screen.html
sites.ini


~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!
-------------------------
Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:54:42 AM, 7/12/2005
+ Report-Checksum: E5B107D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{045AE71F-801F-4A71-C593-6529CE594056} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08BFBA35-C44B-38A4-2263-278430DC9376} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0B6BE68E-B55A-5883-3DBC-30D73208D3E7} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0E37D9E0-99E3-DA14-3197-60132338963E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1228458E-6B19-48F4-5449-A00AEE93F0FC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1F6A3B74-3D40-4D48-4D55-E3A0A8029CC2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2CB91DCB-A5E9-DD47-0B46-E2380FC72EF2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2D7C78D3-F49A-8BD3-9A98-41F319D802B2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{33EBB320-A2D5-6FD7-6D31-BA458C872ABD} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{35CDCE87-6BD6-878A-D4C9-24118A153D34} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3757D8EC-FD1D-A2F5-366B-C8C2FEE89B04} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{38D4E2FB-BB30-60CB-0D77-12064B5A0EE4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3CEB882D-6B2B-4D81-A544-9D9B1D6FA945} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3F81823D-B4B4-C3D2-CE8E-E8BB4EF4D52F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{66DEB589-B6D4-E95E-2E36-26287464CD11} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6A493714-8012-621E-A09E-CD80FF52FB1F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{742CF04D-EE46-1423-E899-B91C547ABC20} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{75877E2E-FCC5-29D8-75DB-DF6BCC96E791} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{76321C6A-B800-93A4-24BB-B1F318D2A8E0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{77E35B59-5DBF-CA0F-2037-00B52E21E874} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{792A038A-9C16-9885-5B25-CE939788172A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{792E2C95-AEBD-D9B8-E958-AD1BB5A3D9BA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7DE152D8-309F-6788-9563-DF3BA708A2CC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E562404-C395-FEAE-9587-21D1288BA8BF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{83CBE2FB-4038-4351-9B1C-E69BF75962AA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{89A41BA6-8DED-9D6C-F52D-289B010E519A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F97B6E9-C174-2E0C-BAF8-5BB263486A64} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A9C2FD6D-46F4-42AA-9928-C3DEE310A934} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B7C06F7A-7E5B-8248-7CE7-E61C97F1037E} -> Spyware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BB35FD19-38F4-89DC-FA76-BA6507A5C6D7} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C3802DB0-6240-6D7A-3197-2AC5C46F55B7} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C432F8C9-5E41-F564-674E-C21B8257061B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C74DF792-DD4B-4B33-4D25-BB3E8A211BB3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C7FBD51E-BEF2-5C0F-8979-E4567626007B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C8ECE32F-6478-B278-BA63-C2FD89E2DCF5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D80AA516-E153-738B-D9EF-24D6EAF3C13B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DA78BE1D-07FE-B346-204E-C738DF8C7F8D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DA826568-8230-C8BC-199C-3E738A0E5A48} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DF7346F5-4EB1-7F19-9320-5E86CBCBDA80} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E36A99D7-088F-A5E8-1BA4-87116D938D49} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E8A06DEA-6626-407D-5720-FE211C989AC1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E8C74323-6EAC-41DF-4232-E6575DCCE375} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EAE338CA-76EC-EAE9-7C17-A152A831A537} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EE5F21BB-197A-041B-53A6-055C6B35DD91} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F18BEDAC-18C9-04F5-6A22-BB6F60F9B61C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F22C21C3-2FA8-F0A7-72B3-7927ADEFC66E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F317424C-8ECC-86C7-5E5B-7AA1BD81D1C4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB118E8B-875C-AD27-289B-C22A5B4AA454} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKU\S-1-5-21-2376740472-2752991226-3942243025-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{FF6B2FD5-093C-4D4F-BB98-5641130A9DE6} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-2376740472-2752991226-3942243025-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{045AE71F-801F-4A71-C593-6529CE594056} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2376740472-2752991226-3942243025-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2CB91DCB-A5E9-DD47-0B46-E2380FC72EF2} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2376740472-2752991226-3942243025-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75877E2E-FCC5-29D8-75DB-DF6BCC96E791} -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\system32\ippp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addrd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\wineh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iedd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netce.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crum.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winom32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iera32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlhl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ielh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apiej.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apiha.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netsm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iexr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieri32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winop.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlrr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3fu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieov32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iprt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crfz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlub.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlpd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javavu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crnb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieos.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winsr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netfx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msrk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlqn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appoo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlcp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mswg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winle32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3td.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3wu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addgt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apish.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysut.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcmq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlsp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieyj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntxr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appcl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkxt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\adddv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appdj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addko32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3sz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msyw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iplq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcqa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdklo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winuw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netrb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcvt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crhb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netfi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysza32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkqj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipgt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipam32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appfg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfctr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crlv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netqp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netqf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apioy.exe -> Trojan.A

Attached Thumbnails

  • customize_desktop.JPG

  • 0

Advertisements

#11
coe
Posted 12 July 2005 - 04:00 AM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I'm sorry, I think I posted an incomplete (I stopped a scan once early and saved that log, which is in the previous post I think) Pandascan log before. Here is the *just* completed one:


Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\bqrufs5f.dat
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.log
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Take It Here - Free [bleep] TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Network Security.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Web Detective.url
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
Adware:Adware/nCase No disinfected C:\Temp\salm.log
Adware:Adware/nCase No disinfected C:\Temp\salm_gdf.dat
Adware:Adware/nCase No disinfected C:\Temp\salmau.dat
Adware:Adware/nCase No disinfected C:\Temp\salm_kyf.dat
-----------------------------
HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:59:58 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#12
Trevuren
Posted 12 July 2005 - 09:53 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I am very surprised that the procedure employed appears to have killed both infections at once.

1. Run HJT, Scan and place a checkmark beside the following item:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Now, with all windows closed, click Fix checked and EXIT the program.

2. Try this for your screen:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

3. REBOOT your system

4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review. Please tell me if your desktop is OK and inform of any other malware-related issues that your system may be experiencing.

Regards,

Trevuren
  • 0

#13
coe
Posted 12 July 2005 - 07:42 PM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
My desktop is fixed it seems, thank you! May I delete the Favorites placed in IE by the malware (lots about loans, jobs, spam filters, etc.), or must I do something other than delete them to clean them off? Also how shall I go about removing "Antivirus Gold 2.0" (just delete folder, go through "Add/Remove Programs" in Control Panel, or some other way?)? The attached screenshot shows what is still in my Program Files folder.

Also attached is a screen shot of the Properties of "My Current Homepage" (under Display properties). I am just wondering if the URL is something to be suspiscious of "About:Home"?

Below is the latest HJT log. Thank you again for everything you've helped me with so far.

Logfile of HijackThis v1.99.1
Scan saved at 6:28:27 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Attached Thumbnails

  • my_current_homepage_properties.JPG
  • unwanted_malware2.JPG
  • unwanted_malware.JPG

Edited by coe, 12 July 2005 - 07:48 PM.

  • 0

#14
Trevuren
Posted 12 July 2005 - 08:22 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. You may DELETE all icons, favorites and anything else that is associated with this infection.

2. We will DELETE AVGold in Safe Mode later on.

3. Manually RESET your HomePage and Search Page, if required

4. Please RUN HijackThis.
. Click the SCAN button to produce a log.

Place a check mark beside each one of the following item:

O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe

Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Antivirus Gold<===Folder and all its content


Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks. Please also inform me of any more concerns that you may have about your system at this time.

Regards,

Trevuren
  • 0

#15
coe
Posted 12 July 2005 - 11:34 PM

coe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hopefully this is the last time I will trouble you, so you can help others or relax. Antivirus Gold shows up under "Add or Remove Programs" in Control Panel, even though it is no longer in my Start>Program Files (after deleting in Safe Mode). I really don't mind, I'm just wondering if that means anything.

Below is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:31 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
-----------------------------

You have really helped me out (something I didn't think possible, especially in such a clear and fast way), I will send my donation as soon as it gets in my Paypal account.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP