Please help with Aurora removal [CLOSED]


  • This topic is locked

#1
csinclair21

  • Member
  • 13 posts
I've gone through all of the steps (ie Spybot, Antivirus program, etc.), but I'm still having some problems on my computer. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:14 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\hpdll\hpdll.exe
C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\mcm\mcm3.exe
C:\WINDOWS\system32\system.mcm
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Y356RXZ6i] hosiscon.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

I'd really appreciate your help. Thanks!

Edited by csinclair21, 23 July 2005 - 07:07 PM.



#2
kool808

  • Visiting Staff
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.

#3
kool808

  • Visiting Staff
  • 1,690 posts
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
First:
Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CCleaner and install it, but do not run it yet.

Please download this file: Revised Installer for the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
++++++++++++++++++++++++++++++++++++++++++++
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate the following, if they exist:
    • Side Search
    • hpdll
    • Ebates_MoeMoneyMaker
  • Click Uninstall
  • Confirm with OK
++++++++++++++++++++++++++++++++++++++++++++
Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

++++++++++++++++++++++++++++++++++++++++++++
Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe

Fast Search in Office XP - similar to the new revision of the Find Fast feature in Office 2000. Fast Search uses the Indexing Services in Office XP to create a catalog of Office files on your computer's hard disk. As with Find Fast - a waste of resources.

O4 - HKCU\..\Run: [Y356RXZ6i] hosiscon.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.
NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.

++++++++++++++++++++++++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\windows\system32\hosiscon.exe (or whatever the name may have changed to, as noted above).
  • C:\Program Files\hpdll <-- whole folder
  • C:\Program Files\Ebates_MoeMoneyMaker <-- whole folder
  • C:\Program Files\SideSearch <-- whole folder
Finally, Empty Recycle Bin

++++++++++++++++++++++++++++++++++++++++++++
Now run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan, by using Add Reply.

Please include this in the post.
  • Open HijackThis
  • go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • close HJT
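
One way to check a follow-up HijackThis log against the fix list above, including the note that the HKCU Run entry may come back under a different name. This is an added example, not part of the original thread: the `review` helper and the `Q1constructed` line are made up for illustration, and the other log lines are short excerpts from the logs posted in this thread.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body key")

# "O4 - HKLM\..\Run: [HPNT] C:\...\hpdll.exe" -> section "O4", body = the rest.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+?)\s*$")
# Registry autorun form of an O4 body: "HKCU\..\Run: [name] command".
AUTORUN_RE = re.compile(r"^(HK[A-Z]{2}\\\.\.\\\w+):\s*\[", re.IGNORECASE)


def parse_log(text):
    """Return the R*/O* entries of a log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            body = m.group("body")
            # Compare case-insensitively and ignore whitespace differences.
            key = (m.group("section"), " ".join(body.split()).lower())
            entries.append(Entry(m.group("section"), body, key))
    return entries


def autorun_location(entry):
    """'hkcu\\..\\run' style location for registry O4 entries, else None."""
    if entry.section != "O4":
        return None
    m = AUTORUN_RE.match(entry.body)
    return m.group(1).lower() if m else None


def review(before_text, fix_text, after_text):
    """Compare a follow-up log with the original log and the fix list.

    Returns (remaining, added, renamed):
      remaining - fix-list entries that are still in the follow-up log
      added     - follow-up entries that were not in the original log
      renamed   - added O4 registry entries in a location where an entry was
                  fixed; candidates for human review, not a verdict
    """
    before, fixed, after = (parse_log(t) for t in (before_text, fix_text, after_text))
    before_keys = {e.key for e in before}
    after_keys = {e.key for e in after}
    remaining = [e for e in fixed if e.key in after_keys]
    added = [e for e in after if e.key not in before_keys]
    fixed_locs = {autorun_location(e) for e in fixed} - {None}
    renamed = [e for e in added if autorun_location(e) in fixed_locs]
    return remaining, added, renamed


# Excerpt from the first log in this thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Y356RXZ6i] hosiscon.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
"""

# Excerpt from the entries the helper asked to check.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKCU\..\Run: [Y356RXZ6i] hosiscon.exe
"""

# Excerpt from the follow-up log posted in this thread.
AFTER_THREAD = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Constructed failure case: one fixed entry survived and the HKCU Run entry
# came back under a new (made-up) name.
AFTER_CONSTRUCTED = AFTER_THREAD + r"""
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKCU\..\Run: [Q1constructed] constructed-name.exe
"""

if __name__ == "__main__":
    for label, log in (("thread", AFTER_THREAD), ("constructed", AFTER_CONSTRUCTED)):
        remaining, added, renamed = review(BEFORE, FIX_LIST, log)
        print(label, "still present:", [e.body for e in remaining])
        print(label, "new since first log:", [e.body for e in added])
        print(label, "possible renamed autoruns:", [e.body for e in renamed])
```
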


#4
csinclair21

  • Topic Starter
  • Member
  • 13 posts
Thank you for your help. I've gone through your instructions, and here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:25:30 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\system.mcm
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

And here is the report log from the Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:13:22 PM, 7/24/2005
+ Report-Checksum: 8FB99D88

+ Scan result:

HKLM\SOFTWARE\BPT -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\135.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\27.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\64.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{86E5D74F-02EB-11D3-A464-0080C858F182} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{86E5D751-02EB-11D3-A464-0080C858F182} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{6B1BE80A-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{002EB272-2590-4693-B166-FBD5D9B6FEA6} -> Spyware.MultiMPP : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00320615-B6C2-40A6-8F99-F1C52D674FAD} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ACE-6851-45C3-A7FF-C281324D5489} -> Spyware.2nsSearch : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{26E8361F-BCE7-4F75-A347-98C88B418322} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E65A557-173C-4DE9-860B-28FC5CACA542} -> Spyware.FastFind : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D568F0F-8AC9-40AB-88B7-415134C78777} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7412C042-43B8-4F63-AEF3-E786DFAD1484} -> Spyware.SafeSurfing : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DC91DB-7896-43E3-B34D-A7D043F16BB1} -> Spyware.ClearStream : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} -> Spyware.ClearStream : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7EF827-47CC-48EB-B570-C367F1E1277E} -> Spyware.RideMG : Cleaned with backup
HKU\S-1-5-21-1078081533-764733703-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WUInst.dll -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\mcm\mcm3.exe -> TrojanProxy.Agent.fh : Cleaned with backup
C:\WINDOWS\twtvses.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\tqrhwaeut.exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\MyWayPluginProxy.class -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Winamp\winamp.exe -> Worm.Bagle.o : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\A7DA32A3-2AB5-4C4C-A216-6E8255 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\A858E77D-0793-4B5E-848F-A88124 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\AA33FB84-327D-4B50-A903-811A5A -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\C7ADC64F-06D2-49B5-899B-A948D3 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\D52A0C5E-9776-40FE-8D08-A1B8CC -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\C0DFE540-08AB-49E2-BC05-E434A6 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\EA86931C-5F56-457D-A21C-418BED -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\C5D07EC0-9AC2-4E3A-82E6-4E6D7D -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\75D7413A-309B-4894-BCAE-BD3D08 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\20B43791-3530-4331-8046-320F13 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\A5838B21-AD5F-4FE1-AC3B-3ECE6B -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\03786CBC-1872-4BCA-BC78-C4D09F -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\BE6FE6A8-CFEB-46D4-BB6B-B66A78 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\04074F9F-C5B9-4CC2-9470-654F68 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A73887A6-7E10-4954-95B9-9652B5\DD7392E1-1FAB-4348-808F-CEBE95 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\792A2E0C-CD00-4A46-A193-40386F\97DC3B86-7C8B-474B-B8B2-37250A -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\792A2E0C-CD00-4A46-A193-40386F\0F638210-EEDC-45F4-A9CA-C01019 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\792A2E0C-CD00-4A46-A193-40386F\11C23B33-4936-4334-987D-E78F26 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\792A2E0C-CD00-4A46-A193-40386F\5E87A717-09CE-48B9-843C-619620 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5EC6DF68-DDCF-4A86-A59F-A494C4\A35AFB1D-1498-458F-A8E0-80254B -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5EC6DF68-DDCF-4A86-A59F-A494C4\794A464E-64D5-4300-9DAE-8EF264 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5EC6DF68-DDCF-4A86-A59F-A494C4\EB50AC41-91B4-4BD3-BFD1-617209 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5EC6DF68-DDCF-4A86-A59F-A494C4\F746ABA0-CAB3-4A25-9628-9D3CEC -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A44970F4-58FC-41DC-8A80-42AB76\6F3DC2AE-70C1-4A01-A7DB-C5A8AA -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A44970F4-58FC-41DC-8A80-42AB76\8AD6A8D2-0926-4FC1-BF02-995EA8 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A44970F4-58FC-41DC-8A80-42AB76\3CFF5EEC-1BEF-42A7-BA6C-91D390 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A44970F4-58FC-41DC-8A80-42AB76\D400EDF9-DB79-4CA4-9076-2F7C86 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A32BC008-5A76-432B-8B0D-4E3E7A\785836F8-7716-4562-B82B-F6E14B -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A32BC008-5A76-432B-8B0D-4E3E7A\5A661B36-4CBB-47C0-8C87-BF234B -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A32BC008-5A76-432B-8B0D-4E3E7A\A07020D4-AEA4-4480-A833-99970E -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A32BC008-5A76-432B-8B0D-4E3E7A\393E6C0A-4F87-48E7-A51D-30C45D -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\37FD3562-3641-48BA-BCD0-56D29C\DB93445B-246F-4D89-96D4-83EE70 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\37FD3562-3641-48BA-BCD0-56D29C\D3B33A3E-4215-450C-AD79-C56AA9 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\37FD3562-3641-48BA-BCD0-56D29C\99EE859E-F906-4B16-8898-531AFA -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\37FD3562-3641-48BA-BCD0-56D29C\92A4E61F-B3F7-46E7-A45F-8677A4 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6FF7007F-8B9C-4DC5-B632-F3552E\6561857A-73D1-41EB-A747-B6EA0F -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6FF7007F-8B9C-4DC5-B632-F3552E\FBD1DBB6-06F5-41D4-BDCD-20A047 -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6FF7007F-8B9C-4DC5-B632-F3552E\1AAC7B03-FF4B-43E4-A68D-D7C57C -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6FF7007F-8B9C-4DC5-B632-F3552E\D23AE077-9A2B-40B6-8664-C640DC -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C5589D55-1E30-4568-9F70-E4FBB8\B38BDAB3-357C-4F68-ABA7-6CC8DE -> Spyware.FlashEnhancer : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@ehg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@zero.ads360[1].txt -> Spyware.Cookie.Ads360 : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@hg1.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@ehg.hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\All Users\Kate\Cookies\anyuser@www.hightrafficads[1].txt -> Spyware.Cookie.Hightrafficads : Cleaned with backup
C:\Documents and Settings\Katy\Cookies\katy@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Katy\Cookies\katy@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Katy\Cookies\katy@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Katy\Cookies\katy@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Katy\Cookies\katy@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Katy\Cookies\katy@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP730\A0089176.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP732\A0089212.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP732\A0089280.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP733\A0089410.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP734\A0089457.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP735\A0089462.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP735\A0089482.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP739\A0089557.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP739\A0089573.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP740\A0089576.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP741\A0089591.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP690\A0085291.exe -> Trojan.MulDrop.2057 : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP725\A0088034.DLL -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP725\A0088073.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP726\A0088083.exe -> Trojan.Agent.ee : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP726\A0088085.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP726\A0088086.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP727\A0089098.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP727\A0089119.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP729\A0089140.exe -> Adware.BetterInternet : Cleaned with backup

Finally, here is the Uninstall Manager list:

Adaptec DirectCD
Adaptec Easy CD Creator 4
Ad-Aware SE Personal
Adobe Acrobat 5.0
AIM+ (remove only)
AOL Instant Messenger
ArcSoft Camera Suite 1.3
CCleaner (remove only)
Citrix ICA Client
CleanUp!
ClearStream Accelerator
Dell Solution Center
DellTouch
Directory Toolbar
DivX Codec
DivX Player
Documents and Tools
ESPNMotion
ewido security suite
Harley-Davidson® - Race Around The World
HijackThis 1.99.1
HostExplorer
HouseCall (for Netscape)
HP DeskJet 950C Series (Remove only)
HP PhotoSmart Photo Printing Software
Image Expert 2000 v3.2
IMwire
InterActual Player
InterVideo WinDVD
Iomega Tools for Windows 95
J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment Standard Edition v1.3.1_04
Kazaa Media Desktop 2.1.1
K-Lite Codec Pack 2.41 Standard
LimeWire
LimeWire 4.8.1
Linksys BEFCMU10 EtherFast Cable Modem with USB
LiveUpdate 1.90 (Symantec Corporation)
Microsoft AntiSpyware
Microsoft Interactive Training
Microsoft Money 2001
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Modem Helper
Mozilla Firefox (1.0)
MSN Messenger 6.2
MSN Music Assistant
MusicMatch Jukebox
PCFriendly
PhoneTools
PopUp Killer
QuickTime
RealPlayer
R-Studio Demo v2.0
Santa Cruz
Snood 2.2R (Full Version)
Spybot - Search & Destroy 1.4
The Playa
The Weather Channel
User's Guides
Viewpoint Media Player
VisualElementFXad
Winamp (remove only)
Winamp3 (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Access Kit
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Wireless PCI Card Configuration Utility

Once again, thank you for your help and I'm looking forward to your reply.

Thanks!

#5
kool808

    Visiting Staff
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in HERE
  • Install the VX2 Cleaner
  • Start Ad-Aware SE
  • Go to "Plug-ins"
  • Select the VX2 Cleaner plug-in and click "Run Plugin"
  • If your computer isn't infected, click "Close".
If your computer is infected
  • Select "Clean system"
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer
Reboot in SAFE MODE. (How to boot in Safe Mode...)
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
  • Click Uninstall
  • Confirm with OK
Open Ad-aware and do a full scan. Remove all it finds.

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\Program Files\LimeWire <-- whole folder
  • C:\Program Files\IMWire <-- whole folder
  • C:\Program Files\Kazaa <-- whole folder
Finally, Empty Recycle Bin

Reboot back in NORMAL MODE.

To make sure it is perfectly clean let us have the final check.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.


#6
csinclair21

    Member
  • Topic Starter
My computer seems to be running much better. I've gone through the steps you listed above, and here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:43:21 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\system.mcm
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Thanks again, I really appreciate your help.
  • 0
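Added example (not part of the original thread and not HijackThis's own code): a Python triage of the O4 autostart lines from the log in the post above. It parses each entry and marks the ones a reviewer would look at first; the flag names and the three heuristics are assumptions of this example, and a flag means "check this file", not "malicious".

```python
import ntpath
import re
from dataclasses import dataclass, field

# Excerpt of the O4 (autostart) lines from the HijackThis log posted above,
# plus one O2 line to show that other sections are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
"""

# "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# "O4 - Global Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(
    r"^O4 - (?P<scope>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$"
)
# Unquoted commands may contain spaces, so take everything up to the first
# ".ext" that is followed by whitespace or end of line (heuristic).
IMAGE_RE = re.compile(r"(.+?\.[A-Za-z0-9]{2,4})(?=\s|$)")


@dataclass
class Autostart:
    source: str          # registry Run key or startup folder scope
    name: str            # value name or shortcut name
    command: str         # command line exactly as logged
    image: str           # file that would be launched
    flags: list = field(default_factory=list)


def image_path(command):
    """Return the launched file from a logged command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = IMAGE_RE.match(command)
    return match.group(1) if match else command


def review_flags(image):
    """Heuristic reasons (assumptions of this example) to inspect an entry."""
    flags = []
    directory = ntpath.dirname(image)
    extension = ntpath.splitext(image)[1].lower()
    if not directory:
        # No path: which file runs depends on the search order at logon.
        flags.append("no-directory")
    if extension != ".exe":
        flags.append("unusual-extension")
    # The log shows C:\WINDOWS as the Windows directory on this machine.
    if directory.lower() == r"c:\windows":
        flags.append("windows-root")
    return flags


def parse_autostarts(log_text):
    """Parse every O4 line of a HijackThis log into Autostart records."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        match = RUN_RE.match(line)
        if match:
            source = "{}\\{}".format(match["hive"], match["key"])
        else:
            match = STARTUP_RE.match(line)
            if not match:
                continue  # not an O4 entry
            source = match["scope"]
        image = image_path(match["cmd"])
        entries.append(
            Autostart(source, match["name"], match["cmd"], image, review_flags(image))
        )
    return entries


def needs_review(entries):
    """Entries with at least one flag, in log order."""
    return [entry for entry in entries if entry.flags]


if __name__ == "__main__":
    for entry in needs_review(parse_autostarts(SAMPLE_LOG)):
        print("{:<14} {:<32} {}  <- {}".format(
            entry.source, entry.name, entry.image, ", ".join(entry.flags)))
```
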

#7
kool808

    Visiting Staff
Download L2mfix from one of these two locations:

Location 1: HERE
Location 2: HERE

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#8
csinclair21

    Member
  • Topic Starter
Here is the log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Hotbar 4.3.5.0"="Hotbar"
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"=""
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=""
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec Directcd Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
@="Compressed Folder Right Drag Handler"

[HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
@="Compressed Folder SendTo Target"
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,7a,00,69,00,70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,31,00,30,00,32,00,32,00,36,00,00,00
"NeverShowExt"=""
"NoOpen"="Drag Files onto this icon to compress them."
"EditFlags"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon]
@="C:\\WINDOWS\\SYSTEM32\\ZIPFLDR.DLL"

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx]

[HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx\DropHandler]
@="{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
mcinsctl.dll Mon Jul 18 2005 12:03:12p A.... 349,760 341.56 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
mcgdmgr.dll Tue May 24 2005 7:23:32p A.... 288,320 281.56 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
schdwrp.dll Mon May 9 2005 4:18:26p A.... 122,880 120.00 K
haghkdf.dll Sun May 15 2005 11:39:36p A.... 10,338 10.09 K
ljaevhea.dll Sun May 15 2005 11:39:36p A.... 15,305 14.95 K
ljyszpza.dll Sun May 15 2005 10:39:48p A.... 2,640 2.58 K

9 items found: 9 files, 0 directories.
Total of file sizes: 1,129,347 bytes 1.07 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 07D1-031B

Directory of C:\WINDOWS\System32

09/01/2002 10:12 PM <DIR> dllcache
09/01/2002 09:48 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 26,054,901,760 bytes free

#9
kool808

    Visiting Staff

  • Member
  • 1,690 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#10
csinclair21

    Member

  • Topic Starter
  • Member
  • 13 posts
Here is the l2mfix log:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Katy\Desktop\New Folder\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Katy\Desktop\New Folder\l2mfix
C:\Documents and Settings\Katy\Desktop\New Folder\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Katy\Desktop\New Folder\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1872 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 38%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 64%)
adding: lo2.txt (deflated 71%)
adding: test2.txt (deflated 25%)
adding: test3.txt (deflated 14%)
adding: test5.txt (deflated 14%)
adding: test.txt (stored 0%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/BD472F60-27FA-11cf-B8B4-444553540000.reg (deflated 64%)
adding: backregs/888DCA60-FC0A-11CF-8F0F-00C04FD7D062.reg (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BD472F60-27FA-11cf-B8B4-444553540000}"=-
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
[-HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 PM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Thank you again for taking your time to help me.

#11
kool808

    Visiting Staff

  • Member
  • 1,690 posts
Very good, you did great; your log is much better now.

Place a shortcut to Panda ActiveScan on your desktop.

Reboot in SAFE MODE. (How to boot in Safe Mode...)

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#12
csinclair21

    Member

  • Topic Starter
  • Member
  • 13 posts
Here is the Ad-Aware log:

Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, July 29, 2005 10:01:22 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R56 21.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R56 21.07.2005
Internal build : 65
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 501264 Bytes
Total size : 1511688 Bytes
Signature data size : 1479157 Bytes
Reference data size : 32019 Bytes
Signatures total : 42142
CSI Fingerprints total : 979
CSI data size : 34474 Bytes
Target categories : 15
Target families : 718


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:47 %
Total physical memory:261196 kb
Available physical memory:122108 kb
Total page file size:631828 kb
Available on page file:547420 kb
Total virtual memory:2097024 kb
Available virtual memory:2044292 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-29-2005 10:01:22 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 252
ThreadCreationTime : 7-29-2005 10:59:07 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 308
ThreadCreationTime : 7-29-2005 10:59:10 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 332
ThreadCreationTime : 7-29-2005 10:59:12 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 376
ThreadCreationTime : 7-29-2005 10:59:14 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 388
ThreadCreationTime : 7-29-2005 10:59:14 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 528
ThreadCreationTime : 7-29-2005 10:59:16 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 576
ThreadCreationTime : 7-29-2005 10:59:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 624
ThreadCreationTime : 7-29-2005 10:59:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 676
ThreadCreationTime : 7-29-2005 10:59:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 732
ThreadCreationTime : 7-29-2005 10:59:19 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 960
ThreadCreationTime : 7-29-2005 10:59:30 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [ctfmon.exe]
ModuleName : C:\WINDOWS\system32\ctfmon.exe
Command Line : ctfmon.exe
ProcessID : 1276
ThreadCreationTime : 7-29-2005 10:59:54 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:13 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1832
ThreadCreationTime : 7-30-2005 2:01:10 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Katy\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 5




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

10:07:27 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:04.464
Objects scanned:120938
Objects identified:0
Objects ignored:0
New critical objects:0


The Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:16:52 AM, 7/30/2005
+ Report-Checksum: 9965186F

+ Scan result:

:mozilla.24:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.265:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.275:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.285:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.286:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.287:C:\Documents and Settings\Katy\Application Data\Mozilla\Firefox\Profiles\9x27hq7a.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP742\A0089711.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP742\A0089712.exe -> TrojanProxy.Agent.fh : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP742\A0089715.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP742\A0089716.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{EA638BAD-21B4-40F1-982D-3F6403F625FA}\RP742\A0089717.exe -> Worm.Bagle.o : Cleaned with backup


::Report End


And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:13 AM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  • 0

#13
kool808

    Visiting Staff

  • Member
  • 1,690 posts
You did it very well, nicely done!

:yes: :) :tazz: :( :woot: :tazz: :huh: :( :wub: :hug: :woot:


Congratulations! ;) your system is CLEAN!

WinXP Reset & All-Clean1

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
  • 0

#14
csinclair21

    Member

  • Topic Starter
  • Member
  • 13 posts
I forgot to post the results of the Panda scan. Here they are....

Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/myway No disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:adware/ezula No disinfected C:\WINDOWS\SYSTEM32\ezStub3.dll
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/gator No disinfected C:\WINDOWS\FT1_01_0_218_GEPFAH.EXE
Adware:adware/broadcastpc No disinfected C:\PROGRAM FILES\Bpt
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\KATY\FAVORITES\shop
Spyware:spyware/searchcentrix No disinfected HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/beginto No disinfected HKEY_CURRENT_USER\EEENNN
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\ezStub3.dll
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/FlashTrack No disinfected C:\Program Files\Common Files\Java\flencpy.cfg
  • 0

#15
kool808

    Visiting Staff

  • Member
  • 1,690 posts

Forget the clean log, we have to disinfect this again.


STEP 1
Open up NOTEPAD, then copy & paste the following code (starting from REGEDIT4). Save it on desktop as fixme.reg. Choose file types as ALL FILES.

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR]

[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC]

[-HKEY_CURRENT_USER\EEENNN]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}]

[-HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}]

Now double-click fixme.reg then allow it to merge to the system.

STEP 2
Click HERE to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click Killbox.exe to run it.

Select "Delete on Reboot".

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C


C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\FT1_01_0_218_GEPFAH.EXE
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
C:\WINDOWS\Downloaded Program Files\sdmtb.dll
C:\WINDOWS\inf\satmat.inf
C:\Program Files\Common Files\Java\flencpy.cfg



Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart in SAFE MODE and run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

While still in safe mode:

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\PROGRAM FILES\Bpt <-- whole folder
  • C:\WINDOWS\SYSTEM32\FLEOK <-- whole folder
  • C:\DOCUMENTS AND SETTINGS\KATY\FAVORITES\shop <-- whole folder
Finally, Empty Recycle Bin

Reboot back in NORMAL MODE.

Have another Panda Scan then save the results.

To make sure it is perfectly clean let us have the final check.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Post the Panda Scan results too.
  • Please tell me how your system is working now.

  • 0
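The step from the scan results in post #14 to the registry and file lists in post #15, as an added example that is not part of the original thread: it sorts each reported location into registry keys, files, and items that need a manual look, and drops paths reported twice under different detection names. The function names are illustrative, and reading `path[member]` as a file inside an archive is an assumption.

```python
import re
from ntpath import splitext, basename

# Lines copied from the Panda scan in post #14 (a subset covering each case).
SCAN = r"""
Incident Status Location
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/myway No disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:adware/broadcastpc No disinfected C:\PROGRAM FILES\Bpt
Spyware:spyware/searchcentrix No disinfected HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR
Adware:adware/beginto No disinfected HKEY_CURRENT_USER\EEENNN
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.dll
"""

# Only the status string seen on this page is recognised.
ROW = re.compile(r"^(\w+):(\S+)\s+No disinfected\s+(.+)$")
MEMBER = re.compile(r"^(.+)\[([^\]]+)\]$")  # assumed: container[member inside archive]

def triage(scan_text):
    """Sort scan locations into registry keys, files and items to check by hand."""
    out = {"reg_keys": [], "files": [], "manual": []}
    seen = set()
    for line in scan_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header row, blank line, or an unrecognised status
        loc = m.group(3).strip()
        inner = MEMBER.match(loc)
        if inner:
            loc = inner.group(1)  # act on the container file, not the member
        if loc.lower() in seen:
            continue  # same path reported under a second detection name
        seen.add(loc.lower())
        if loc.upper().startswith("HKEY_"):
            out["reg_keys"].append(loc)
        elif splitext(basename(loc))[1]:
            out["files"].append(loc)
        else:
            out["manual"].append(loc)  # folder or extension-less file
    return out

def to_reg(keys):
    """Render key deletions in the REGEDIT4 form used for fixme.reg."""
    return "REGEDIT4\n\n" + "\n\n".join("[-%s]" % k for k in keys) + "\n"
```

Entries that land in `manual` cannot be told apart from the scan line alone; on this page they turned out to be whole folders removed through Windows Explorer.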





