Web Nexus Network Virus and Pop-ups [RESOLVED]



#1 nredshaw (Member, 11 posts)
I can't clear up Web Nexus Network pop-up ads in IE and Firefox. It has an "uninstaller," but I have already heard about that. It only uninstalls while connected to the internet, and it leaves a nice little package behind. No thanks!

I have done Cleanup!, AVG, Ad-aware, Spybot S&D, Ewido, Trojan Hunter, spy sweeper and now HijackThis.
Here is my latest log. Please Help...

Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 8:38:51 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ddecde.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ddecde.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ddecde] C:\WINDOWS\system32\ddecde.exe
O4 - HKCU\..\RunOnce: [ddecde] C:\WINDOWS\system32\ddecde.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120182203328
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#2 therock247uk (Expert, MVP, 14,671 posts)
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select safe mode.

3. While in safe mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKCU\..\Run: [ddecde] C:\WINDOWS\system32\ddecde.exe
O4 - HKCU\..\RunOnce: [ddecde] C:\WINDOWS\system32\ddecde.exe

4. Delete the folders (if present):

C:\Program Files\E2G\

5. Delete the files (if present):

C:\WINDOWS\system32\ddecde.exe

6. Reboot and post a new HijackThis log here in a reply.

#3 nredshaw (Topic Starter, Member, 11 posts)
Thanks so much for your help...
Here is my HJT log....
I am still getting Web Nexus Network pop-ups... Sometimes the windows come up with "Action Cancelled" in the window with no ad content...

Logfile of HijackThis v1.99.1
Scan saved at 12:33:18 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120182203328
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
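An added example, not code from the thread or from HijackThis itself: a small Python triage script for the HijackThis 1.99 log format posted above. It parses the R/O entries, flags O4 registry autoruns that point into the Windows directory or use RunOnce, and diffs the log from post #1 against the one from post #3, showing what the fix in post #2 removed and that a new [winsync] entry had appeared. The sample logs are trimmed from those two posts, and the one-item allowlist is an assumption made for the example.

```python
"""HijackThis 1.99 log triage: parse entries, flag suspicious O4 autoruns,
and diff two logs. Sample logs are trimmed from the thread's posts #1 and #3."""
import re
from dataclasses import dataclass

# Any "R0".."R3" or "Onn" line: "<code> - <body>"
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# Body of a registry O4 entry: "<hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed allowlist: system32 autoruns that are normal Windows components.
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe"}


@dataclass(frozen=True)
class HjtEntry:
    section: str  # "R1", "O2", "O4", "O23", ...
    body: str     # text after "Oxx - "

    def __str__(self):
        return f"{self.section} - {self.body}"


def parse_hjt_log(text):
    """R/O entries of a log; the header and the 'Running processes' list
    never match ENTRY_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("sec"), m.group("body")))
    return entries


def o4_target(cmd):
    """Executable path from an O4 command line (quoted or first token)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def suspicious_o4(entries):
    """Flag O4 registry autoruns that point into the Windows directory
    without being allowlisted, or that use RunOnce (which installed
    software rarely leaves behind). Returns the flagged entries."""
    flagged = []
    for e in entries:
        m = O4_RE.match(e.body) if e.section == "O4" else None
        if not m:  # non-O4, or the "Global Startup: x.lnk = ..." form
            continue
        target = o4_target(m.group("cmd")).lower()
        base = target.rsplit("\\", 1)[-1]
        in_windows = target.startswith("c:\\windows\\")
        run_once = m.group("hive").lower().endswith("runonce")
        if (in_windows and base not in KNOWN_GOOD_SYSTEM32) or run_once:
            flagged.append(e)
    return flagged


def diff_hjt_logs(before, after):
    """(removed, added) entries between two logs, each in log order."""
    b, a = parse_hjt_log(before), parse_hjt_log(after)
    b_set, a_set = set(b), set(a)
    return [e for e in b if e not in a_set], [e for e in a if e not in b_set]


# Trimmed from post #1 (before the fix given in post #2).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:38:51 PM, on 8/20/2005

Running processes:
C:\WINDOWS\system32\ddecde.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ddecde] C:\WINDOWS\system32\ddecde.exe
O4 - HKCU\..\RunOnce: [ddecde] C:\WINDOWS\system32\ddecde.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
"""

# Trimmed from post #3 (after the fix).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:33:18 PM, on 8/21/2005

Running processes:
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
"""

if __name__ == "__main__":
    removed, added = diff_hjt_logs(LOG_BEFORE, LOG_AFTER)
    still_bad = suspicious_o4(parse_hjt_log(LOG_AFTER))
    for label, items in (("Removed by the fix:", removed),
                         ("New since the fix:", added),
                         ("Still suspicious:", still_bad)):
        print(label)
        for e in items:
            print("  ", e)
```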

#4 therock247uk (Expert, MVP, 14,671 posts)
Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select safe mode.

Open Ewido
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files; click OK.
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save report.
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot and post the report Ewido made and a new HijackThis log here in a reply.

#5 nredshaw (Topic Starter, Member, 11 posts)
Hi, Ewido found 22 infected objects and cleaned them all.
The report is below the HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 8:19:51 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120182203328
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:09:26 PM, 8/21/2005
+ Report-Checksum: 94E51B7D

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qtb8vagl.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ei.exe -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NCB8N1O5\ei[1].exe -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\HJT\backups\backup-20050821-112042-699.dll -> Spyware.E2Give : Cleaned with backup
C:\WINDOWS\etb\pokapoka63.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\xud_63.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\pss\dkcc.exeCommon Startup -> TrojanDownloader.Qoologic.aa : Cleaned with backup
C:\WINDOWS\system32\mѕhta.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\psbnds.exe -> TrojanSpy.VB.eh : Cleaned with backup


::Report End

#6 therock247uk (Expert, MVP, 14,671 posts)
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select safe mode.

3. While in safe mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run

4. Delete the files (if present):

C:\WINDOWS\system32\kgddgx.exe

5. Reboot and post a new HijackThis log here in a reply.

#7 nredshaw (Topic Starter, Member, 11 posts)
Web Nexus Network is still generating pop-ups rrrrrgggg...

#8 therock247uk (Expert, MVP, 14,671 posts)
Follow my instructions in my last post above.

1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select safe mode.

3. While in safe mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run

4. Delete the files (if present):

C:\WINDOWS\system32\kgddgx.exe

5. Reboot and post a new HijackThis log here in a reply.



#9 nredshaw (Topic Starter, Member, 11 posts)
Web Nexus Network has not generated a pop-up in a while - hopefully that is a good sign....
However... kgddgx.exe is not allowing itself to be fixed by HJT or deleted. It says "Access is denied". It wasn't in Task Manager to end task and delete. Properties didn't seem to restrict deletion - but file security is not my strong suit...
I went in both as Administrator and as Owner...

Thanks again for your help...

Logfile of HijackThis v1.99.1
Scan saved at 11:01:56 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120182203328
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#10 therock247uk (Expert, MVP, 14,671 posts)
Please download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right-click the zip folder and select "Extract All"
    • Extract it somewhere you will remember, like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember, like the Desktop
Reboot into Safe Mode
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire system, so please be patient!
  • Once the scan is complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double-click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind!

#11 nredshaw (Topic Starter, Member, 11 posts)
I am away from my PC during the day, so I will need to do these steps when I get home this evening. Thanks for your persistence!

The Web Nexus Network pop-ups are still happening. I followed one thread where they suggested to click on the "click here to uninstall" link at the bottom of the pop-up screen and then worked on the "package" this bad boy left behind. - The thread had no positive resolution, so I don't know if they really cleaned it up.

Also, what might be causing the pop-ups to show up with a Windows "Action Cancelled"? I don't think I have created an entry in my HOSTS file for this guy, because it never reveals a web address to use as a HOSTS entry.

Again, Thanks for your help!!

n

#12 therock247uk (Expert, MVP, 14,671 posts)
Ok, please don't do anything else; just follow my instructions above, then we will get your PC cleaned up.

#13 nredshaw (Topic Starter, Member, 11 posts)
therock247uk
Will do
n

#14 nredshaw (Topic Starter, Member, 11 posts)
Here are the three logs - HJT, Track qoo, and WinPFind

Logfile of HijackThis v1.99.1
Scan saved at 7:29:12 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Notepad.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120182203328
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- gnkknsgn
{62bdb2c0-18ac-41ce-ac9b-18a2dea2f4b3}
C:\WINDOWS\system32\dnkkn.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}
C:\PROGRA~1\TROJAN~1.2\contmenu.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\Program Files\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
dkcc.exe
SpySubtract.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

desktop.ini
dkcc.exe
SpySubtract.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
RTSndMgr.CPL Realtek Semiconductor Corp.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
winsync 8/20/2005 6:07:30 PM 4523 C:\hijackthis 05 08 20 - 06 05 pm.log
qoologic 8/20/2005 8:10:40 PM 925 C:\log.txt
aspack 8/20/2005 8:10:40 PM 925 C:\log.txt
aspack 8/20/2005 8:08:42 PM 418 C:\win.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
69.59.186.63 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 8/2/2005 3:03:10 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 8/22/2005 6:09:16 PM 46080 C:\WINDOWS\SYSTEM32\djddjfd.dll
209.66.67.134 8/22/2005 6:09:16 PM 46080 C:\WINDOWS\SYSTEM32\djddjfd.dll
web-nex 8/22/2005 6:09:16 PM 46080 C:\WINDOWS\SYSTEM32\djddjfd.dll
winsync 8/22/2005 6:09:16 PM 46080 C:\WINDOWS\SYSTEM32\djddjfd.dll
69.59.186.63 8/22/2005 6:09:16 PM 10240 C:\WINDOWS\SYSTEM32\dnkkn.dll
209.66.67.134 8/22/2005 6:09:16 PM 10240 C:\WINDOWS\SYSTEM32\dnkkn.dll
web-nex 8/22/2005 6:09:16 PM 10240 C:\WINDOWS\SYSTEM32\dnkkn.dll
winsync 8/22/2005 6:09:16 PM 10240 C:\WINDOWS\SYSTEM32\dnkkn.dll
PTech 8/20/2004 3:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PEC2 8/1/2005 8:21:22 PM 67072 C:\WINDOWS\SYSTEM32\WinStat13.dll
PECompact2 8/1/2005 8:21:22 PM 67072 C:\WINDOWS\SYSTEM32\WinStat13.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 8/12/2005 8:27:50 AM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/12/2005 8:27:50 AM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/12/2005 8:27:50 AM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 generic.vpptechnologies.com
127.0.0.1 images2.vpptechnologies.com
127.0.0.1 main.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 qoologic.com
127.0.0.1 adsrv.qoologic.com
127.0.0.1 updates.qoologic.com
127.0.0.1 www.qoologic.com
127.0.0.1 ad-w-a-r-e.com
127.0.0.1 www.ad-w-a-r-e.com
127.0.0.1 belt.abetterinternet.com
127.0.0.1 s.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com

qoologic 8/20/2005 9:53:34 PM 165207 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
PTech 8/20/2005 9:53:34 PM 165207 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
abetterinternet.com 8/20/2005 9:53:34 PM 165207 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
ad-w-a-r-e.com 8/20/2005 9:53:34 PM 165207 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/22/2005 6:35:12 PM S 2048 C:\WINDOWS\bootstat.dat
6/30/2005 8:43:54 PM H 0 C:\WINDOWS\inf\oem61.inf
6/30/2005 9:10:32 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_10.cab
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
6/30/2005 9:06:34 AM S 11437 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
6/30/2005 1:42:18 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
6/30/2005 2:21:10 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
6/30/2005 8:46:18 AM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
6/28/2005 7:12:56 PM S 11845 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
7/2/2005 3:18:16 AM S 9445 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
8/22/2005 6:35:04 PM H 8192 C:\WINDOWS\system32\config\default.LOG
8/22/2005 6:35:22 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/22/2005 6:35:12 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/22/2005 6:35:44 PM H 81920 C:\WINDOWS\system32\config\software.LOG
8/22/2005 6:35:16 PM H 913408 C:\WINDOWS\system32\config\system.LOG
8/10/2005 6:54:10 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
8/11/2005 3:21:36 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
8/22/2005 6:30:24 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 4/6/2005 6:58:48 PM 294912 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 5/12/2004 2:26:58 AM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Realtek Semiconductor Corp. 3/17/2005 11:43:34 AM 262144 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 4/20/2004 7:45:12 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 5/4/2004 2:05:08 PM 309760 C:\WINDOWS\SYSTEM32\ReinstallBackups\0019\DriverFiles\ALSNDMGR.CPL
Intel Corporation 4/20/2004 7:45:12 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0020\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/12/2004 1:25:40 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/22/2005 6:09:16 PM 91648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkcc.exe
8/20/2005 2:27:58 PM 798 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/11/2004 6:20:28 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
5/12/2004 4:47:04 AM 1221 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
5/12/2004 1:25:40 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/11/2004 6:20:28 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
acc=marketingsector =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{D7B550E3-6C2F-4A44-89A4-7E0DF8AFA021} = C:\WINDOWS\system32\nymarta.dll
{B82E4360-8D09-4059-BB1C-EBD6FA7CBA20} = C:\WINDOWS\system32\scssetup.dll
{370A3778-154C-4248-9750-27F7CDB7C027} =
{5D9E0E53-80CA-4541-85CA-0CC0D6D94107} = C:\WINDOWS\system32\okecnv32.dll
{55DCE8ED-52C1-45F4-B643-BB60162ADA00} = C:\WINDOWS\system32\khdit142.dll
{7EC8EC39-D42B-4732-B75D-2D9DD6C55C11} = C:\WINDOWS\system32\cgyptdlg.dll
{BEF8D5D1-AF21-4A88-A65F-0CB89CA3A507} = C:\WINDOWS\system32\ksdic.dll
{6CF4B522-CAF5-43CD-B51E-FBF341A951E2} = C:\WINDOWS\system32\rfvpsp.dll
{A77A1C52-B3E0-4F61-9A1D-332718B0627E} = C:\WINDOWS\system32\ivclass.dll
{EA1988B9-E0A2-425F-9931-334D42F4FBAD} = C:\WINDOWS\system32\hzvaut32.dll
{42DCBA55-4096-483E-BCB5-62747C0B436C} = C:\WINDOWS\system32\sdreamci.dll
{F1AF25CC-1B93-4806-A076-361FA9701F82} = C:\WINDOWS\system32\lycdll.dll
{47AE0A33-F176-4EAD-A1AC-613E64E8F92F} = C:\WINDOWS\system32\ocbccu32.dll
{05D9AC8A-DB46-4DD4-BF71-0BC9690E95E0} = C:\WINDOWS\system32\mqcans32.dll
{9AD8E0B8-AD23-4BB3-83AB-A865FF03C2D0} = C:\WINDOWS\system32\mxcbase.dll
{14FC9918-5133-48F9-A0B3-55D0D5DA989C} = C:\WINDOWS\system32\ubiplat.dll
{CEBC3E04-5F1C-457B-ADB1-A10AEF803076} = C:\WINDOWS\system32\cVbview.dll
{0B40F6D4-88C2-4E95-8AC4-2F93993FA524} = C:\WINDOWS\system32\stncui.dll
{10ED04FD-DC2E-44AB-ABE0-BB8B4E35FBDF} = C:\WINDOWS\system32\com.dll
{6245B736-D5FD-4CB9-B9D9-48BEE0260F6C} = C:\WINDOWS\system32\rXsctrs.dll
{1553DA6A-FAC3-4F80-8FBD-363CDDB01178} = C:\WINDOWS\system32\hkreg.dll
{DC8A0D29-8EBB-4865-B409-F5AB5D181A8F} = C:\WINDOWS\system32\nfh21.dll
{FE9EB2CF-A985-49B5-B9FC-1C97624A9070} = C:\WINDOWS\system32\sCmlib.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gnkknsgn
{62bdb2c0-18ac-41ce-ac9b-18a2dea2f4b3} = C:\WINDOWS\system32\dnkkn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\system32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KBD C:\HP\KBD\KBD.EXE
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
trdh C:\WINDOWS\system32\trdh.exe
rlxscpf C:\WINDOWS\system32\rlxscpf.exe
ysmzypg C:\WINDOWS\system32\ysmzypg.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ddecde C:\WINDOWS\system32\ddecde.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/22/2005 6:43:25 PM

#15
therock247uk
Expert
  • 14,671 posts
  • MVP
Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gnkknsgn]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"qukiivau.exe"=-
"trdh"=-
"rlxscpf"=-
"ysmzypg"=-

; The WinPFind log above lists trdh, rlxscpf and ysmzypg under the HKLM policies\Explorer\Run
; key, so the same values are removed there too ("=-" deletes the named value).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"trdh"=-
"rlxscpf"=-
"ysmzypg"=-


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkcc.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\dkcc.exe
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\djddjfd.dll
C:\WINDOWS\SYSTEM32\dnkkn.dll
C:\WINDOWS\SYSTEM32\WinStat13.dll
C:\WINDOWS\system32\trdh.exe
C:\WINDOWS\system32\rlxscpf.exe
C:\WINDOWS\system32\ysmzypg.exe


As you paste each entry into Killbox, place a tick by any of these selections available:

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Now locate and double-click KillQoo.reg -> allow it to merge into the Registry!

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgddgx.exe reg_run

Now close all windows other than HijackThis, then click Fix Checked.

Restart back in Normal Mode and Post a fresh HijackThis log!
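As an added example (not code from this thread, WinPFind or Killbox), a small Python triage script that parses a constructed WinPFind-style excerpt and flags the autostart locations the helper's fix targets: every value under a policies\Explorer\Run key, and any Winlogon\Notify DLL outside the baseline of DLLs that appear in this thread's log. The sample lines, the xqzpl entry and the KNOWN_NOTIFY_DLLS set are assumptions built from the log above, not an official baseline.

```python
"""Triage a WinPFind-style autostart listing for entries a responder should review."""

# Constructed excerpt in WinPFind's layout: a key line, then "name data" lines
# (or "= dll" under a Winlogon\Notify subkey), with a blank line between keys.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
trdh C:\WINDOWS\system32\trdh.exe
rlxscpf C:\WINDOWS\system32\rlxscpf.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ddecde C:\WINDOWS\system32\ddecde.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xqzpl
= xqzpl.dll
"""

# Assumed baseline: the Winlogon\Notify DLLs listed in the thread's own log.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll"}


def parse_sections(text):
    """Return {registry key: [(value name, data), ...]} from the listing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().strip("[]")          # WinPFind brackets some key lines
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            name, _, data = line.partition(" ")
            if name == "=":                     # "= foo.dll" is the key's default value
                name = "(Default)"
            sections[current].append((name, data.strip()))
    return sections


def flag_suspicious(sections):
    """Return (key, name, data, reason) tuples worth a second look."""
    findings = []
    for key, entries in sections.items():
        key_lc = key.lower()
        for name, data in entries:
            if key_lc.endswith(r"\policies\explorer\run"):
                # Group-policy Run key: ordinary software almost never installs here.
                findings.append((key, name, data, "autostart under policies\\Explorer\\Run"))
            elif "\\winlogon\\notify\\" in key_lc and data.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append((key, name, data, "Winlogon Notify DLL not in baseline"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in flag_suspicious(parse_sections(SAMPLE_LOG)):
        print(f"{reason}: {name} -> {data}  [{key}]")
```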