
coolwwwsearch.homesearch [RESOLVED]



#16 Rawe (Visiting Staff)
Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; Remote Procedure Call (RPC) Helper

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: 11Fßä#·ºÄÖ`I
    It is IMPORTANT that there is a space in front of the FIRST number 1 or it WON'T work!
  • Click "ok", then reboot

After the reboot, locate the following file and delete if present:

C:\WINDOWS\system32\netqd32.exe

Empty recycle bin. Then post a fresh HiJackThis log.

If you can't find it, please post a fresh HiJackThis log anyways but don't reboot after that unless I ask you to. :tazz:

#17 burge1779 (Topic Starter)
I found it all OK this time. The only problem I had was when I reopened IE: I got an add-on error on 13 .dll files:
netvx32, nethx, crid, addre32, d3uo, adddb32, iejn32, d3wq32, d3sf, addpm32, netto32, crgu, and addbr32. I just disabled all the files it brought up until it would let me in. By the way, thanks for helping fix my computer. I really appreciate it. :tazz:



Logfile of HijackThis v1.99.1
Scan saved at 7:07:55 AM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\d3uo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\iedz.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\intell32.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {041AC22B-52A7-3508-2D9E-69DB4FB03651} - C:\WINDOWS\system32\addfk32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0E13A01E-1244-8F85-35F0-1F802FC7683C} - C:\WINDOWS\d3sf.dll
O2 - BHO: Class - {1321EF49-6B5C-04F9-66D4-F25BB941C72B} - C:\WINDOWS\addpm32.dll
O2 - BHO: Class - {13B8F199-A963-2933-DD22-E4C591B9A819} - C:\WINDOWS\system32\netto32.dll
O2 - BHO: Class - {21C736D6-ECF0-94E4-C3D0-C98996603706} - C:\WINDOWS\crgu.dll
O2 - BHO: Class - {32FD5A16-7B87-D254-57E3-C8A486AA74D6} - C:\WINDOWS\addbr32.dll
O2 - BHO: Class - {77E07B4E-9CE6-E087-9155-EC37594EE654} - C:\WINDOWS\system32\ipai.dll
O2 - BHO: Class - {77E70C49-A6C0-E0DF-2FB1-6550B26C41D0} - C:\WINDOWS\d3uo.dll
O2 - BHO: Class - {A16CC660-152B-F183-766B-5D9B5621E906} - C:\WINDOWS\system32\adddb32.dll
O2 - BHO: Class - {ABD4A3BE-1A5E-AADC-4BF7-9DA2EB322905} - C:\WINDOWS\iejn32.dll
O2 - BHO: Class - {B1EA2010-07E4-3D19-B07F-C5DA991481C8} - C:\WINDOWS\system32\d3wq32.dll
O2 - BHO: Class - {B249DC94-2E17-7065-F181-A8A240375B89} - C:\WINDOWS\system32\netvx32.dll
O2 - BHO: Class - {D77A96D0-9D84-A958-041B-5181C69B77CF} - C:\WINDOWS\netxh.dll
O2 - BHO: Class - {D8DD2012-1BEC-74D3-2065-8D04FFA52092} - C:\WINDOWS\ipcs.dll
O2 - BHO: Class - {E5EBC176-FBD7-D920-DBD4-7A0D51DBD571} - C:\WINDOWS\system32\crid.dll
O2 - BHO: Class - {FCB51F0E-2C0D-0B31-D324-1F2349F7433A} - C:\WINDOWS\addre32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [mfcpv.exe] C:\WINDOWS\mfcpv.exe
O4 - HKLM\..\Run: [d3np32.exe] C:\WINDOWS\system32\d3np32.exe
O4 - HKLM\..\Run: [sdktu.exe] C:\WINDOWS\sdktu.exe
O4 - HKLM\..\Run: [appew.exe] C:\WINDOWS\appew.exe
O4 - HKLM\..\Run: [iehb32.exe] C:\WINDOWS\system32\iehb32.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [appns.exe] C:\WINDOWS\appns.exe
O4 - HKLM\..\Run: [mswm.exe] C:\WINDOWS\system32\mswm.exe
O4 - HKLM\..\Run: [netny.exe] C:\WINDOWS\netny.exe
O4 - HKLM\..\Run: [d3ps.exe] C:\WINDOWS\d3ps.exe
O4 - HKLM\..\Run: [d3uo.exe] C:\WINDOWS\d3uo.exe
O4 - HKLM\..\RunOnce: [crib32.exe] C:\WINDOWS\crib32.exe
O4 - HKLM\..\RunOnce: [ipcg32.exe] C:\WINDOWS\system32\ipcg32.exe
O4 - HKLM\..\RunOnce: [msao32.exe] C:\WINDOWS\msao32.exe
O4 - HKLM\..\RunOnce: [appev.exe] C:\WINDOWS\system32\appev.exe
O4 - HKLM\..\RunOnce: [apimp32.exe] C:\WINDOWS\system32\apimp32.exe
O4 - HKLM\..\RunOnce: [sysdt32.exe] C:\WINDOWS\system32\sysdt32.exe
O4 - HKLM\..\RunOnce: [ielm.exe] C:\WINDOWS\system32\ielm.exe
O4 - HKLM\..\RunOnce: [wingk32.exe] C:\WINDOWS\system32\wingk32.exe
O4 - HKLM\..\RunOnce: [crxz.exe] C:\WINDOWS\crxz.exe
O4 - HKLM\..\RunOnce: [d3ky.exe] C:\WINDOWS\d3ky.exe
O4 - HKLM\..\RunOnce: [winzk.exe] C:\WINDOWS\system32\winzk.exe
O4 - HKLM\..\RunOnce: [iecy32.exe] C:\WINDOWS\iecy32.exe
O4 - HKLM\..\RunOnce: [netqd32.exe] C:\WINDOWS\system32\netqd32.exe
O4 - HKLM\..\RunOnce: [d3pb.exe] C:\WINDOWS\system32\d3pb.exe
O4 - HKLM\..\RunOnce: [crxw32.exe] C:\WINDOWS\system32\crxw32.exe
O4 - HKLM\..\RunOnce: [mfcmu32.exe] C:\WINDOWS\system32\mfcmu32.exe
O4 - HKLM\..\RunOnce: [ielc.exe] C:\WINDOWS\system32\ielc.exe
O4 - HKLM\..\RunOnce: [crdt.exe] C:\WINDOWS\crdt.exe
O4 - HKLM\..\RunOnce: [netin32.exe] C:\WINDOWS\netin32.exe
O4 - HKLM\..\RunOnce: [sdksi.exe] C:\WINDOWS\sdksi.exe
O4 - HKLM\..\RunOnce: [mfcna32.exe] C:\WINDOWS\system32\mfcna32.exe
O4 - HKLM\..\RunOnce: [d3fk.exe] C:\WINDOWS\system32\d3fk.exe
O4 - HKLM\..\RunOnce: [netle.exe] C:\WINDOWS\netle.exe
O4 - HKLM\..\RunOnce: [sysfn.exe] C:\WINDOWS\system32\sysfn.exe
O4 - HKLM\..\RunOnce: [javavf.exe] C:\WINDOWS\system32\javavf.exe
O4 - HKLM\..\RunOnce: [mfcuf32.exe] C:\WINDOWS\system32\mfcuf32.exe
O4 - HKLM\..\RunOnce: [iezh.exe] C:\WINDOWS\iezh.exe
O4 - HKLM\..\RunOnce: [appdl32.exe] C:\WINDOWS\appdl32.exe
O4 - HKLM\..\RunOnce: [msjf.exe] C:\WINDOWS\system32\msjf.exe
O4 - HKLM\..\RunOnce: [mscb.exe] C:\WINDOWS\mscb.exe
O4 - HKLM\..\RunOnce: [javanz.exe] C:\WINDOWS\javanz.exe
O4 - HKLM\..\RunOnce: [sdkvz32.exe] C:\WINDOWS\sdkvz32.exe
O4 - HKLM\..\RunOnce: [mfcbb.exe] C:\WINDOWS\system32\mfcbb.exe
O4 - HKLM\..\RunOnce: [sdkqr32.exe] C:\WINDOWS\sdkqr32.exe
O4 - HKLM\..\RunOnce: [mfcvl.exe] C:\WINDOWS\mfcvl.exe
O4 - HKLM\..\RunOnce: [sysok32.exe] C:\WINDOWS\system32\sysok32.exe
O4 - HKLM\..\RunOnce: [iepm.exe] C:\WINDOWS\iepm.exe
O4 - HKLM\..\RunOnce: [mseh32.exe] C:\WINDOWS\system32\mseh32.exe
O4 - HKLM\..\RunOnce: [ntrb.exe] C:\WINDOWS\system32\ntrb.exe
O4 - HKLM\..\RunOnce: [netlh.exe] C:\WINDOWS\netlh.exe
O4 - HKLM\..\RunOnce: [mfcbc.exe] C:\WINDOWS\mfcbc.exe
O4 - HKLM\..\RunOnce: [ieaj32.exe] C:\WINDOWS\ieaj32.exe
O4 - HKLM\..\RunOnce: [sdksv32.exe] C:\WINDOWS\system32\sdksv32.exe
O4 - HKLM\..\RunOnce: [atlqw32.exe] C:\WINDOWS\system32\atlqw32.exe
O4 - HKLM\..\RunOnce: [iedz.exe] C:\WINDOWS\iedz.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c282.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...5e012/enter.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crib32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#18 Rawe (Visiting Staff)
Wow, it's still there :)

Did you do it completely last time??

Let's do a LONG fix..

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6 and always go online and update it before you run it).

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

2. Set up the Configurations as follows:
  • Click the Gear wheel at the top of the Ad-Aware window
  • Click General > Safety & Settings: Check (Green) all three.
  • Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click on "Proceed"

Exit Ad-aware, we'll run it later on.

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Now do this..

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; Network Security Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: 11Fßä#·ºÄÖ`I
    It is IMPORTANT that there is a space in front of the FIRST number 1 or it WON'T work!
  • Click "ok", then reboot

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


===================================================
Run a scan with HiJackThis and check the following objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nxnpp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {041AC22B-52A7-3508-2D9E-69DB4FB03651} - C:\WINDOWS\system32\addfk32.dll
O2 - BHO: Class - {0E13A01E-1244-8F85-35F0-1F802FC7683C} - C:\WINDOWS\d3sf.dll
O2 - BHO: Class - {1321EF49-6B5C-04F9-66D4-F25BB941C72B} - C:\WINDOWS\addpm32.dll
O2 - BHO: Class - {13B8F199-A963-2933-DD22-E4C591B9A819} - C:\WINDOWS\system32\netto32.dll
O2 - BHO: Class - {21C736D6-ECF0-94E4-C3D0-C98996603706} - C:\WINDOWS\crgu.dll
O2 - BHO: Class - {32FD5A16-7B87-D254-57E3-C8A486AA74D6} - C:\WINDOWS\addbr32.dll
O2 - BHO: Class - {77E07B4E-9CE6-E087-9155-EC37594EE654} - C:\WINDOWS\system32\ipai.dll
O2 - BHO: Class - {77E70C49-A6C0-E0DF-2FB1-6550B26C41D0} - C:\WINDOWS\d3uo.dll
O2 - BHO: Class - {A16CC660-152B-F183-766B-5D9B5621E906} - C:\WINDOWS\system32\adddb32.dll
O2 - BHO: Class - {ABD4A3BE-1A5E-AADC-4BF7-9DA2EB322905} - C:\WINDOWS\iejn32.dll
O2 - BHO: Class - {B1EA2010-07E4-3D19-B07F-C5DA991481C8} - C:\WINDOWS\system32\d3wq32.dll
O2 - BHO: Class - {B249DC94-2E17-7065-F181-A8A240375B89} - C:\WINDOWS\system32\netvx32.dll
O2 - BHO: Class - {D77A96D0-9D84-A958-041B-5181C69B77CF} - C:\WINDOWS\netxh.dll
O2 - BHO: Class - {D8DD2012-1BEC-74D3-2065-8D04FFA52092} - C:\WINDOWS\ipcs.dll
O2 - BHO: Class - {E5EBC176-FBD7-D920-DBD4-7A0D51DBD571} - C:\WINDOWS\system32\crid.dll
O2 - BHO: Class - {FCB51F0E-2C0D-0B31-D324-1F2349F7433A} - C:\WINDOWS\addre32.dll
O4 - HKLM\..\Run: [mfcpv.exe] C:\WINDOWS\mfcpv.exe
O4 - HKLM\..\Run: [d3np32.exe] C:\WINDOWS\system32\d3np32.exe
O4 - HKLM\..\Run: [sdktu.exe] C:\WINDOWS\sdktu.exe
O4 - HKLM\..\Run: [appew.exe] C:\WINDOWS\appew.exe
O4 - HKLM\..\Run: [iehb32.exe] C:\WINDOWS\system32\iehb32.exe
O4 - HKLM\..\Run: [appns.exe] C:\WINDOWS\appns.exe
O4 - HKLM\..\Run: [mswm.exe] C:\WINDOWS\system32\mswm.exe
O4 - HKLM\..\Run: [netny.exe] C:\WINDOWS\netny.exe
O4 - HKLM\..\Run: [d3ps.exe] C:\WINDOWS\d3ps.exe
O4 - HKLM\..\Run: [d3uo.exe] C:\WINDOWS\d3uo.exe
O4 - HKLM\..\RunOnce: [crib32.exe] C:\WINDOWS\crib32.exe
O4 - HKLM\..\RunOnce: [ipcg32.exe] C:\WINDOWS\system32\ipcg32.exe
O4 - HKLM\..\RunOnce: [msao32.exe] C:\WINDOWS\msao32.exe
O4 - HKLM\..\RunOnce: [appev.exe] C:\WINDOWS\system32\appev.exe
O4 - HKLM\..\RunOnce: [apimp32.exe] C:\WINDOWS\system32\apimp32.exe
O4 - HKLM\..\RunOnce: [sysdt32.exe] C:\WINDOWS\system32\sysdt32.exe
O4 - HKLM\..\RunOnce: [ielm.exe] C:\WINDOWS\system32\ielm.exe
O4 - HKLM\..\RunOnce: [wingk32.exe] C:\WINDOWS\system32\wingk32.exe
O4 - HKLM\..\RunOnce: [crxz.exe] C:\WINDOWS\crxz.exe
O4 - HKLM\..\RunOnce: [d3ky.exe] C:\WINDOWS\d3ky.exe
O4 - HKLM\..\RunOnce: [winzk.exe] C:\WINDOWS\system32\winzk.exe
O4 - HKLM\..\RunOnce: [iecy32.exe] C:\WINDOWS\iecy32.exe
O4 - HKLM\..\RunOnce: [netqd32.exe] C:\WINDOWS\system32\netqd32.exe
O4 - HKLM\..\RunOnce: [d3pb.exe] C:\WINDOWS\system32\d3pb.exe
O4 - HKLM\..\RunOnce: [crxw32.exe] C:\WINDOWS\system32\crxw32.exe
O4 - HKLM\..\RunOnce: [mfcmu32.exe] C:\WINDOWS\system32\mfcmu32.exe
O4 - HKLM\..\RunOnce: [ielc.exe] C:\WINDOWS\system32\ielc.exe
O4 - HKLM\..\RunOnce: [crdt.exe] C:\WINDOWS\crdt.exe
O4 - HKLM\..\RunOnce: [netin32.exe] C:\WINDOWS\netin32.exe
O4 - HKLM\..\RunOnce: [sdksi.exe] C:\WINDOWS\sdksi.exe
O4 - HKLM\..\RunOnce: [mfcna32.exe] C:\WINDOWS\system32\mfcna32.exe
O4 - HKLM\..\RunOnce: [d3fk.exe] C:\WINDOWS\system32\d3fk.exe
O4 - HKLM\..\RunOnce: [netle.exe] C:\WINDOWS\netle.exe
O4 - HKLM\..\RunOnce: [sysfn.exe] C:\WINDOWS\system32\sysfn.exe
O4 - HKLM\..\RunOnce: [javavf.exe] C:\WINDOWS\system32\javavf.exe
O4 - HKLM\..\RunOnce: [mfcuf32.exe] C:\WINDOWS\system32\mfcuf32.exe
O4 - HKLM\..\RunOnce: [iezh.exe] C:\WINDOWS\iezh.exe
O4 - HKLM\..\RunOnce: [appdl32.exe] C:\WINDOWS\appdl32.exe
O4 - HKLM\..\RunOnce: [msjf.exe] C:\WINDOWS\system32\msjf.exe
O4 - HKLM\..\RunOnce: [mscb.exe] C:\WINDOWS\mscb.exe
O4 - HKLM\..\RunOnce: [javanz.exe] C:\WINDOWS\javanz.exe
O4 - HKLM\..\RunOnce: [sdkvz32.exe] C:\WINDOWS\sdkvz32.exe
O4 - HKLM\..\RunOnce: [mfcbb.exe] C:\WINDOWS\system32\mfcbb.exe
O4 - HKLM\..\RunOnce: [sdkqr32.exe] C:\WINDOWS\sdkqr32.exe
O4 - HKLM\..\RunOnce: [mfcvl.exe] C:\WINDOWS\mfcvl.exe
O4 - HKLM\..\RunOnce: [sysok32.exe] C:\WINDOWS\system32\sysok32.exe
O4 - HKLM\..\RunOnce: [iepm.exe] C:\WINDOWS\iepm.exe
O4 - HKLM\..\RunOnce: [mseh32.exe] C:\WINDOWS\system32\mseh32.exe
O4 - HKLM\..\RunOnce: [ntrb.exe] C:\WINDOWS\system32\ntrb.exe
O4 - HKLM\..\RunOnce: [netlh.exe] C:\WINDOWS\netlh.exe
O4 - HKLM\..\RunOnce: [mfcbc.exe] C:\WINDOWS\mfcbc.exe
O4 - HKLM\..\RunOnce: [ieaj32.exe] C:\WINDOWS\ieaj32.exe
O4 - HKLM\..\RunOnce: [sdksv32.exe] C:\WINDOWS\system32\sdksv32.exe
O4 - HKLM\..\RunOnce: [atlqw32.exe] C:\WINDOWS\system32\atlqw32.exe
O4 - HKLM\..\RunOnce: [iedz.exe] C:\WINDOWS\iedz.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crib32.exe" /s (file missing)


Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Launch Ad-aware..

4. Click on "Scan Now"
5. Deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to every "target family" for removal.
11. Click "Next", Click "OK".
12. Exit Ad-aware.

Enable show hidden files and folders:

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

Using Windows Explorer, locate the following files and delete if present:


C:\WINDOWS\system32\addfk32.dll
C:\WINDOWS\d3sf.dll
C:\WINDOWS\addpm32.dll
C:\WINDOWS\system32\netto32.dll
C:\WINDOWS\crgu.dll
C:\WINDOWS\addbr32.dll
C:\WINDOWS\system32\ipai.dll
C:\WINDOWS\d3uo.dll
C:\WINDOWS\system32\adddb32.dll
C:\WINDOWS\iejn32.dll
C:\WINDOWS\system32\d3wq32.dll
C:\WINDOWS\system32\netvx32.dll
C:\WINDOWS\netxh.dll
C:\WINDOWS\ipcs.dll
C:\WINDOWS\system32\crid.dll
C:\WINDOWS\addre32.dll
C:\WINDOWS\mfcpv.exe
C:\WINDOWS\system32\d3np32.exe
C:\WINDOWS\sdktu.exe
C:\WINDOWS\appew.exe
C:\WINDOWS\system32\iehb32.exe
C:\WINDOWS\appns.exe
C:\WINDOWS\system32\mswm.exe
C:\WINDOWS\netny.exe
C:\WINDOWS\d3ps.exe
C:\WINDOWS\d3uo.exe
C:\WINDOWS\crib32.exe
C:\WINDOWS\system32\ipcg32.exe
C:\WINDOWS\msao32.exe
C:\WINDOWS\system32\appev.exe
C:\WINDOWS\system32\apimp32.exe
C:\WINDOWS\system32\sysdt32.exe
C:\WINDOWS\system32\ielm.exe
C:\WINDOWS\system32\wingk32.exe
C:\WINDOWS\crxz.exe
C:\WINDOWS\d3ky.exe
C:\WINDOWS\system32\winzk.exe
C:\WINDOWS\iecy32.exe
C:\WINDOWS\system32\netqd32.exe
C:\WINDOWS\system32\d3pb.exe
C:\WINDOWS\system32\crxw32.exe
C:\WINDOWS\system32\mfcmu32.exe
C:\WINDOWS\system32\ielc.exe
C:\WINDOWS\crdt.exe
C:\WINDOWS\netin32.exe
C:\WINDOWS\sdksi.exe
C:\WINDOWS\system32\mfcna32.exe
C:\WINDOWS\system32\d3fk.exe
C:\WINDOWS\netle.exe
C:\WINDOWS\system32\sysfn.exe
C:\WINDOWS\system32\javavf.exe
C:\WINDOWS\system32\mfcuf32.exe
C:\WINDOWS\iezh.exe
C:\WINDOWS\appdl32.exe
C:\WINDOWS\system32\msjf.exe
C:\WINDOWS\mscb.exe
C:\WINDOWS\javanz.exe
C:\WINDOWS\sdkvz32.exe
C:\WINDOWS\system32\mfcbb.exe
C:\WINDOWS\sdkqr32.exe
C:\WINDOWS\mfcvl.exe
C:\WINDOWS\system32\sysok32.exe
C:\WINDOWS\iepm.exe
C:\WINDOWS\system32\mseh32.exe
C:\WINDOWS\system32\ntrb.exe
C:\WINDOWS\netlh.exe
C:\WINDOWS\mfcbc.exe
C:\WINDOWS\ieaj32.exe
C:\WINDOWS\system32\sdksv32.exe
C:\WINDOWS\system32\atlqw32.exe
C:\WINDOWS\iedz.exe
C:\WINDOWS\crib32.exe


Once you have deleted them..

Run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional. If you leave the box checked it will remove all of your cookies; at this point, removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally reboot into normal mode and post the Smitfiles.txt here along with a fresh HiJackThis log.

- Rawe :tazz:

#19 burge1779 (Topic Starter)
It's not gone yet! I couldn't find the smit file so I ran the program again! I finally searched and found it, so this is a new file. I am still getting pop-ups on ie, and the about:blank homepage. Hopefully we're getting closer. It took forever to find and delete all of those files!!

Logfile of HijackThis v1.99.1
Scan saved at 6:04:26 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\ieuz32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gzpqi.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3A3A236D-485F-3BD2-2C16-8545899F02A9} - C:\WINDOWS\system32\msed.dll
O2 - BHO: Class - {4D55F1A8-55DA-AA1A-83F6-E4407B24CCE5} - C:\WINDOWS\system32\ipfr.dll
O2 - BHO: Class - {7DB380D6-8BBD-EA17-5115-BCE653B93B08} - C:\WINDOWS\system32\appyb32.dll
O2 - BHO: Class - {F0D9B410-3C4F-707C-2E2D-529E64AA2118} - C:\WINDOWS\atlpf.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe
O4 - HKLM\..\Run: [iemm32.exe] C:\WINDOWS\iemm32.exe
O4 - HKLM\..\Run: [ieuz32.exe] C:\WINDOWS\ieuz32.exe
O4 - HKLM\..\RunOnce: [addvj.exe] C:\WINDOWS\addvj.exe
O4 - HKLM\..\RunOnce: [appjt.exe] C:\WINDOWS\appjt.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\msrg.exe
O4 - HKLM\..\RunOnce: [addkl.exe] C:\WINDOWS\system32\addkl.exe
O4 - HKLM\..\RunOnce: [atlgl.exe] C:\WINDOWS\system32\atlgl.exe
O4 - HKLM\..\RunOnce: [addmw.exe] C:\WINDOWS\addmw.exe
O4 - HKLM\..\RunOnce: [addxc.exe] C:\WINDOWS\addxc.exe
O4 - HKLM\..\RunOnce: [ntzo32.exe] C:\WINDOWS\ntzo32.exe
O4 - HKLM\..\RunOnce: [msib32.exe] C:\WINDOWS\msib32.exe
O4 - HKLM\..\RunOnce: [javavh32.exe] C:\WINDOWS\javavh32.exe
O4 - HKLM\..\RunOnce: [mfcmg32.exe] C:\WINDOWS\mfcmg32.exe
O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\atlzc32.exe
O4 - HKLM\..\RunOnce: [mssv32.exe] C:\WINDOWS\mssv32.exe
O4 - HKLM\..\RunOnce: [apinm.exe] C:\WINDOWS\apinm.exe
O4 - HKLM\..\RunOnce: [sysgf.exe] C:\WINDOWS\system32\sysgf.exe
O4 - HKLM\..\RunOnce: [sdkzg.exe] C:\WINDOWS\system32\sdkzg.exe
O4 - HKLM\..\RunOnce: [crhf32.exe] C:\WINDOWS\crhf32.exe
O4 - HKLM\..\RunOnce: [atlxf.exe] C:\WINDOWS\atlxf.exe
O4 - HKLM\..\RunOnce: [ieka.exe] C:\WINDOWS\ieka.exe
O4 - HKLM\..\RunOnce: [sdkuv.exe] C:\WINDOWS\system32\sdkuv.exe
O4 - HKLM\..\RunOnce: [atlzx32.exe] C:\WINDOWS\system32\atlzx32.exe
O4 - HKLM\..\RunOnce: [mfcfl.exe] C:\WINDOWS\mfcfl.exe
O4 - HKLM\..\RunOnce: [syskn32.exe] C:\WINDOWS\syskn32.exe
O4 - HKLM\..\RunOnce: [ntyk.exe] C:\WINDOWS\system32\ntyk.exe
O4 - HKLM\..\RunOnce: [appdm32.exe] C:\WINDOWS\appdm32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c282.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...5e012/enter.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addvj.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





smitRem log file
version 2.3

by noahdfear

The current date is: Wed 08/31/2005
The current time is: 18:01:19.03

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :tazz:


Pre-run Files Present


~~~ Program Files ~~~

PSGuard


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

intell32.exe


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

intell32.exe


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

#20
Rawe
    Visiting Staff
Much better.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, run HiJackThis with a scan and check the following objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gzpqi.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3A3A236D-485F-3BD2-2C16-8545899F02A9} - C:\WINDOWS\system32\msed.dll
O2 - BHO: Class - {4D55F1A8-55DA-AA1A-83F6-E4407B24CCE5} - C:\WINDOWS\system32\ipfr.dll
O2 - BHO: Class - {7DB380D6-8BBD-EA17-5115-BCE653B93B08} - C:\WINDOWS\system32\appyb32.dll
O2 - BHO: Class - {F0D9B410-3C4F-707C-2E2D-529E64AA2118} - C:\WINDOWS\atlpf.dll
O4 - HKLM\..\Run: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe
O4 - HKLM\..\Run: [iemm32.exe] C:\WINDOWS\iemm32.exe
O4 - HKLM\..\Run: [ieuz32.exe] C:\WINDOWS\ieuz32.exe
O4 - HKLM\..\RunOnce: [addvj.exe] C:\WINDOWS\addvj.exe
O4 - HKLM\..\RunOnce: [appjt.exe] C:\WINDOWS\appjt.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\msrg.exe
O4 - HKLM\..\RunOnce: [addkl.exe] C:\WINDOWS\system32\addkl.exe
O4 - HKLM\..\RunOnce: [atlgl.exe] C:\WINDOWS\system32\atlgl.exe
O4 - HKLM\..\RunOnce: [addmw.exe] C:\WINDOWS\addmw.exe
O4 - HKLM\..\RunOnce: [addxc.exe] C:\WINDOWS\addxc.exe
O4 - HKLM\..\RunOnce: [ntzo32.exe] C:\WINDOWS\ntzo32.exe
O4 - HKLM\..\RunOnce: [msib32.exe] C:\WINDOWS\msib32.exe
O4 - HKLM\..\RunOnce: [javavh32.exe] C:\WINDOWS\javavh32.exe
O4 - HKLM\..\RunOnce: [mfcmg32.exe] C:\WINDOWS\mfcmg32.exe
O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\atlzc32.exe
O4 - HKLM\..\RunOnce: [mssv32.exe] C:\WINDOWS\mssv32.exe
O4 - HKLM\..\RunOnce: [apinm.exe] C:\WINDOWS\apinm.exe
O4 - HKLM\..\RunOnce: [sysgf.exe] C:\WINDOWS\system32\sysgf.exe
O4 - HKLM\..\RunOnce: [sdkzg.exe] C:\WINDOWS\system32\sdkzg.exe
O4 - HKLM\..\RunOnce: [crhf32.exe] C:\WINDOWS\crhf32.exe
O4 - HKLM\..\RunOnce: [atlxf.exe] C:\WINDOWS\atlxf.exe
O4 - HKLM\..\RunOnce: [ieka.exe] C:\WINDOWS\ieka.exe
O4 - HKLM\..\RunOnce: [sdkuv.exe] C:\WINDOWS\system32\sdkuv.exe
O4 - HKLM\..\RunOnce: [atlzx32.exe] C:\WINDOWS\system32\atlzx32.exe
O4 - HKLM\..\RunOnce: [mfcfl.exe] C:\WINDOWS\mfcfl.exe
O4 - HKLM\..\RunOnce: [syskn32.exe] C:\WINDOWS\syskn32.exe
O4 - HKLM\..\RunOnce: [ntyk.exe] C:\WINDOWS\system32\ntyk.exe
O4 - HKLM\..\RunOnce: [appdm32.exe] C:\WINDOWS\appdm32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addvj.exe" /s (file missing)


Close ALL open windows except for HiJackThis and hit FIX CHECKED.

Double-click KillBox.exe to launch the program:

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\system32\msed.dll
C:\WINDOWS\system32\ipfr.dll
C:\WINDOWS\system32\appyb32.dll
C:\WINDOWS\atlpf.dll
C:\WINDOWS\system32\appuy32.exe
C:\WINDOWS\iemm32.exe
C:\WINDOWS\ieuz32.exe
C:\WINDOWS\addvj.exe
C:\WINDOWS\appjt.exe
C:\WINDOWS\msrg.exe
C:\WINDOWS\system32\addkl.exe
C:\WINDOWS\system32\atlgl.exe
C:\WINDOWS\addmw.exe
C:\WINDOWS\addxc.exe
C:\WINDOWS\ntzo32.exe
C:\WINDOWS\msib32.exe
C:\WINDOWS\javavh32.exe
C:\WINDOWS\mfcmg32.exe
C:\WINDOWS\atlzc32.exe
C:\WINDOWS\mssv32.exe
C:\WINDOWS\apinm.exe
C:\WINDOWS\system32\sysgf.exe
C:\WINDOWS\system32\sdkzg.exe
C:\WINDOWS\crhf32.exe
C:\WINDOWS\atlxf.exe
C:\WINDOWS\ieka.exe
C:\WINDOWS\system32\sdkuv.exe
C:\WINDOWS\system32\atlzx32.exe
C:\WINDOWS\mfcfl.exe
C:\WINDOWS\syskn32.exe
C:\WINDOWS\system32\ntyk.exe
C:\WINDOWS\appdm32.exe
C:\WINDOWS\addvj.exe


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Post a fresh HiJackThis log.

- Rawe :tazz:
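The triage in steps 3 and 5 above was done by eye: pick out the R1 search entries redirected into a res:// DLL, the BHOs registered under the bare name "Class", the Run/RunOnce entries for short randomly named executables dropped straight into C:\WINDOWS or system32, and the service whose binary is already missing, then turn those into a file list for Killbox. The Python below is an added example written for this thread, not code from HijackThis, Killbox or the forum; the prefix list in RANDOM_EXE is my own assumption drawn from the names in these logs, and the sample lines are copied from the logs posted above (with a few legitimate entries from the same log kept in so the filter can be seen leaving them alone).

```python
"""Triage a HijackThis log the way the helper in this thread did by hand.

Added example for this thread; not HijackThis, smitRem or Killbox code.
Flags: IE search settings pointing at a res:// page inside a DLL, BHOs named
just "Class", auto-start entries for short randomly named executables in the
Windows or system32 directory, and services whose binary is missing.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis logs posted in this thread.  The
# Yahoo, Adobe, ATI, hkcmd and Messenger lines are the legitimate entries
# from the same log and must come out clean.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gzpqi.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3A3A236D-485F-3BD2-2C16-8545899F02A9} - C:\WINDOWS\system32\msed.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe
O4 - HKLM\..\RunOnce: [addvj.exe] C:\WINDOWS\addvj.exe
O4 - HKLM\..\RunOnce: [ntyk.exe] C:\WINDOWS\system32\ntyk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addvj.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Name shape shared by every O4 entry removed in this thread: a prefix that
# imitates a system component, two or three random letters, optional "32".
# The prefix list is an assumption drawn from the names in these logs.
RANDOM_EXE = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2,3}(?:32)?\.exe$",
    re.IGNORECASE,
)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry was flagged
    path: str    # file on disk behind the entry
    line: str    # original log line


def looks_random_system_exe(path: str) -> bool:
    """True for a random-looking system-style name sitting directly in
    the Windows or system32 directory (not in a product's own folder)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower() in SYSTEM_DIRS and bool(RANDOM_EXE.match(name))


def _o4_path(rest: str) -> str:
    """Strip a quoted command line down to its executable path."""
    rest = rest.strip()
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None for anything else."""
    line = line.strip()
    m = re.match(r"^([RO]\d+) - (.*)$", line)
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):
        # Search-page hijack: IE setting redirected to a res:// page in a DLL.
        hit = re.search(r"res://([A-Za-z]:\\[^/]+\.dll)/sp\.html", body, re.I)
        if hit:
            return Finding(code, "IE search setting served from res:// DLL", hit.group(1), line)
    elif code == "O2":
        fields = body.split(" - ")  # "BHO: <name> - {CLSID} - <dll>"
        if fields[0] == "BHO: Class":
            return Finding(code, "BHO with generic name 'Class'", fields[-1], line)
    elif code == "O4":
        hit = re.search(r"\] (.+)$", body)  # "HKLM\..\RunOnce: [name] <path>"
        if hit and looks_random_system_exe(_o4_path(hit.group(1))):
            return Finding(code, "auto-start of random-named exe in system dir", _o4_path(hit.group(1)), line)
    elif code == "O23" and body.endswith("(file missing)"):
        hit = re.search(r"([A-Za-z]:\\[^\"]+?\.exe)", body)
        if hit:
            return Finding(code, "service whose binary is missing", hit.group(1), line)
    return None


def triage_log(text: str) -> list:
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def killbox_list(findings) -> list:
    """Deduplicated paths in log order, ready for a delete-on-reboot tool
    (the hand-made list in this thread carried addvj.exe twice)."""
    seen, out = set(), []
    for f in findings:
        if f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.code:4} {f.reason:48} {f.path}")
    print("\nKillbox list:\n" + "\n".join(killbox_list(found)))
```

Feed it a saved log by replacing SAMPLE_LOG with the file contents. The heuristics are tuned to the family in this thread, so a hit is a cue for a human to check the file (owner, signature, creation time), not a verdict on its own.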

#21
burge1779
    Member
  • Topic Starter
Still got an about:blank homepage and pop-ups. I will be glad when this thing is gone. Again, thanks for all of your time and help!
:tazz:

Logfile of HijackThis v1.99.1
Scan saved at 8:06:11 AM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ntxd32.exe
C:\WINDOWS\system32\ienv32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nsmck.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsmck.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nsmck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsmck.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nsmck.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {04E07DB4-970C-B6FD-F75A-B78964E091EE} - C:\WINDOWS\d3lj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {09419588-4A35-B532-FA96-5DD0086ED758} - C:\WINDOWS\addiq32.dll
O2 - BHO: Class - {0FA5CD9C-AEC3-F607-492D-C465589A5E8E} - C:\WINDOWS\d3rd32.dll
O2 - BHO: Class - {19619DBD-B4B4-FDF7-102F-F84B25374D57} - C:\WINDOWS\appmb.dll
O2 - BHO: Class - {26F6F77F-BB62-AC45-2249-A1698510CF0B} - C:\WINDOWS\system32\d3nk32.dll
O2 - BHO: Class - {30CDBE2B-6101-6199-7F1D-A22AADFABD18} - C:\WINDOWS\system32\ipex.dll
O2 - BHO: Class - {37E0589F-FCBA-2846-8D7A-5BCF4B64B27D} - C:\WINDOWS\system32\ntks32.dll
O2 - BHO: Class - {5883D979-5C1C-5AE9-C370-C39713BB8756} - C:\WINDOWS\addfg32.dll
O2 - BHO: Class - {6AB07E42-F1C5-F8BA-44B0-6F818F3C7711} - C:\WINDOWS\appym.dll
O2 - BHO: Class - {7336446D-6302-31A5-850C-92DCAEABD49C} - C:\WINDOWS\msdo32.dll
O2 - BHO: Class - {8569B350-A235-C3D0-C976-91F197E58D58} - C:\WINDOWS\ntii32.dll
O2 - BHO: Class - {8C704BD7-5630-E51A-E619-A741A169CF3E} - C:\WINDOWS\system32\netsm.dll
O2 - BHO: Class - {AF78CC8D-6C38-4877-8A5D-18C72E19E404} - C:\WINDOWS\system32\atlcf32.dll
O2 - BHO: Class - {BEF00B51-738C-4232-D4D5-D51207153ADE} - C:\WINDOWS\system32\appok.dll
O2 - BHO: Class - {CD101537-32F8-4AA3-3402-3E75C232A431} - C:\WINDOWS\ipgh32.dll
O2 - BHO: Class - {D262910D-9F97-CA3A-15AA-9A5DEF559433} - C:\WINDOWS\d3pu32.dll
O2 - BHO: Class - {DA50B851-33CA-06EB-529C-7E0AD96F9CAC} - C:\WINDOWS\atlav.dll
O2 - BHO: Class - {E205E8BE-1426-8D62-5E34-05957690AEAA} - C:\WINDOWS\system32\msfq.dll
O2 - BHO: Class - {E9342878-FCEA-230B-E4D2-5712935070EA} - C:\WINDOWS\system32\msbf32.dll
O2 - BHO: Class - {EC085D8D-3FEA-2572-6960-792ABB62ABE6} - C:\WINDOWS\ipco.dll
O2 - BHO: Class - {EEAFF53B-A766-3A0B-3D24-F62B60E391B8} - C:\WINDOWS\system32\appkr.dll
O2 - BHO: Class - {F00DEE37-8509-AE59-6FB2-C712632ECE8B} - C:\WINDOWS\system32\mfcuk.dll
O2 - BHO: Class - {F3DD5740-8C65-5FF3-1225-F170898543B8} - C:\WINDOWS\ntvb32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ntxd32.exe] C:\WINDOWS\system32\ntxd32.exe
O4 - HKLM\..\RunOnce: [ipnf32.exe] C:\WINDOWS\ipnf32.exe
O4 - HKLM\..\RunOnce: [appgo32.exe] C:\WINDOWS\appgo32.exe
O4 - HKLM\..\RunOnce: [apppc32.exe] C:\WINDOWS\apppc32.exe
O4 - HKLM\..\RunOnce: [netil.exe] C:\WINDOWS\netil.exe
O4 - HKLM\..\RunOnce: [d3fi32.exe] C:\WINDOWS\system32\d3fi32.exe
O4 - HKLM\..\RunOnce: [appdo.exe] C:\WINDOWS\appdo.exe
O4 - HKLM\..\RunOnce: [mfchs32.exe] C:\WINDOWS\mfchs32.exe
O4 - HKLM\..\RunOnce: [applm32.exe] C:\WINDOWS\system32\applm32.exe
O4 - HKLM\..\RunOnce: [atllu32.exe] C:\WINDOWS\system32\atllu32.exe
O4 - HKLM\..\RunOnce: [mfczz32.exe] C:\WINDOWS\system32\mfczz32.exe
O4 - HKLM\..\RunOnce: [iesa32.exe] C:\WINDOWS\iesa32.exe
O4 - HKLM\..\RunOnce: [netaq32.exe] C:\WINDOWS\netaq32.exe
O4 - HKLM\..\RunOnce: [mfckz.exe] C:\WINDOWS\system32\mfckz.exe
O4 - HKLM\..\RunOnce: [mssh32.exe] C:\WINDOWS\mssh32.exe
O4 - HKLM\..\RunOnce: [apphw.exe] C:\WINDOWS\system32\apphw.exe
O4 - HKLM\..\RunOnce: [iemi32.exe] C:\WINDOWS\system32\iemi32.exe
O4 - HKLM\..\RunOnce: [d3bf32.exe] C:\WINDOWS\system32\d3bf32.exe
O4 - HKLM\..\RunOnce: [netuy32.exe] C:\WINDOWS\system32\netuy32.exe
O4 - HKLM\..\RunOnce: [sysco.exe] C:\WINDOWS\system32\sysco.exe
O4 - HKLM\..\RunOnce: [iprr32.exe] C:\WINDOWS\iprr32.exe
O4 - HKLM\..\RunOnce: [apigo32.exe] C:\WINDOWS\apigo32.exe
O4 - HKLM\..\RunOnce: [apidt32.exe] C:\WINDOWS\apidt32.exe
O4 - HKLM\..\RunOnce: [ipiy32.exe] C:\WINDOWS\system32\ipiy32.exe
O4 - HKLM\..\RunOnce: [ipcr.exe] C:\WINDOWS\ipcr.exe
O4 - HKLM\..\RunOnce: [ntkz.exe] C:\WINDOWS\ntkz.exe
O4 - HKLM\..\RunOnce: [winkh32.exe] C:\WINDOWS\system32\winkh32.exe
O4 - HKLM\..\RunOnce: [netzw.exe] C:\WINDOWS\netzw.exe
O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\msif.exe
O4 - HKLM\..\RunOnce: [sysbg32.exe] C:\WINDOWS\sysbg32.exe
O4 - HKLM\..\RunOnce: [sdkvz32.exe] C:\WINDOWS\system32\sdkvz32.exe
O4 - HKLM\..\RunOnce: [appup.exe] C:\WINDOWS\appup.exe
O4 - HKLM\..\RunOnce: [winkm32.exe] C:\WINDOWS\winkm32.exe
O4 - HKLM\..\RunOnce: [addru32.exe] C:\WINDOWS\addru32.exe
O4 - HKLM\..\RunOnce: [msfc.exe] C:\WINDOWS\msfc.exe
O4 - HKLM\..\RunOnce: [nettf.exe] C:\WINDOWS\system32\nettf.exe
O4 - HKLM\..\RunOnce: [d3qa.exe] C:\WINDOWS\d3qa.exe
O4 - HKLM\..\RunOnce: [sysjt32.exe] C:\WINDOWS\sysjt32.exe
O4 - HKLM\..\RunOnce: [windm.exe] C:\WINDOWS\system32\windm.exe
O4 - HKLM\..\RunOnce: [crcc32.exe] C:\WINDOWS\crcc32.exe
O4 - HKLM\..\RunOnce: [javali32.exe] C:\WINDOWS\system32\javali32.exe
O4 - HKLM\..\RunOnce: [mskg32.exe] C:\WINDOWS\mskg32.exe
O4 - HKLM\..\RunOnce: [mfchl32.exe] C:\WINDOWS\system32\mfchl32.exe
O4 - HKLM\..\RunOnce: [addfi.exe] C:\WINDOWS\addfi.exe
O4 - HKLM\..\RunOnce: [apivy32.exe] C:\WINDOWS\system32\apivy32.exe
O4 - HKLM\..\RunOnce: [addoh32.exe] C:\WINDOWS\addoh32.exe
O4 - HKLM\..\RunOnce: [ieme.exe] C:\WINDOWS\system32\ieme.exe
O4 - HKLM\..\RunOnce: [iegq32.exe] C:\WINDOWS\iegq32.exe
O4 - HKLM\..\RunOnce: [appkk.exe] C:\WINDOWS\system32\appkk.exe
O4 - HKLM\..\RunOnce: [winih32.exe] C:\WINDOWS\system32\winih32.exe
O4 - HKLM\..\RunOnce: [winhp32.exe] C:\WINDOWS\system32\winhp32.exe
O4 - HKLM\..\RunOnce: [appvu32.exe] C:\WINDOWS\system32\appvu32.exe
O4 - HKLM\..\RunOnce: [d3on.exe] C:\WINDOWS\system32\d3on.exe
O4 - HKLM\..\RunOnce: [ieho32.exe] C:\WINDOWS\system32\ieho32.exe
O4 - HKLM\..\RunOnce: [winth.exe] C:\WINDOWS\winth.exe
O4 - HKLM\..\RunOnce: [netqe32.exe] C:\WINDOWS\system32\netqe32.exe
O4 - HKLM\..\RunOnce: [ntsu32.exe] C:\WINDOWS\ntsu32.exe
O4 - HKLM\..\RunOnce: [apiqr32.exe] C:\WINDOWS\system32\apiqr32.exe
O4 - HKLM\..\RunOnce: [appas.exe] C:\WINDOWS\appas.exe
O4 - HKLM\..\RunOnce: [ntja32.exe] C:\WINDOWS\system32\ntja32.exe
O4 - HKLM\..\RunOnce: [wineu32.exe] C:\WINDOWS\system32\wineu32.exe
O4 - HKLM\..\RunOnce: [d3kz.exe] C:\WINDOWS\system32\d3kz.exe
O4 - HKLM\..\RunOnce: [syspe32.exe] C:\WINDOWS\syspe32.exe
O4 - HKLM\..\RunOnce: [mfcet32.exe] C:\WINDOWS\system32\mfcet32.exe
O4 - HKLM\..\RunOnce: [appuq32.exe] C:\WINDOWS\system32\appuq32.exe
O4 - HKLM\..\RunOnce: [d3nj32.exe] C:\WINDOWS\system32\d3nj32.exe
O4 - HKLM\..\RunOnce: [netvz.exe] C:\WINDOWS\netvz.exe
O4 - HKLM\..\RunOnce: [mfckw32.exe] C:\WINDOWS\system32\mfckw32.exe
O4 - HKLM\..\RunOnce: [mfcke32.exe] C:\WINDOWS\system32\mfcke32.exe
O4 - HKLM\..\RunOnce: [apimg.exe] C:\WINDOWS\apimg.exe
O4 - HKLM\..\RunOnce: [sysfz.exe] C:\WINDOWS\sysfz.exe
O4 - HKLM\..\RunOnce: [mfcpz.exe] C:\WINDOWS\system32\mfcpz.exe
O4 - HKLM\..\RunOnce: [apiph.exe] C:\WINDOWS\apiph.exe
O4 - HKLM\..\RunOnce: [d3xq.exe] C:\WINDOWS\d3xq.exe
O4 - HKLM\..\RunOnce: [ierr32.exe] C:\WINDOWS\system32\ierr32.exe
O4 - HKLM\..\RunOnce: [ntck32.exe] C:\WINDOWS\ntck32.exe
O4 - HKLM\..\RunOnce: [ipfc.exe] C:\WINDOWS\ipfc.exe
O4 - HKLM\..\RunOnce: [appso.exe] C:\WINDOWS\system32\appso.exe
O4 - HKLM\..\RunOnce: [mfcyt.exe] C:\WINDOWS\system32\mfcyt.exe
O4 - HKLM\..\RunOnce: [mfcse32.exe] C:\WINDOWS\mfcse32.exe
O4 - HKLM\..\RunOnce: [apiau32.exe] C:\WINDOWS\apiau32.exe
O4 - HKLM\..\RunOnce: [ipfz32.exe] C:\WINDOWS\ipfz32.exe
O4 - HKLM\..\RunOnce: [iphs.exe] C:\WINDOWS\iphs.exe
O4 - HKLM\..\RunOnce: [ipha.exe] C:\WINDOWS\system32\ipha.exe
O4 - HKLM\..\RunOnce: [winhi32.exe] C:\WINDOWS\winhi32.exe
O4 - HKLM\..\RunOnce: [sdkpy32.exe] C:\WINDOWS\system32\sdkpy32.exe
O4 - HKLM\..\RunOnce: [ietk.exe] C:\WINDOWS\system32\ietk.exe
O4 - HKLM\..\RunOnce: [ienv32.exe] C:\WINDOWS\system32\ienv32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c282.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...5e012/enter.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addvj.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#22
Rawe
    Visiting Staff
Arr. They are still there :tazz:

Let's try something different.


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#23
burge1779
    Member
  • Topic Starter
It's not dead yet! Hopefully soon! Here is my Spy Sweeper log.


********
5:29 PM: |··· Start of Session, Thursday, September 01, 2005 ···|
5:29 PM: Spy Sweeper started
5:29 PM: Sweep initiated using definitions version 526
5:29 PM: Starting Memory Sweep
5:30 PM: Found Adware: cws_tiny0
5:30 PM: Detected running threat: C:\WINDOWS\system32\ntxd32.exe (ID = 135984)
5:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || ntxd32.exe (ID = 0)
5:31 PM: Found Adware: cws_ns3
5:31 PM: Detected running threat: C:\WINDOWS\d3lj.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\addiq32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\d3rd32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\appmb.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\d3nk32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\ipex.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\ntks32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\addfg32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\appym.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\msdo32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\ntii32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\netsm.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\atlcf32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\appok.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\ipgh32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\d3pu32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\atlav.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\msfq.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\msbf32.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\ipco.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\appkr.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\system32\mfcuk.dll (ID = 8)
5:31 PM: Detected running threat: C:\WINDOWS\ntvb32.dll (ID = 8)
5:31 PM: Memory Sweep Complete, Elapsed Time: 00:01:42
5:31 PM: Starting Registry Sweep
5:31 PM: Found Trojan Horse: agent.ay downloader
5:31 PM: HKCR\clsid\{088bb196-6676-cb49-248d-e08b115e7e10}\ (6 subtraces) (ID = 103335)
5:31 PM: HKLM\software\classes\clsid\{088bb196-6676-cb49-248d-e08b115e7e10}\ (6 subtraces) (ID = 103344)
5:31 PM: Found Adware: coolwebsearch (cws)
5:31 PM: HKCR\clsid\{0f9a97e5-963e-75db-23f4-3897cec6b584}\ (2 subtraces) (ID = 107063)
5:31 PM: HKCR\clsid\{6a5229c9-2f01-6a52-521f-8f546ded11c7}\ (2 subtraces) (ID = 107280)
5:31 PM: HKCR\clsid\{43f226f3-3edd-1f6e-b1f9-426f80dab07e}\ (6 subtraces) (ID = 107460)
5:31 PM: HKCR\clsid\{44ce9131-e13c-d36a-083a-faff61e866ca}\ (6 subtraces) (ID = 107461)
5:31 PM: HKCR\clsid\{65d75d06-7395-6352-09cd-e13b9059efe9}\ (6 subtraces) (ID = 107500)
5:31 PM: HKCR\clsid\{66deb589-b6d4-e95e-2e36-26287464cd11}\ (6 subtraces) (ID = 107502)
5:31 PM: HKCR\clsid\{77e35b59-5dbf-ca0f-2037-00b52e21e874}\ (2 subtraces) (ID = 107523)
5:31 PM: HKCR\clsid\{211d33be-b506-603a-e0c1-e50e4d62779f}\ (6 subtraces) (ID = 107595)
5:31 PM: HKCR\clsid\{c5f30c3e-df43-3900-ba95-c664d49efbb2}\ (2 subtraces) (ID = 108051)
5:31 PM: HKCR\clsid\{d02510a9-69a7-24d5-85da-d3ec8e911c73}\ (6 subtraces) (ID = 108130)
5:31 PM: HKCR\clsid\{d75b9d6b-fb2a-ee40-24da-791d27c77147}\ (2 subtraces) (ID = 108151)
5:31 PM: HKLM\software\classes\clsid\{0f9a97e5-963e-75db-23f4-3897cec6b584}\ (2 subtraces) (ID = 108453)
5:31 PM: HKLM\software\classes\clsid\{6a5229c9-2f01-6a52-521f-8f546ded11c7}\ (2 subtraces) (ID = 108668)
5:31 PM: HKLM\software\classes\clsid\{43f226f3-3edd-1f6e-b1f9-426f80dab07e}\ (6 subtraces) (ID = 108847)
5:31 PM: HKLM\software\classes\clsid\{44ce9131-e13c-d36a-083a-faff61e866ca}\ (6 subtraces) (ID = 108848)
5:31 PM: HKLM\software\classes\clsid\{65d75d06-7395-6352-09cd-e13b9059efe9}\ (6 subtraces) (ID = 108887)
5:31 PM: HKLM\software\classes\clsid\{66deb589-b6d4-e95e-2e36-26287464cd11}\ (6 subtraces) (ID = 108889)
5:31 PM: HKLM\software\classes\clsid\{77e35b59-5dbf-ca0f-2037-00b52e21e874}\ (2 subtraces) (ID = 108910)
5:31 PM: HKLM\software\classes\clsid\{211d33be-b506-603a-e0c1-e50e4d62779f}\ (6 subtraces) (ID = 108981)
5:31 PM: HKLM\software\classes\clsid\{c5f30c3e-df43-3900-ba95-c664d49efbb2}\ (2 subtraces) (ID = 109434)
5:31 PM: HKLM\software\classes\clsid\{d02510a9-69a7-24d5-85da-d3ec8e911c73}\ (6 subtraces) (ID = 109513)
5:31 PM: HKLM\software\classes\clsid\{d75b9d6b-fb2a-ee40-24da-791d27c77147}\ (2 subtraces) (ID = 109534)
5:31 PM: Found Adware: cws-aboutblank
5:31 PM: HKCR\clsid\{53b83eba-809f-c983-5c07-4cb6e85d8f3a}\ (2 subtraces) (ID = 113323)
5:31 PM: HKLM\software\classes\clsid\{53b83eba-809f-c983-5c07-4cb6e85d8f3a}\ (2 subtraces) (ID = 114900)
5:31 PM: HKCR\clsid\{0add4d53-b7dd-20f8-2ac9-ab9cb538a46f}\ (6 subtraces) (ID = 117597)
5:31 PM: HKCR\clsid\{0b6be68e-b55a-5883-3dbc-30d73208d3e7}\ (6 subtraces) (ID = 117604)
5:31 PM: HKCR\clsid\{0b538ae6-8676-e13b-4cec-e6a75f19f1ef}\ (6 subtraces) (ID = 117607)
5:31 PM: HKCR\clsid\{011710e1-b483-710e-97e0-2570cf3083b8}\ (2 subtraces) (ID = 117636)
5:31 PM: HKCR\clsid\{04d2569c-ed83-79fb-0e43-f43dfa258774}\ (6 subtraces) (ID = 117663)
5:31 PM: HKCR\clsid\{07f0caa0-8206-9dcc-5402-d4cc24ec1764}\ (6 subtraces) (ID = 117686)
5:31 PM: HKCR\clsid\{09098a2e-29b4-d7ac-c8ec-1c448eba69e3}\ (4 subtraces) (ID = 117698)
5:31 PM: HKCR\clsid\{09248dc7-285d-a208-7675-8d1bac7208c9}\ (6 subtraces) (ID = 117699)
5:31 PM: HKCR\clsid\{1b9cee94-e0d7-13cf-2da8-ca3c766eaad0}\ (6 subtraces) (ID = 117706)
5:31 PM: HKCR\clsid\{1d232f9d-941d-5cd9-732f-8f6ec1977cf2}\ (6 subtraces) (ID = 117720)
5:31 PM: HKCR\clsid\{1de20533-9118-bf9a-a6c6-f8e881a5fd4b}\ (6 subtraces) (ID = 117724)
5:31 PM: HKCR\clsid\{1e920882-80ef-bd61-dbbd-0847c13d1197}\ (2 subtraces) (ID = 117728)
5:31 PM: HKCR\clsid\{1f846f72-8833-7b85-fbf7-b2d81d30ab82}\ (4 subtraces) (ID = 117736)
5:31 PM: HKCR\clsid\{2a97db56-e2b4-967c-af9f-07fdf74289c2}\ (6 subtraces) (ID = 117739)
5:31 PM: HKCR\clsid\{2cb60d9d-ba37-058c-7ea3-a52155f01235}\ (6 subtraces) (ID = 117754)
5:31 PM: HKCR\clsid\{2d99fd34-f395-dfb0-0852-36d4976f6e3d}\ (6 subtraces) (ID = 117765)
5:31 PM: HKCR\clsid\{2fb10b1f-e342-08a1-cbaa-d4a2cd2abac6}\ (2 subtraces) (ID = 117777)
5:31 PM: HKCR\clsid\{3e429b2a-880e-f81f-ccf2-035c43170ae9}\localserver32\ (1 subtraces) (ID = 117808)
5:31 PM: HKCR\clsid\{4e11a0fd-72a3-aef3-d4e4-e168f75a238e}\ (6 subtraces) (ID = 117854)
5:31 PM: HKCR\clsid\{4fbb115d-894b-592c-e7c1-41e7c088266f}\localserver32\ (1 subtraces) (ID = 117863)
5:31 PM: HKCR\clsid\{5da6ca48-7d98-bc0b-40ef-22ac6558668a}\ (6 subtraces) (ID = 117892)
5:31 PM: HKCR\clsid\{5f0db282-2c0a-ae7b-a81a-1451175e7cc1}\ (2 subtraces) (ID = 117907)
5:31 PM: HKCR\clsid\{5f32646e-6d3e-257c-2369-efd1a3a012f8}\ (6 subtraces) (ID = 117911)
5:31 PM: HKCR\clsid\{5fa0cf1e-5ff7-5212-6d7d-5710e683babb}\ (6 subtraces) (ID = 117913)
5:31 PM: HKCR\clsid\{6a493714-8012-621e-a09e-cd80ff52fb1f}\ (2 subtraces) (ID = 117921)
5:31 PM: HKCR\clsid\{6d012127-abb2-bf82-d02a-24cbbd599720}\ (6 subtraces) (ID = 117944)
5:31 PM: HKCR\clsid\{6ddf3af2-cb9d-199d-044c-9941e91e7cff}\ (2 subtraces) (ID = 117950)
5:31 PM: HKCR\clsid\{8bb0647d-d9c2-cb7b-7651-2618bd82261b}\ (6 subtraces) (ID = 118008)
5:31 PM: HKCR\clsid\{8c5ccfeb-d80b-9087-ae97-c7343da6efdd}\ (2 subtraces) (ID = 118016)
5:31 PM: HKCR\clsid\{8f60435f-df74-6308-e8cb-509d69906821}\ (6 subtraces) (ID = 118033)
5:31 PM: HKCR\clsid\{9d7705a4-9543-9869-8249-f62ac961bda5}\ (6 subtraces) (ID = 118057)
5:31 PM: HKCR\clsid\{9e0852d7-12f7-9aeb-b1f6-766a430f01c0}\ (2 subtraces) (ID = 118059)
5:31 PM: HKCR\clsid\{10d837d7-d6ea-8bce-37fb-e58a2e09397b}\ (6 subtraces) (ID = 118080)
5:31 PM: HKCR\clsid\{16c710fd-4c93-9c02-15fc-681df7937350}\ (6 subtraces) (ID = 118087)
5:31 PM: HKCR\clsid\{22e7067a-283f-cf1c-4373-210a97c38bdb}\ (6 subtraces) (ID = 118105)
5:31 PM: HKCR\clsid\{35cdce87-6bd6-878a-d4c9-24118a153d34}\ (6 subtraces) (ID = 118140)
5:31 PM: HKCR\clsid\{38ea95b6-06df-844e-6763-813a152d6f74}\ (2 subtraces) (ID = 118160)
5:31 PM: HKCR\clsid\{47b70b6f-a6b0-230a-43c3-9f9b5c710209}\ (6 subtraces) (ID = 118181)
5:31 PM: HKCR\clsid\{47da2122-90a1-597c-94d7-20963f392761}\ (6 subtraces) (ID = 118182)
5:31 PM: HKCR\clsid\{62b52b4d-547b-bfc7-9850-79709fdecf27}\ (6 subtraces) (ID = 118222)
5:31 PM: HKCR\clsid\{66f81d4b-90ba-d6b9-a3dd-81424b154345}\localserver32\ (1 subtraces) (ID = 118237)
5:31 PM: HKCR\clsid\{67d02480-710b-80d7-0624-27bb57b32cde}\ (6 subtraces) (ID = 118239)
5:31 PM: HKCR\clsid\{86b29a5f-cb91-3c3d-28a2-eda38c1f28a8}\ (6 subtraces) (ID = 118288)
5:31 PM: HKCR\clsid\{97e37285-b9d3-035e-821f-3ebe4f849c3d}\ (6 subtraces) (ID = 118314)
5:31 PM: HKCR\clsid\{735ddac7-f8f1-47dd-d87a-6af0100b6a48}\ (6 subtraces) (ID = 118420)
5:31 PM: HKCR\clsid\{786a41bb-009d-dd27-ea3e-15dcd01ec75c}\ (6 subtraces) (ID = 118428)
5:31 PM: HKCR\clsid\{792a038a-9c16-9885-5b25-ce939788172a}\ (5 subtraces) (ID = 118430)
5:31 PM: HKCR\clsid\{798a3875-f0cf-e2b2-3196-d55e89cdef04}\ (2 subtraces) (ID = 118434)
5:31 PM: HKCR\clsid\{841cb982-c366-4290-3f00-95a1a5f3c340}\ (6 subtraces) (ID = 118440)
5:31 PM: HKCR\clsid\{865e2cec-dcdc-cf30-c932-8a491f233655}\ (2 subtraces) (ID = 118444)
5:31 PM: HKCR\clsid\{929f8e8d-2c15-4240-e685-fa3c645381c5}\ (6 subtraces) (ID = 118454)
5:31 PM: HKCR\clsid\{966fa744-197f-e95e-eb31-73be39619de2}\ (6 subtraces) (ID = 118464)
5:31 PM: HKCR\clsid\{3757d8ec-fd1d-a2f5-366b-c8c2fee89b04}\ (6 subtraces) (ID = 118491)
5:31 PM: HKCR\clsid\{5932f9cb-e60e-11c7-5ba5-2cd8198cbdb4}\ (6 subtraces) (ID = 118512)
5:31 PM: HKCR\clsid\{7868ec16-8c67-1dbd-6d5a-ebb325881bd9}\ (6 subtraces) (ID = 118532)
5:31 PM: HKCR\clsid\{8169e4d3-2914-c956-aafe-f49d78c929a8}\ (6 subtraces) (ID = 118538)
5:31 PM: HKCR\clsid\{8669abb2-7410-3460-f449-e119dca24cc4}\ (6 subtraces) (ID = 118546)
5:31 PM: HKCR\clsid\{12130dcb-3df4-96ec-27b9-61e0d766f680}\ (6 subtraces) (ID = 118563)
5:31 PM: HKCR\clsid\{43372d0d-6ead-977a-99ee-8dfb043153ed}\ (2 subtraces) (ID = 118580)
5:31 PM: HKCR\clsid\{88289cad-8761-b286-1697-48c2e3a53747}\ (6 subtraces) (ID = 118617)
5:31 PM: HKCR\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 118649)
5:31 PM: HKCR\clsid\{765369c1-d4e0-d6a4-69b4-6261d4e1319a}\ (5 subtraces) (ID = 118652)
5:31 PM: HKCR\clsid\{795714a8-c9c0-e8bd-30db-a0da3b603993}\ (6 subtraces) (ID = 118654)
5:31 PM: HKCR\clsid\{1082088a-e784-5093-f9a0-07e5588fa67c}\ (6 subtraces) (ID = 118664)
5:31 PM: HKCR\clsid\{1323178d-09e3-b628-cc3a-95630b64b7da}\ (6 subtraces) (ID = 118666)
5:31 PM: HKCR\clsid\{3508830d-8a20-1c38-52a8-8dc8b11ee6f4}\ (6 subtraces) (ID = 118672)
5:31 PM: HKCR\clsid\{9320654e-9dd7-7b4e-fd11-be169ac706f5}\ (6 subtraces) (ID = 118683)
5:31 PM: HKCR\clsid\{61682029-a490-5c49-d9fd-682fb2da97af}\ (6 subtraces) (ID = 118711)
5:31 PM: HKCR\clsid\{a9629e20-9b59-1f5f-58ae-e699d9122e1f}\ (6 subtraces) (ID = 118788)
5:31 PM: HKCR\clsid\{a167704a-0f01-8543-16a8-ecf3eba5dc01}\ (6 subtraces) (ID = 118792)
5:31 PM: HKCR\clsid\{a8703447-9782-72d3-aa41-606a7e155ce5}\ (6 subtraces) (ID = 118799)
5:31 PM: HKCR\clsid\{ab8789ce-01b6-4b58-c2c0-77d8144d5741}\ (6 subtraces) (ID = 118810)
5:31 PM: HKCR\clsid\{af197e67-53b8-6c01-4733-3e7c25ba3a3b}\ (6 subtraces) (ID = 118833)
5:31 PM: HKCR\clsid\{b9e19da8-10a7-4e21-2fbb-fdc66e0cc0b9}\ (2 subtraces) (ID = 118857)
5:31 PM: HKCR\clsid\{b36d5282-d413-f545-cf79-a6ce970cfebb}\ (6 subtraces) (ID = 118861)
5:31 PM: HKCR\clsid\{b78461f4-0e43-85fe-00b7-c15b18b07b4e}\ (2 subtraces) (ID = 118888)
5:31 PM: HKCR\clsid\{bc0fe7f5-ad1d-a795-c683-f3eb54072efe}\ (6 subtraces) (ID = 118910)
5:31 PM: HKCR\clsid\{c092cea0-fb34-5e12-83ed-47942941decc}\ (6 subtraces) (ID = 118940)
5:31 PM: HKCR\clsid\{c42cf26e-2b02-05de-7d7b-a16c5c2095bb}\ (11 subtraces) (ID = 118987)
5:31 PM: HKCR\clsid\{c53d27e6-2a68-7cd9-a09f-541ef27b2319}\ (6 subtraces) (ID = 118990)
5:31 PM: HKCR\clsid\{c74df792-dd4b-4b33-4d25-bb3e8a211bb3}\ (6 subtraces) (ID = 118996)
5:31 PM: HKCR\clsid\{c81edefc-5ab9-55d2-cded-3c677e07b4e6}\ (6 subtraces) (ID = 118998)
5:31 PM: HKCR\clsid\{c6984483-d454-b316-4040-575b9fb13d11}\ (6 subtraces) (ID = 119029)
5:31 PM: HKCR\clsid\{c9368290-de0b-80ff-0e2d-8933f6ca1a46}\ (6 subtraces) (ID = 119032)
5:31 PM: HKCR\clsid\{d0efc5ad-b041-13c1-482f-cf46efeff6c3}\ (6 subtraces) (ID = 119081)
5:31 PM: HKCR\clsid\{d7b5394e-d013-3545-35d0-45376236a8dc}\ (4 subtraces) (ID = 119095)
5:31 PM: HKCR\clsid\{d27dd7b4-a72b-4b66-2bd3-262b793a3c2c}\ (6 subtraces) (ID = 119105)
5:31 PM: HKCR\clsid\{d85fbaa5-5f33-6173-d800-efd4e38ae63e}\ (6 subtraces) (ID = 119113)
5:31 PM: HKCR\clsid\{d223f02d-058e-2cfe-d02d-81826009252b}\ (6 subtraces) (ID = 119115)
5:31 PM: HKCR\clsid\{d605eaff-2c3a-4619-43c1-4ffb062f68de}\ (6 subtraces) (ID = 119121)
5:31 PM: HKCR\clsid\{d4451521-f203-568e-2657-c5ad1f0b1f77}\ (2 subtraces) (ID = 119139)
5:31 PM: HKCR\clsid\{db3ff0a6-7ad3-085e-3e59-a4318e82d4a8}\ (6 subtraces) (ID = 119157)
5:31 PM: HKCR\clsid\{de064cf5-809e-a243-cc14-f5427e5967a1}\ (6 subtraces) (ID = 119183)
5:31 PM: HKCR\clsid\{df74f87a-b7c0-f480-1d25-d81a257b3152}\ (6 subtraces) (ID = 119193)
5:31 PM: HKCR\clsid\{df7066e9-8ee8-8682-f43e-2bf8e7e7d760}\ (2 subtraces) (ID = 119195)
5:31 PM: HKCR\clsid\{dfc94122-75a0-85e3-3738-430a8b983c39}\ (6 subtraces) (ID = 119197)
5:31 PM: HKCR\clsid\{e36a99d7-088f-a5e8-1ba4-87116d938d49}\ (2 subtraces) (ID = 119237)
5:31 PM: HKCR\clsid\{e404f826-abe4-d856-61ba-bcbd539933f8}\ (2 subtraces) (ID = 119254)
5:31 PM: HKCR\clsid\{e24280f1-5872-dd80-6349-14510dfcb851}\ (6 subtraces) (ID = 119267)
5:31 PM: HKCR\clsid\{e365460d-7563-2763-5e38-85f172854eac}\ (6 subtraces) (ID = 119270)
5:31 PM: HKCR\clsid\{e647591b-d33e-72b8-a7f0-9d55c2a7369d}\ (6 subtraces) (ID = 119273)
5:31 PM: HKCR\clsid\{e9342878-fcea-230b-e4d2-5712935070ea}\ (25 subtraces) (ID = 119278)
5:31 PM: HKCR\clsid\{eceaf197-b6ef-9e38-0846-ff3bb03983ad}\ (6 subtraces) (ID = 119305)
5:31 PM: HKCR\clsid\{edb7ff48-2cc7-7131-a993-53c8f83dd550}\ (6 subtraces) (ID = 119311)
5:31 PM: HKCR\clsid\{f0d9b410-3c4f-707c-2e2d-529e64aa2118}\ (2 subtraces) (ID = 119339)
5:31 PM: HKCR\clsid\{f065e398-2acb-9034-8b2a-28a827ff521f}\ (6 subtraces) (ID = 119343)
5:31 PM: HKCR\clsid\{f3dd5740-8c65-5ff3-1225-f170898543b8}\ (25 subtraces) (ID = 119354)
5:31 PM: HKCR\clsid\{f6eb941e-9dcd-6e07-e139-d2ab90baae62}\ (6 subtraces) (ID = 119366)
5:31 PM: HKCR\clsid\{f7dfcd4f-46cd-bda8-264c-0a68205f4979}\ (6 subtraces) (ID = 119370)
5:31 PM: HKCR\clsid\{f704a16d-ba8a-0dd4-cb9e-f0fa4a957d8d}\ (6 subtraces) (ID = 119390)
5:31 PM: HKCR\clsid\{f2352fd0-b78a-fc66-ee98-5dfbf99e1f48}\ (5 subtraces) (ID = 119400)
5:31 PM: HKCR\clsid\{f317424c-8ecc-86c7-5e5b-7aa1bd81d1c4}\ (6 subtraces) (ID = 119409)
5:31 PM: HKCR\clsid\{f6802757-10ab-dbc8-719a-c48394d31082}\ (6 subtraces) (ID = 119413)
5:31 PM: HKCR\clsid\{fa986cde-0fa2-33a9-ecfd-8291dfa81985}\ (6 subtraces) (ID = 119419)
5:31 PM: HKCR\clsid\{fb277f1b-89b6-a114-dd01-ec507a933f39}\ (2 subtraces) (ID = 119426)
5:31 PM: HKCR\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (6 subtraces) (ID = 119436)
5:31 PM: HKLM\software\classes\clsid\{0add4d53-b7dd-20f8-2ac9-ab9cb538a46f}\ (6 subtraces) (ID = 119478)
5:31 PM: HKLM\software\classes\clsid\{0b6be68e-b55a-5883-3dbc-30d73208d3e7}\ (6 subtraces) (ID = 119484)
5:31 PM: HKLM\software\classes\clsid\{0b538ae6-8676-e13b-4cec-e6a75f19f1ef}\ (6 subtraces) (ID = 119487)
5:31 PM: HKLM\software\classes\clsid\{04d2569c-ed83-79fb-0e43-f43dfa258774}\ (6 subtraces) (ID = 119541)
5:31 PM: HKLM\software\classes\clsid\{07f0caa0-8206-9dcc-5402-d4cc24ec1764}\ (6 subtraces) (ID = 119562)
5:31 PM: HKLM\software\classes\clsid\{09098a2e-29b4-d7ac-c8ec-1c448eba69e3}\ (4 subtraces) (ID = 119573)
5:31 PM: HKLM\software\classes\clsid\{09248dc7-285d-a208-7675-8d1bac7208c9}\ (6 subtraces) (ID = 119574)
5:31 PM: HKLM\software\classes\clsid\{1b9cee94-e0d7-13cf-2da8-ca3c766eaad0}\ (6 subtraces) (ID = 119581)
5:31 PM: HKLM\software\classes\clsid\{1d232f9d-941d-5cd9-732f-8f6ec1977cf2}\ (6 subtraces) (ID = 119595)
5:31 PM: HKLM\software\classes\clsid\{1de20533-9118-bf9a-a6c6-f8e881a5fd4b}\ (6 subtraces) (ID = 119599)
5:31 PM: HKLM\software\classes\clsid\{1e920882-80ef-bd61-dbbd-0847c13d1197}\ (2 subtraces) (ID = 119603)
5:31 PM: HKLM\software\classes\clsid\{1f846f72-8833-7b85-fbf7-b2d81d30ab82}\ (4 subtraces) (ID = 119611)
5:31 PM: HKLM\software\classes\clsid\{1fe935ff-db66-ac76-99d8-18ec1f0f013c}\ (6 subtraces) (ID = 119613)
5:31 PM: HKLM\software\classes\clsid\{2a97db56-e2b4-967c-af9f-07fdf74289c2}\ (6 subtraces) (ID = 119615)
5:31 PM: HKLM\software\classes\clsid\{2cb60d9d-ba37-058c-7ea3-a52155f01235}\ (6 subtraces) (ID = 119630)
5:31 PM: HKLM\software\classes\clsid\{2d99fd34-f395-dfb0-0852-36d4976f6e3d}\ (6 subtraces) (ID = 119640)
5:31 PM: HKLM\software\classes\clsid\{2fb10b1f-e342-08a1-cbaa-d4a2cd2abac6}\ (2 subtraces) (ID = 119651)
5:31 PM: HKLM\software\classes\clsid\{3e429b2a-880e-f81f-ccf2-035c43170ae9}\localserver32\ (1 subtraces) (ID = 119681)
5:31 PM: HKLM\software\classes\clsid\{4e11a0fd-72a3-aef3-d4e4-e168f75a238e}\ (6 subtraces) (ID = 119727)
5:31 PM: HKLM\software\classes\clsid\{4fbb115d-894b-592c-e7c1-41e7c088266f}\localserver32\ (1 subtraces) (ID = 119736)
5:31 PM: HKLM\software\classes\clsid\{5da6ca48-7d98-bc0b-40ef-22ac6558668a}\ (6 subtraces) (ID = 119768)
5:31 PM: HKLM\software\classes\clsid\{5f0db282-2c0a-ae7b-a81a-1451175e7cc1}\ (2 subtraces) (ID = 119782)
5:31 PM: HKLM\software\classes\clsid\{5f32646e-6d3e-257c-2369-efd1a3a012f8}\ (6 subtraces) (ID = 119786)
5:31 PM: HKLM\software\classes\clsid\{5fa0cf1e-5ff7-5212-6d7d-5710e683babb}\ (6 subtraces) (ID = 119788)
5:31 PM: HKLM\software\classes\clsid\{6a493714-8012-621e-a09e-cd80ff52fb1f}\ (2 subtraces) (ID = 119795)
5:31 PM: HKLM\software\classes\clsid\{6d012127-abb2-bf82-d02a-24cbbd599720}\ (6 subtraces) (ID = 119818)
5:31 PM: HKLM\software\classes\clsid\{6ddf3af2-cb9d-199d-044c-9941e91e7cff}\ (2 subtraces) (ID = 119824)
5:31 PM: HKLM\software\classes\clsid\{8bb0647d-d9c2-cb7b-7651-2618bd82261b}\ (6 subtraces) (ID = 119882)
5:31 PM: HKLM\software\classes\clsid\{8c5ccfeb-d80b-9087-ae97-c7343da6efdd}\ (2 subtraces) (ID = 119890)
5:31 PM: HKLM\software\classes\clsid\{8f60435f-df74-6308-e8cb-509d69906821}\ (6 subtraces) (ID = 119907)
5:31 PM: HKLM\software\classes\clsid\{9d7705a4-9543-9869-8249-f62ac961bda5}\ (6 subtraces) (ID = 119929)
5:31 PM: HKLM\software\classes\clsid\{9e0852d7-12f7-9aeb-b1f6-766a430f01c0}\ (2 subtraces) (ID = 119931)
5:31 PM: HKLM\software\classes\clsid\{10d837d7-d6ea-8bce-37fb-e58a2e09397b}\ (6 subtraces) (ID = 119952)
5:31 PM: HKLM\software\classes\clsid\{16c710fd-4c93-9c02-15fc-681df7937350}\ (6 subtraces) (ID = 119958)
5:31 PM: HKLM\software\classes\clsid\{22e7067a-283f-cf1c-4373-210a97c38bdb}\ (6 subtraces) (ID = 119975)
5:31 PM: HKLM\software\classes\clsid\{35cdce87-6bd6-878a-d4c9-24118a153d34}\ (6 subtraces) (ID = 120009)
5:31 PM: HKLM\software\classes\clsid\{47b70b6f-a6b0-230a-43c3-9f9b5c710209}\ (6 subtraces) (ID = 120039)
5:31 PM: HKLM\software\classes\clsid\{47da2122-90a1-597c-94d7-20963f392761}\ (6 subtraces) (ID = 120040)
5:31 PM: HKLM\software\classes\clsid\{62b52b4d-547b-bfc7-9850-79709fdecf27}\ (6 subtraces) (ID = 120079)
5:31 PM: HKLM\software\classes\clsid\{66f81d4b-90ba-d6b9-a3dd-81424b154345}\localserver32\ (1 subtraces) (ID = 120094)
5:31 PM: HKLM\software\classes\clsid\{67d02480-710b-80d7-0624-27bb57b32cde}\ (6 subtraces) (ID = 120096)
5:31 PM: HKLM\software\classes\clsid\{86b29a5f-cb91-3c3d-28a2-eda38c1f28a8}\ (6 subtraces) (ID = 120144)
5:31 PM: HKLM\software\classes\clsid\{97e37285-b9d3-035e-821f-3ebe4f849c3d}\ (6 subtraces) (ID = 120169)
5:31 PM: HKLM\software\classes\clsid\{735ddac7-f8f1-47dd-d87a-6af0100b6a48}\ (6 subtraces) (ID = 120268)
5:31 PM: HKLM\software\classes\clsid\{786a41bb-009d-dd27-ea3e-15dcd01ec75c}\ (6 subtraces) (ID = 120276)
5:31 PM: HKLM\software\classes\clsid\{792a038a-9c16-9885-5b25-ce939788172a}\ (5 subtraces) (ID = 120278)
5:31 PM: HKLM\software\classes\clsid\{841cb982-c366-4290-3f00-95a1a5f3c340}\ (6 subtraces) (ID = 120287)
5:31 PM: HKLM\software\classes\clsid\{865e2cec-dcdc-cf30-c932-8a491f233655}\ (2 subtraces) (ID = 120291)
5:31 PM: HKLM\software\classes\clsid\{929f8e8d-2c15-4240-e685-fa3c645381c5}\ (6 subtraces) (ID = 120301)
5:31 PM: HKLM\software\classes\clsid\{966fa744-197f-e95e-eb31-73be39619de2}\ (6 subtraces) (ID = 120311)
5:31 PM: HKLM\software\classes\clsid\{3757d8ec-fd1d-a2f5-366b-c8c2fee89b04}\ (6 subtraces) (ID = 120338)
5:31 PM: HKLM\software\classes\clsid\{5932f9cb-e60e-11c7-5ba5-2cd8198cbdb4}\localserver32\ (1 subtraces) (ID = 120359)
5:31 PM: HKLM\software\classes\clsid\{7868ec16-8c67-1dbd-6d5a-ebb325881bd9}\ (6 subtraces) (ID = 120379)
5:31 PM: HKLM\software\classes\clsid\{8169e4d3-2914-c956-aafe-f49d78c929a8}\ (6 subtraces) (ID = 120384)
5:31 PM: HKLM\software\classes\clsid\{8669abb2-7410-3460-f449-e119dca24cc4}\ (6 subtraces) (ID = 120392)
5:31 PM: HKLM\software\classes\clsid\{12130dcb-3df4-96ec-27b9-61e0d766f680}\ (6 subtraces) (ID = 120410)
5:31 PM: HKLM\software\classes\clsid\{43372d0d-6ead-977a-99ee-8dfb043153ed}\ (2 subtraces) (ID = 120427)
5:31 PM: HKLM\software\classes\clsid\{88289cad-8761-b286-1697-48c2e3a53747}\ (6 subtraces) (ID = 120464)
5:31 PM: HKLM\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 120496)
5:31 PM: HKLM\software\classes\clsid\{765369c1-d4e0-d6a4-69b4-6261d4e1319a}\ (5 subtraces) (ID = 120499)
5:31 PM: HKLM\software\classes\clsid\{795714a8-c9c0-e8bd-30db-a0da3b603993}\ (6 subtraces) (ID = 120501)
5:31 PM: HKLM\software\classes\clsid\{1082088a-e784-5093-f9a0-07e5588fa67c}\ (6 subtraces) (ID = 120510)
5:31 PM: HKLM\software\classes\clsid\{1323178d-09e3-b628-cc3a-95630b64b7da}\ (6 subtraces) (ID = 120511)
5:31 PM: HKLM\software\classes\clsid\{3508830d-8a20-1c38-52a8-8dc8b11ee6f4}\ (6 subtraces) (ID = 120517)
5:31 PM: HKLM\software\classes\clsid\{9320654e-9dd7-7b4e-fd11-be169ac706f5}\ (6 subtraces) (ID = 120528)
5:31 PM: HKLM\software\classes\clsid\{61682029-a490-5c49-d9fd-682fb2da97af}\ (6 subtraces) (ID = 120553)
5:31 PM: HKLM\software\classes\clsid\{a9629e20-9b59-1f5f-58ae-e699d9122e1f}\ (6 subtraces) (ID = 120627)
5:31 PM: HKLM\software\classes\clsid\{a167704a-0f01-8543-16a8-ecf3eba5dc01}\ (6 subtraces) (ID = 120631)
5:31 PM: HKLM\software\classes\clsid\{a8703447-9782-72d3-aa41-606a7e155ce5}\ (6 subtraces) (ID = 120637)
5:31 PM: HKLM\software\classes\clsid\{ab8789ce-01b6-4b58-c2c0-77d8144d5741}\ (6 subtraces) (ID = 120649)
5:31 PM: HKLM\software\classes\clsid\{af197e67-53b8-6c01-4733-3e7c25ba3a3b}\ (6 subtraces) (ID = 120672)
5:31 PM: HKLM\software\classes\clsid\{b9e19da8-10a7-4e21-2fbb-fdc66e0cc0b9}\ (2 subtraces) (ID = 120696)
5:31 PM: HKLM\software\classes\clsid\{b36d5282-d413-f545-cf79-a6ce970cfebb}\ (6 subtraces) (ID = 120700)
5:31 PM: HKLM\software\classes\clsid\{b78461f4-0e43-85fe-00b7-c15b18b07b4e}\ (2 subtraces) (ID = 120726)
5:31 PM: HKLM\software\classes\clsid\{bc0fe7f5-ad1d-a795-c683-f3eb54072efe}\ (6 subtraces) (ID = 120747)
5:31 PM: HKLM\software\classes\clsid\{c092cea0-fb34-5e12-83ed-47942941decc}\ (6 subtraces) (ID = 120776)
5:31 PM: HKLM\software\classes\clsid\{c42cf26e-2b02-05de-7d7b-a16c5c2095bb}\ (11 subtraces) (ID = 120824)
5:31 PM: HKLM\software\classes\clsid\{c53d27e6-2a68-7cd9-a09f-541ef27b2319}\ (6 subtraces) (ID = 120827)
5:31 PM: HKLM\software\classes\clsid\{c74df792-dd4b-4b33-4d25-bb3e8a211bb3}\ (6 subtraces) (ID = 120833)
5:31 PM: HKLM\software\classes\clsid\{c81edefc-5ab9-55d2-cded-3c677e07b4e6}\ (6 subtraces) (ID = 120835)
5:31 PM: HKLM\software\classes\clsid\{c6984483-d454-b316-4040-575b9fb13d11}\ (6 subtraces) (ID = 120866)
5:31 PM: HKLM\software\classes\clsid\{c9368290-de0b-80ff-0e2d-8933f6ca1a46}\ (6 subtraces) (ID = 120869)
5:31 PM: HKLM\software\classes\clsid\{d0efc5ad-b041-13c1-482f-cf46efeff6c3}\ (6 subtraces) (ID = 120917)
5:31 PM: HKLM\software\classes\clsid\{d7b5394e-d013-3545-35d0-45376236a8dc}\ (4 subtraces) (ID = 120931)
5:31 PM: HKLM\software\classes\clsid\{d27dd7b4-a72b-4b66-2bd3-262b793a3c2c}\ (6 subtraces) (ID = 120941)
5:31 PM: HKLM\software\classes\clsid\{d85fbaa5-5f33-6173-d800-efd4e38ae63e}\ (6 subtraces) (ID = 120949)
5:31 PM: HKLM\software\classes\clsid\{d223f02d-058e-2cfe-d02d-81826009252b}\ (6 subtraces) (ID = 120951)
5:31 PM: HKLM\software\classes\clsid\{d605eaff-2c3a-4619-43c1-4ffb062f68de}\ (6 subtraces) (ID = 120957)
5:31 PM: HKLM\software\classes\clsid\{d4451521-f203-568e-2657-c5ad1f0b1f77}\ (2 subtraces) (ID = 120975)
5:31 PM: HKLM\software\classes\clsid\{db3ff0a6-7ad3-085e-3e59-a4318e82d4a8}\ (6 subtraces) (ID = 120993)
5:31 PM: HKLM\software\classes\clsid\{de064cf5-809e-a243-cc14-f5427e5967a1}\ (6 subtraces) (ID = 121020)
5:31 PM: HKLM\software\classes\clsid\{df74f87a-b7c0-f480-1d25-d81a257b3152}\ (6 subtraces) (ID = 121029)
5:31 PM: HKLM\software\classes\clsid\{dfc94122-75a0-85e3-3738-430a8b983c39}\ (6 subtraces) (ID = 121032)
5:31 PM: HKLM\software\classes\clsid\{e36a99d7-088f-a5e8-1ba4-87116d938d49}\ (2 subtraces) (ID = 121071)
5:31 PM: HKLM\software\classes\clsid\{e404f826-abe4-d856-61ba-bcbd539933f8}\ (2 subtraces) (ID = 121088)
5:31 PM: HKLM\software\classes\clsid\{e24280f1-5872-dd80-6349-14510dfcb851}\ (6 subtraces) (ID = 121099)
5:31 PM: HKLM\software\classes\clsid\{e365460d-7563-2763-5e38-85f172854eac}\ (6 subtraces) (ID = 121102)
5:31 PM: HKLM\software\classes\clsid\{e647591b-d33e-72b8-a7f0-9d55c2a7369d}\ (6 subtraces) (ID = 121105)
5:31 PM: HKLM\software\classes\clsid\{e9342878-fcea-230b-e4d2-5712935070ea}\ (25 subtraces) (ID = 121110)
5:31 PM: HKLM\software\classes\clsid\{eceaf197-b6ef-9e38-0846-ff3bb03983ad}\ (6 subtraces) (ID = 121136)
5:31 PM: HKLM\software\classes\clsid\{edb7ff48-2cc7-7131-a993-53c8f83dd550}\ (6 subtraces) (ID = 121142)
5:31 PM: HKLM\software\classes\clsid\{f0d9b410-3c4f-707c-2e2d-529e64aa2118}\ (2 subtraces) (ID = 121169)
5:31 PM: HKLM\software\classes\clsid\{f065e398-2acb-9034-8b2a-28a827ff521f}\ (6 subtraces) (ID = 121173)
5:31 PM: HKLM\software\classes\clsid\{f3dd5740-8c65-5ff3-1225-f170898543b8}\ (25 subtraces) (ID = 121183)
5:31 PM: HKLM\software\classes\clsid\{f6eb941e-9dcd-6e07-e139-d2ab90baae62}\ (6 subtraces) (ID = 121195)
5:31 PM: HKLM\software\classes\clsid\{f7dfcd4f-46cd-bda8-264c-0a68205f4979}\ (6 subtraces) (ID = 121199)
5:31 PM: HKLM\software\classes\clsid\{f704a16d-ba8a-0dd4-cb9e-f0fa4a957d8d}\ (6 subtraces) (ID = 121218)
5:31 PM: HKLM\software\classes\clsid\{f2352fd0-b78a-fc66-ee98-5dfbf99e1f48}\ (5 subtraces) (ID = 121227)
5:31 PM: HKLM\software\classes\clsid\{f317424c-8ecc-86c7-5e5b-7aa1bd81d1c4}\ (6 subtraces) (ID = 121236)
5:31 PM: HKLM\software\classes\clsid\{f6802757-10ab-dbc8-719a-c48394d31082}\ (6 subtraces) (ID = 121240)
5:31 PM: HKLM\software\classes\clsid\{fa986cde-0fa2-33a9-ecfd-8291dfa81985}\ (6 subtraces) (ID = 121245)
5:31 PM: HKLM\software\classes\clsid\{fb277f1b-89b6-a114-dd01-ec507a933f39}\ (2 subtraces) (ID = 121251)
5:31 PM: HKLM\software\classes\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (6 subtraces) (ID = 121261)
5:31 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{e9342878-fcea-230b-e4d2-5712935070ea}\ (1 subtraces) (ID = 123185)
5:31 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{f3dd5740-8c65-5ff3-1225-f170898543b8}\ (1 subtraces) (ID = 123226)
5:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\hsa\ (2 subtraces) (ID = 123379)
5:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\se\ (2 subtraces) (ID = 123380)
5:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sw\ (2 subtraces) (ID = 123381)
5:31 PM: Found Adware: cws_ns3 hijacker
5:31 PM: HKU\S-1-5-21-1093769409-3884940249-2795263750-500\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
5:31 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
5:31 PM: HKU\S-1-5-21-1093769409-3884940249-2795263750-500\software\microsoft\internet explorer\main\ || search page (ID = 123391)
5:31 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 123391)
5:31 PM: HKLM\software\microsoft\internet explorer\main\ || default_search_url (ID = 123394)
5:31 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 123395)
5:31 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 123396)
5:31 PM: HKU\S-1-5-21-1093769409-3884940249-2795263750-500\software\microsoft\internet explorer\search\ || searchassistant (ID = 123398)
5:31 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 123399)
5:31 PM: HKCR\clsid\{1c1f1b09-c5de-0c47-b128-b83f5668eb83}\ (2 subtraces) (ID = 123822)
5:31 PM: HKCR\clsid\{2a6a2eff-2fc6-683c-5911-bb1ac07e5964}\ (6 subtraces) (ID = 123826)
5:31 PM: HKCR\clsid\{5b9a8be3-69a5-661b-3bb5-fa99e29d5453}\ (6 subtraces) (ID = 123842)
5:31 PM: HKCR\clsid\{5c2b2d9c-60fc-5f4c-5894-68eb7dfa3935}\ (2 subtraces) (ID = 123845)
5:31 PM: HKCR\clsid\{7da446bf-5485-78f9-cc9a-2a02c93519e4}\ (6 subtraces) (ID = 123852)
5:31 PM: HKCR\clsid\{7dfa112f-21b6-72ce-a5de-09feaf22c151}\ (2 subtraces) (ID = 123853)
5:31 PM: HKCR\clsid\{8a0fedbb-3762-aeb7-e85e-6bcc16f76759}\ (6 subtraces) (ID = 123856)
5:31 PM: HKCR\clsid\{8d1df6ce-07e4-c211-83f6-537e054edc98}\ (6 subtraces) (ID = 123862)
5:31 PM: HKCR\clsid\{9b9d4a7d-1232-e364-432d-b58ecfae5af4}\ (6 subtraces) (ID = 123866)
5:31 PM: HKCR\clsid\{33ebb320-a2d5-6fd7-6d31-ba458c872abd}\ (2 subtraces) (ID = 123879)
5:31 PM: HKCR\clsid\{64ab146b-0c39-dec3-5aed-e2da773c655f}\ (6 subtraces) (ID = 123888)
5:31 PM: HKCR\clsid\{69c2d4b0-ce91-aab5-0bb5-4f75b848492d}\ (6 subtraces) (ID = 123892)
5:31 PM: HKCR\clsid\{226ef23f-8451-8515-bc02-3d0252c01453}\ (2 subtraces) (ID = 123906)
5:31 PM: HKCR\clsid\{497aeaf3-0f8f-a4b6-48f2-a80144d90604}\ (4 subtraces) (ID = 123915)
5:31 PM: HKCR\clsid\{59935bc1-5f4b-96f1-f3b6-c6b36821d102}\ (6 subtraces) (ID = 123942)
5:31 PM: HKCR\clsid\{a45c982e-5e8a-94c9-33a0-1f6e1789ac7e}\ (6 subtraces) (ID = 123957)
5:31 PM: HKCR\clsid\{a72caeb7-7e44-7941-564b-a741d28b01db}\ (6 subtraces) (ID = 123959)
5:31 PM: HKCR\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\ (6 subtraces) (ID = 123961)
5:31 PM: HKCR\clsid\{b7abd257-6e0c-e7f0-26f5-0315127e44c2}\ (6 subtraces) (ID = 123971)
5:31 PM: HKCR\clsid\{bfb13f83-4e3b-a3c3-d100-fee3424cd9c0}\ (6 subtraces) (ID = 123985)
5:31 PM: HKCR\clsid\{da826568-8230-c8bc-199c-3e738a0e5a48}\ (6 subtraces) (ID = 124012)
5:31 PM: HKCR\clsid\{eac3a0ef-0931-c087-dd54-10e2ce664097}\ (6 subtraces) (ID = 124027)
5:31 PM: HKCR\clsid\{f80f0d50-2d6c-75c3-606a-3dfe0f4fc5d0}\ (2 subtraces) (ID = 124034)
5:31 PM: HKCR\clsid\{f2903213-c2d0-b852-f56d-8b10d6c8c121}\ (2 subtraces) (ID = 124037)
5:31 PM: HKLM\software\classes\clsid\{1c1f1b09-c5de-0c47-b128-b83f5668eb83}\ (2 subtraces) (ID = 124057)
5:31 PM: HKLM\software\classes\clsid\{2a6a2eff-2fc6-683c-5911-bb1ac07e5964}\ (6 subtraces) (ID = 124061)
5:31 PM: HKLM\software\classes\clsid\{5b9a8be3-69a5-661b-3bb5-fa99e29d5453}\ (6 subtraces) (ID = 124077)
5:31 PM: HKLM\software\classes\clsid\{5c2b2d9c-60fc-5f4c-5894-68eb7dfa3935}\ (2 subtraces) (ID = 124079)
5:31 PM: HKLM\software\classes\clsid\{7da446bf-5485-78f9-cc9a-2a02c93519e4}\ (6 subtraces) (ID = 124086)
5:31 PM: HKLM\software\classes\clsid\{7dfa112f-21b6-72ce-a5de-09feaf22c151}\ (2 subtraces) (ID = 124087)
5:31 PM: HKLM\software\classes\clsid\{8a0fedbb-3762-aeb7-e85e-6bcc16f76759}\ (6 subtraces) (ID = 124090)
5:31 PM: HKLM\software\classes\clsid\{8d1df6ce-07e4-c211-83f6-537e054edc98}\ (6 subtraces) (ID = 124096)
5:31 PM: HKLM\software\classes\clsid\{9b9d4a7d-1232-e364-432d-b58ecfae5af4}\ (6 subtraces) (ID = 124099)
5:31 PM: HKLM\software\classes\clsid\{33ebb320-a2d5-6fd7-6d31-ba458c872abd}\ (2 subtraces) (ID = 124112)
5:31 PM: HKLM\software\classes\clsid\{64ab146b-0c39-dec3-5aed-e2da773c655f}\ (6 subtraces) (ID = 124120)
5:31 PM: HKLM\software\classes\clsid\{69c2d4b0-ce91-aab5-0bb5-4f75b848492d}\ (6 subtraces) (ID = 124124)
5:31 PM: HKLM\software\classes\clsid\{226ef23f-8451-8515-bc02-3d0252c01453}\ (2 subtraces) (ID = 124137)
5:31 PM: HKLM\software\classes\clsid\{497aeaf3-0f8f-a4b6-48f2-a80144d90604}\ (4 subtraces) (ID = 124146)
5:31 PM: HKLM\software\classes\clsid\{59935bc1-5f4b-96f1-f3b6-c6b36821d102}\ (6 subtraces) (ID = 124170)
5:31 PM: HKLM\software\classes\clsid\{98832348-0e38-d102-51a5-517934760119}\ (6 subtraces) (ID = 124179)
5:31 PM: HKLM\software\classes\clsid\{a45c982e-5e8a-94c9-33a0-1f6e1789ac7e}\ (6 subtraces) (ID = 124186)
5:31 PM: HKLM\software\classes\clsid\{a72caeb7-7e44-7941-564b-a741d28b01db}\ (6 subtraces) (ID = 124188)
5:31 PM: HKLM\software\classes\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\ (6 subtraces) (ID = 124190)
5:31 PM: HKLM\software\classes\clsid\{b7abd257-6e0c-e7f0-26f5-0315127e44c2}\ (6 subtraces) (ID = 124201)
5:31 PM: HKLM\software\classes\clsid\{bfb13f83-4e3b-a3c3-d100-fee3424cd9c0}\ (6 subtraces) (ID = 124214)
5:31 PM: HKLM\software\classes\clsid\{da826568-8230-c8bc-199c-3e738a0e5a48}\ (6 subtraces) (ID = 124241)
5:31 PM: HKLM\software\classes\clsid\{eac3a0ef-0931-c087-dd54-10e2ce664097}\ (6 subtraces) (ID = 124255)
5:31 PM: HKLM\software\classes\clsid\{f80f0d50-2d6c-75c3-606a-3dfe0f4fc5d0}\ (2 subtraces) (ID = 124262)
5:31 PM: HKLM\software\classes\clsid\{f2903213-c2d0-b852-f56d-8b10d6c8c121}\ (2 subtraces) (ID = 124264)
5:31 PM: Found Trojan Horse: trojan-downloader-winshow
5:31 PM: HKCR\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\ (4 subtraces) (ID = 144887)
5:31 PM: HKLM\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\ (4 subtraces) (ID = 144894)
5:31 PM: Found Trojan Horse: trojan_downloader_tibser
5:31 PM: HKCR\clsid\{4ee6b1b9-e3c3-db03-16bb-541af46efca3}\ (6 subtraces) (ID = 145073)
5:31 PM: HKCR\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\ (6 subtraces) (ID = 145079)
5:31 PM: HKCR\clsid\{d29fdf9c-92f0-18bd-01ed-22a5dbb07081}\ (2 subtraces) (ID = 145087)
5:31 PM: HKCR\clsid\{e4c72eda-8bdb-7d77-0f8c-37f041df909d}\ (6 subtraces) (ID = 145088)
5:31 PM: HKLM\software\classes\clsid\{4ee6b1b9-e3c3-db03-16bb-541af46efca3}\ (6 subtraces) (ID = 145090)
5:31 PM: HKLM\software\classes\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\ (6 subtraces) (ID = 145096)
5:31 PM: HKLM\software\classes\clsid\{d29fdf9c-92f0-18bd-01ed-22a5dbb07081}\ (2 subtraces) (ID = 145104)
5:31 PM: HKLM\software\classes\clsid\{e4c72eda-8bdb-7d77-0f8c-37f041df909d}\ (6 subtraces) (ID = 145105)
5:31 PM: Found Adware: tvmedia
5:31 PM: HKCR\clsid\{39036bd7-3708-ac69-49ca-78f80350cdf7}\ (6 subtraces) (ID = 145302)
5:31 PM: HKLM\software\classes\clsid\{39036bd7-3708-ac69-49ca-78f80350cdf7}\ (6 subtraces) (ID = 145306)
5:31 PM: Found Adware: winad
5:31 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (9 subtraces) (ID = 147185)
5:31 PM: Found Adware: psguard
5:31 PM: HKCR\clsid\{057e242f-2947-4e0a-8e61-a11345d97ea6}\ (ID = 487711)
5:31 PM: HKLM\software\classes\clsid\{057e242f-2947-4e0a-8e61-a11345d97ea6}\ (ID = 488236)
5:31 PM: HKLM\software\classes\clsid\{17e02586-a91d-4a9d-a74e-187b05dffe6f}\ (5 subtraces) (ID = 703881)
5:31 PM: HKLM\software\classes\clsid\{1bd98dfd-2da9-4c54-85d7-be03a0f9c487}\ (5 subtraces) (ID = 703887)
5:31 PM: HKLM\software\classes\clsid\{1c94ea51-3800-4f08-b5dc-a5b67823ffea}\ (5 subtraces) (ID = 703893)
5:31 PM: HKLM\software\classes\clsid\{20d1af34-6e19-42d8-af9f-bdfbe45c2454}\ (5 subtraces) (ID = 703899)
5:31 PM: HKLM\software\classes\clsid\{21e132c9-1f98-4151-bdad-7d9b49c60a8e}\ (5 subtraces) (ID = 703905)
5:31 PM: HKLM\software\classes\clsid\{23f7ad29-f51a-4ba1-be70-143b1cb25bd1}\ (5 subtraces) (ID = 703911)
5:31 PM: HKLM\software\classes\clsid\{2c59d5ec-6b91-4896-bd6f-5f121d87a7f8}\ (5 subtraces) (ID = 703917)
5:31 PM: HKLM\software\classes\clsid\{2f34e0e0-f0bb-477f-afb8-509262fa0ad1}\ (15 subtraces) (ID = 703923)
5:31 PM: HKLM\software\classes\clsid\{35ed274e-3f42-4a78-bbdc-3b7d73e85578}\ (5 subtraces) (ID = 703939)
5:31 PM: HKLM\software\classes\clsid\{3d74d140-f780-4ae3-8d6d-f8dc39107213}\ (5 subtraces) (ID = 703945)
5:31 PM: HKLM\software\classes\clsid\{49443d6e-ce4e-47a9-8deb-f5774ce14984}\ (15 subtraces) (ID = 703951)
5:31 PM: HKLM\software\classes\clsid\{52034ad2-914c-4634-b375-9299631e5525}\ (15 subtraces) (ID = 703967)
5:31 PM: HKLM\software\classes\clsid\{7702c521-76ae-42c0-a181-3b5a96c2eef7}\ (5 subtraces) (ID = 703983)
5:31 PM: HKLM\software\classes\clsid\{7adda344-1d36-4446-9f4b-b2351fb19efd}\ (15 subtraces) (ID = 703989)
5:31 PM: HKLM\software\classes\clsid\{7d98221e-af8f-4d29-8bb1-1dfabc288173}\ (15 subtraces) (ID = 704005)
5:31 PM: HKLM\software\classes\clsid\{9746b450-6064-4ec8-9480-72a289aa2237}\ (5 subtraces) (ID = 704021)
5:31 PM: HKLM\software\classes\clsid\{c5a40fce-0a0f-40ca-985e-661c28b5b431}\ (15 subtraces) (ID = 704027)
5:31 PM: HKLM\software\classes\clsid\{c7f22879-7151-4c71-8c50-9557afda66c6}\ (5 subtraces) (ID = 704043)
5:31 PM: HKLM\software\classes\clsid\{ca5e7959-60b5-47b7-80ac-1606309733f3}\ (5 subtraces) (ID = 704049)
5:31 PM: HKLM\software\classes\clsid\{ceabf027-6cdc-4d47-adf6-ac5d065826a6}\ (15 subtraces) (ID = 704055)
5:31 PM: HKLM\software\classes\clsid\{e5d78bd8-3874-4aa0-9d45-cfb79382c484}\ (15 subtraces) (ID = 704077)
5:31 PM: HKCR\clsid\{15dc7116-e58e-4395-a45a-a1c99b17c030}\ (6 subtraces) (ID = 704636)
5:31 PM: HKCR\clsid\{17e02586-a91d-4a9d-a74e-187b05dffe6f}\ (5 subtraces) (ID = 704643)
5:31 PM: HKCR\clsid\{1bd98dfd-2da9-4c54-85d7-be03a0f9c487}\ (5 subtraces) (ID = 704649)
5:31 PM: HKCR\clsid\{1c94ea51-3800-4f08-b5dc-a5b67823ffea}\ (5 subtraces) (ID = 704655)
5:31 PM: HKCR\clsid\{20d1af34-6e19-42d8-af9f-bdfbe45c2454}\ (5 subtraces) (ID = 704661)
5:31 PM: HKCR\clsid\{21e132c9-1f98-4151-bdad-7d9b49c60a8e}\ (5 subtraces) (ID = 704667)
5:31 PM: HKCR\clsid\{23f7ad29-f51a-4ba1-be70-143b1cb25bd1}\ (5 subtraces) (ID = 704673)
5:31 PM: HKCR\clsid\{2c59d5ec-6b91-4896-bd6f-5f121d87a7f8}\ (5 subtraces) (ID = 704679)
5:31 PM: HKCR\clsid\{2f34e0e0-f0bb-477f-afb8-509262fa0ad1}\ (15 subtraces) (ID = 704685)
5:31 PM: HKCR\clsid\{35ed274e-3f42-4a78-bbdc-3b7d73e85578}\ (5 subtraces) (ID = 704701)
5:31 PM: HKCR\clsid\{3d74d140-f780-4ae3-8d6d-f8dc39107213}\ (5 subtraces) (ID = 704707)
5:31 PM: HKCR\clsid\{49443d6e-ce4e-47a9-8deb-f5774ce14984}\ (15 subtraces) (ID = 704713)
5:31 PM: HKCR\clsid\{52034ad2-914c-4634-b375-9299631e5525}\ (15 subtraces) (ID = 704729)
5:31 PM: HKCR\clsid\{7702c521-76ae-42c0-a181-3b5a96c2eef7}\ (5 subtraces) (ID = 704745)
5:31 PM: HKCR\clsid\{7adda344-1d36-4446-9f4b-b2351fb19efd}\ (15 subtraces) (ID = 704751)
5:31 PM: HKCR\clsid\{7d98221e-af8f-4d29-8bb1-1dfabc288173}\ (15 subtraces) (ID = 704767)
5:31 PM: HKCR\clsid\{9746b450-6064-4ec8-9480-72a289aa2237}\ (5 subtraces) (ID = 704783)
5:31 PM: HKCR\clsid\{c5a40fce-0a0f-40ca-985e-661c28b5b431}\ (15 subtraces) (ID = 704789)
5:31 PM: HKCR\clsid\{c7f22879-7151-4c71-8c50-9557afda66c6}\ (5 subtraces) (ID = 704805)
5:31 PM: HKCR\clsid\{ca5e7959-60b5-47b7-80ac-1606309733f3}\ (5 subtraces) (ID = 704811)
5:31 PM: HKCR\clsid\{ceabf027-6cdc-4d47-adf6-ac5d065826a6}\ (15 subtraces) (ID = 704817)
5:31 PM: HKCR\clsid\{e0aa0493-c410-4cbd-b1db-1723374fa8e0}\ (5 subtraces) (ID = 704833)
5:31 PM: HKCR\clsid\{e5d78bd8-3874-4aa0-9d45-cfb79382c484}\ (15 subtraces) (ID = 704839)
5:31 PM: Registry Sweep Complete, Elapsed Time:00:00:15
5:31 PM: Starting Cookie Sweep
5:31 PM: Found Spy Cookie: addynamix cookie
5:31 PM: [email protected][1].txt (ID = 2062)
5:31 PM: Found Spy Cookie: atlas dmt cookie
5:31 PM: administrator@atdmt[2].txt (ID = 2253)
5:31 PM: Found Spy Cookie: cnt cookie
5:31 PM: administrator@cnt[1].txt (ID = 2422)
5:31 PM: Found Spy Cookie: overture cookie
5:31 PM: [email protected][1].txt (ID = 3106)
5:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:31 PM: Starting File Sweep
5:32 PM: c:\documents and settings\administrator\application data\shudder global limited (11 subtraces) (ID = -2147473536)
5:32 PM: c:\documents and settings\administrator\application data\shudder global limited\psguard (10 subtraces) (ID = -2147475035)
5:32 PM: c:\documents and settings\administrator\application data\winds_24 (ID = -2147481201)
5:32 PM: setuplog.txt:rkwswe (ID = 135288)
5:32 PM: q814995.log:zmomux (ID = 138517)
5:32 PM: netbl32.exe (ID = 135288)
5:32 PM: dhcpupg.log:ddzod (ID = 135984)
5:32 PM: kb842773.log:lamapg (ID = 138517)
5:32 PM: odbc.ini:tqsoqf (ID = 135288)
5:32 PM: sntgl.txt:awrnd (ID = 138517)
5:32 PM: com+.log:nkyyc (ID = 138517)
5:32 PM: wmsyspr9.prx:dhifz (ID = 138517)
5:32 PM: kb823182.log:ndsgth (ID = 135288)
5:32 PM: nqbob.txt:swqsmx (ID = 135288)
5:32 PM: cmsetacl.log:tzrrx (ID = 138517)
5:32 PM: mfcol32.exe (ID = 136491)
5:32 PM: mhttm.log:vsomgk (ID = 135984)
5:32 PM: d3xc.exe (ID = 136491)
5:32 PM: Warning: Failed to read file "c:\windows\:oqtnfu". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: eufin.log:csezi (ID = 135984)
5:32 PM: explorer.scf:udvxc (ID = 138517)
5:32 PM: kb890859.log:ywuno (ID = 138517)
5:32 PM: iedit.ini:qhttd (ID = 138517)
5:32 PM: appfk32.exe (ID = 136491)
5:32 PM: reglocs.old:sxicod (ID = 138517)
5:32 PM: iskps.log:wreqa (ID = 138517)
5:32 PM: iput.exe (ID = 143085)
5:32 PM: q329112.log:tvrpy (ID = 135984)
5:32 PM: q331958.log:dmawl (ID = 138517)
5:32 PM: phreq.log:hypkk (ID = 138517)
5:32 PM: netec32.exe (ID = 143085)
5:32 PM: addbp.exe (ID = 135984)
5:32 PM: awppu.txt:drysp (ID = 138517)
5:32 PM: ctdv10k1.cdf:snqmhm (ID = 138517)
5:32 PM: uywar.log:vcnai (ID = 135984)
5:32 PM: sbwin.ini:fdjrm (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:yshbe". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: wints32.exe (ID = 143085)
5:32 PM: rlxiv.dat:sowfk (ID = 135984)
5:32 PM: Found Adware: security iguard
5:32 PM: chmhelp.chm (ID = 75238)
5:32 PM: ierl32.exe (ID = 143085)
5:32 PM: cfqnd.log:tltvr (ID = 135984)
5:32 PM: kb828028.log:kczjb (ID = 138517)
5:32 PM: medblker.log:dtkmp (ID = 138517)
5:32 PM: dallt.log:pjccf (ID = 138517)
5:32 PM: hdupn.log:uhqzh (ID = 135984)
5:32 PM: ctdv10k2.cdf:hlcvw (ID = 138517)
5:32 PM: cror32.exe (ID = 135984)
5:32 PM: mzjdc.txt:yoyej (ID = 138517)
5:32 PM: vb.ini:xxoqh (ID = 138517)
5:32 PM: winnt32.log:rqrsc (ID = 138517)
5:32 PM: kb885884.log:jhgcn (ID = 138517)
5:32 PM: quicken.ini:rcnct (ID = 138517)
5:32 PM: hydys.dat:utrwq (ID = 135984)
5:32 PM: eljwv.txt:xlekj (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:cwjxoh". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: Warning: Failed to read file "c:\windows\". System Error. Code: 3.
The system cannot find the path specified
5:32 PM: appbg32.exe (ID = 138517)
5:32 PM: sdkhv32.exe (ID = 138517)
5:32 PM: netts32.exe (ID = 138517)
5:32 PM: efolu.log:ormnh (ID = 135984)
5:32 PM: phreq.log:eyows (ID = 135984)
5:32 PM: aufme.dat:zcrcq (ID = 138517)
5:32 PM: jhztx.txt:ayioe (ID = 135984)
5:32 PM: q815485.log:raicp (ID = 135984)
5:32 PM: mpaqd.txt:ybkcj (ID = 138517)
5:32 PM: imsins.bak:gvvln (ID = 135984)
5:32 PM: addfg32.exe (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\:dtroe". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: Warning: Failed to read file "c:\windows\:onvex". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: dmkdx.log:mzrmm (ID = 135984)
5:32 PM: d3lj.exe (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\:zuozil". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: hpqins01.dat:mdwew (ID = 138517)
5:32 PM: control.ini:qifjg (ID = 138517)
5:32 PM: hpzmdl01.dat:dceaa (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:cvolz". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: ivwsm.log:gcyxx (ID = 138517)
5:32 PM: auigv.log:hodxd (ID = 138517)
5:32 PM: nyqvj.log:autmt (ID = 138517)
5:32 PM: nhldr.log:nhius (ID = 138517)
5:32 PM: kb885836.log:hcenj (ID = 138517)
5:32 PM: fbkgd.log:ctbnr (ID = 135984)
5:32 PM: kb891781.log:xzsjt (ID = 138517)
5:32 PM: netfxocm.log:vgcgv (ID = 138517)
5:32 PM: kb893803.log:ztnwa (ID = 138517)
5:32 PM: popcinfo.dat:tmwib (ID = 138517)
5:32 PM: kb826939.log:rqnqa (ID = 135984)
5:32 PM: phreq.log:qbdok (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:mgmnqb". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: hdupn.log:jtnkw (ID = 138517)
5:32 PM: ivwsm.log:vkaqs (ID = 135984)
5:32 PM: exdfp.log:rcpit (ID = 138517)
5:32 PM: ykmyd.log:aprfo (ID = 138517)
5:32 PM: kb890859.log:flurim (ID = 138517)
5:32 PM: lktnj.txt:hiiyy (ID = 135984)
5:32 PM: wiaservc.log:dcoer (ID = 135984)
5:32 PM: kb893803.log:ckflg (ID = 138517)
5:32 PM: mozver.dat:ikoax (ID = 138517)
5:32 PM: vbaddin.ini:orwrn (ID = 138517)
5:32 PM: kb842773.log:gbazb (ID = 138517)
5:32 PM: quvzz.txt:dohcb (ID = 138517)
5:32 PM: gydsd.log:zgsnt (ID = 135984)
5:32 PM: kusbb.txt:gsulv (ID = 135984)
5:32 PM: addhf32.exe (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:hqalt". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: auigv.log:jujyq (ID = 138517)
5:32 PM: bnrrx.log:oyvau (ID = 138517)
5:32 PM: setuperr.log:znreha (ID = 135288)
5:32 PM: kb890923.log:ypbyi (ID = 135984)
5:32 PM: q331958.log:nkfrf (ID = 138517)
5:32 PM: ctdvaudy.cdf:tivru (ID = 138517)
5:32 PM: ypflj.txt:rrrlk (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:rglhj". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: mfcly.exe (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\:urnqw". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kb893066.log:hhepq (ID = 138517)
5:32 PM: eimve.log:hskfr (ID = 138517)
5:32 PM: msmqinst.log:ggftn (ID = 138517)
5:32 PM: vbaddin.ini:xlqcg (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:ghret". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: smscfg.ini:qsqej (ID = 138517)
5:32 PM: fnpai.txt:glppb (ID = 135984)
5:32 PM: ykmyd.log:jubse (ID = 135984)
5:32 PM: q329256.log:hqrge (ID = 138517)
5:32 PM: apiki32.exe (ID = 135984)
5:32 PM: kxmcn.log:rtjyb (ID = 135984)
5:32 PM: mldat.dat:qlzol (ID = 138517)
5:32 PM: orun32.isu:wzqum (ID = 138517)
5:32 PM: msmqinst.log:ojyerm (ID = 138517)
5:32 PM: dtcinstall.log:wvrqpq (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:qeipq". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kb838358.log:gvgfg (ID = 138517)
5:32 PM: hpoins03.dat:rohoo (ID = 138517)
5:32 PM: jhztx.txt:eekqe (ID = 138517)
5:32 PM: lwhum.log:rvvly (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\". System Error. Code: 3.
The system cannot find the path specified
5:32 PM: Warning: Failed to read file "c:\windows\:ethto". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kusbb.txt:ngmno (ID = 138517)
5:32 PM: hpzmdl01.dat:qhuqy (ID = 138517)
5:32 PM: nsw.log:rdshy (ID = 135984)
5:32 PM: msmqinst.log:zrwxf (ID = 138517)
5:32 PM: aucfg.ini:zumlg (ID = 135984)
5:32 PM: vjgqv.log:hvmeuf (ID = 135288)
5:32 PM: netul.exe (ID = 135984)
5:32 PM: tabletoc.log:amugz (ID = 138517)
5:32 PM: nteh32.exe (ID = 136491)
5:32 PM: dallt.log:zwyci (ID = 138517)
5:32 PM: knfcw.log:rkihx (ID = 138517)
5:32 PM: regopt.log:sytai (ID = 135984)
5:32 PM: upgrade.txt:eppkv (ID = 138517)
5:32 PM: crnk.exe (ID = 138517)
5:32 PM: sysqv32.exe (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:iullo". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: tniot.txt:balqk (ID = 138517)
5:32 PM: kb885836.log:bwybx (ID = 138517)
5:32 PM: msmqinst.log:xlajj (ID = 138517)
5:32 PM: ielj32.exe (ID = 138517)
5:32 PM: cdplayer.ini:mwkgk (ID = 135984)
5:32 PM: setuperr.log:dgtji (ID = 138517)
5:32 PM: cfqnd.log:gbnko (ID = 138517)
5:32 PM: hpimdl01.dat:yohll (ID = 138517)
5:32 PM: hydys.dat:ytuzn (ID = 138517)
5:32 PM: kb896422.log:pgiqy (ID = 138517)
5:32 PM: medblker.log:ktqus (ID = 135984)
5:32 PM: faxsetup.log:rbaai (ID = 138517)
5:32 PM: kb832418.log:wvdhx (ID = 135984)
5:32 PM: iis6.log:irgvig (ID = 135288)
5:32 PM: quicken.ini:doiph (ID = 138517)
5:32 PM: gogbo.log:rahel (ID = 135984)
5:32 PM: awppu.txt:wcuaa (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:ddwnm". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kb893066.log:lxwne (ID = 138517)
5:32 PM: hmqnp.txt:yidlg (ID = 138517)
5:32 PM: kb899588.log:azjpx (ID = 138517)
5:32 PM: mssh32.exe (ID = 138517)
5:32 PM: hmssb.txt:lcvjj (ID = 138517)
5:32 PM: kb890047.log:ashzr (ID = 138517)
5:32 PM: winzn32.exe (ID = 135984)
5:32 PM: uzkua.log:qrsinu (ID = 135984)
5:32 PM: tabletoc.log:wtfiz (ID = 138517)
5:32 PM: orncu.log:tmwqn (ID = 138517)
5:32 PM: lwhum.log:pkzrn (ID = 135984)
5:32 PM: jyrxp.log:vyrmq (ID = 135984)
5:32 PM: regopt.log:oclvy (ID = 135984)
5:32 PM: mfcic32.exe (ID = 138517)
5:32 PM: ntdv32.exe (ID = 138517)
5:32 PM: kb832418.log:mdzvk (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:irgifv". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kb893756.log:ycgsz (ID = 135984)
5:32 PM: uiypi.dat:dzraw (ID = 138517)
5:32 PM: q329256.log:rfthb (ID = 135984)
5:32 PM: d3er.exe (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\:jtfrk". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: upgrade.txt:zdpxf (ID = 135984)
5:32 PM: hpoins03.dat:rzbnv (ID = 138517)
5:32 PM: kb823182.log:zfayy (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\windows\:hxnse". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: vb.ini:yxkga (ID = 138517)
5:32 PM: wmsetup10.log:vpwxy (ID = 138517)
5:32 PM: winnt32.log:fpttu (ID = 138517)
5:32 PM: quicken.ini:fdlmd (ID = 135984)
5:32 PM: orun32.ini:qvuiy (ID = 135984)
5:32 PM: kb838358.log:txjgz (ID = 135984)
5:32 PM: mzjdc.txt:lnfti (ID = 138517)
5:32 PM: orun32.ini:nwbpb (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\:lrcgb". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kb896423.log:mfwct (ID = 135984)
5:32 PM: lktnj.txt:cibnf (ID = 135984)
5:32 PM: control.ini:qoczn (ID = 135984)
5:32 PM: vjgqv.log:nqing (ID = 138517)
5:32 PM: zuozi.log:wsqvu (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\:iqkzj". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: Warning: Failed to read file "c:\windows\:yfiin". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: kb824920.log:aogor (ID = 135984)
5:32 PM: nhldr.log:qqeuf (ID = 138517)
5:32 PM: ctdv10k2.cdf:koucm (ID = 135984)
5:32 PM: Warning: Failed to read file "c:\windows\". System Error. Code: 3.
The system cannot find the path specified
5:32 PM: Warning: Failed to read file "c:\windows\:ooxmh". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: ctdv10k1.cdf:dkzsj (ID = 135984)
5:32 PM: directx.log:rfzyy (ID = 135984)
5:32 PM: crsw.exe (ID = 138517)
5:33 PM: kb885884.log:rikkb (ID = 138517)
5:33 PM: dallt.log:koqie (ID = 135984)
5:33 PM: orncu.log:qmyxa (ID = 135984)
5:33 PM: appmb.exe (ID = 135984)
5:33 PM: Warning: Failed to read file "c:\windows\:rruts". System Error. Code:
  • 0
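A reading aid for the file sweep above, added here as an example and not part of the thread or of Webroot's own code. The entries of the form `setuplog.txt:rkwswe` are NTFS alternate data streams: the detection sits in a hidden stream attached to an otherwise legitimate file in C:\WINDOWS (patch logs, .ini files, CDF files), where neither `dir` nor Explorer of that era would show it. The warnings for `"c:\windows\:xxxxx"` with code 123 are read here as streams attached to the C:\WINDOWS directory itself: the scanner appears to have appended `\` and `:stream` to the directory name, a path Win32 rejects with ERROR_INVALID_NAME (123), so those streams were never opened. The parser below classifies a handful of lines copied from the log (the sample is constructed from lines above, including the two-line warning form and the truncated final warning) into stream-on-file, plain-file, unreadable-directory-stream and warning records; the classification rules are this example's own.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Spy Sweeper file sweep above,
# including the two-line "Warning" form (second line has no timestamp)
# and the truncated final warning exactly as the post ends.
SAMPLE_LOG = """\
5:31 PM: Starting File Sweep
5:32 PM: c:\\documents and settings\\administrator\\application data\\winds_24 (ID = -2147481201)
5:32 PM: setuplog.txt:rkwswe (ID = 135288)
5:32 PM: netbl32.exe (ID = 135288)
5:32 PM: phreq.log:hypkk (ID = 138517)
5:32 PM: Warning: Failed to read file "c:\\windows\\:oqtnfu". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:32 PM: phreq.log:eyows (ID = 135984)
5:32 PM: Found Adware: security iguard
5:32 PM: chmhelp.chm (ID = 75238)
5:32 PM: Warning: Failed to read file "c:\\windows\\". System Error. Code: 3.
The system cannot find the path specified
5:32 PM: phreq.log:qbdok (ID = 138517)
5:33 PM: Warning: Failed to read file "c:\\windows\\:rruts". System Error. Code:
"""

TS = re.compile(r"^(\d{1,2}:\d{2} [AP]M): (.*)$")
# "host.ext:stream (ID = n)"  or  "path (11 subtraces) (ID = n)"
ENTRY = re.compile(
    r"^(?P<name>.+?)(?::(?P<stream>[A-Za-z0-9_]+))?"
    r"(?: \((?P<sub>\d+) subtraces\))? \(ID = (?P<id>-?\d+)\)$")
WARN = re.compile(
    r'^Warning: Failed to read file "(?P<path>[^"]*)"\. System Error\. Code:'
    r'(?: (?P<code>\d+)\.)?$')
# "c:\windows\:stream": directory name + "\" + ":stream" is an invalid Win32
# path (error 123), which is why the scanner could not open these streams.
DIR_ADS = re.compile(r"^(?P<dir>.+)\\:(?P<stream>[A-Za-z0-9_]+)$")

WIN32_ERRORS = {3: "ERROR_PATH_NOT_FOUND", 123: "ERROR_INVALID_NAME"}


def parse_sweep(text):
    """Classify Spy Sweeper file-sweep lines; returns a dict of lists."""
    out = {
        "ads_on_file": [],         # (host file, stream name, signature id)
        "plain_file": [],          # (file or directory, signature id)
        "dir_ads_unreadable": [],  # streams on a directory the scanner failed to open
        "warnings": [],            # (path, win32 code or None, OS message)
        "categories": [],          # "Found Adware: ..." / "Found Spy Cookie: ..."
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = TS.match(line)
        if not m:
            # untimestamped line = OS message belonging to the previous warning
            if line and out["warnings"]:
                path, code, _ = out["warnings"][-1]
                out["warnings"][-1] = (path, code, line)
            continue
        body = m.group(2)
        w = WARN.match(body)
        if w:
            code = int(w.group("code")) if w.group("code") else None  # None = truncated line
            out["warnings"].append((w.group("path"), code, ""))
            d = DIR_ADS.match(w.group("path"))
            if d:
                out["dir_ads_unreadable"].append(d.group("stream"))
            continue
        if body.startswith("Found "):
            out["categories"].append(body)
            continue
        e = ENTRY.match(body)
        if e and e.group("stream"):
            out["ads_on_file"].append((e.group("name"), e.group("stream"), int(e.group("id"))))
        elif e:
            out["plain_file"].append((e.group("name"), int(e.group("id"))))
    return out


def hosts_by_stream_count(findings):
    """Which legitimate files were used most often as stream carriers."""
    return Counter(host for host, _, _ in findings["ads_on_file"])


def describe_warning(path, code, message):
    """One readable line per scanner warning, naming the Win32 error code."""
    name = WIN32_ERRORS.get(code, "unknown/truncated")
    return f"{path!r}: code {code} ({name}) {message}".rstrip()


if __name__ == "__main__":
    f = parse_sweep(SAMPLE_LOG)
    print("streams on files:", f["ads_on_file"])
    print("streams on C:\\WINDOWS itself:", f["dir_ads_unreadable"])
    print("most-used host files:", hosts_by_stream_count(f).most_common(3))
    for w in f["warnings"]:
        print(describe_warning(*w))
```

Run against the full log above, `hosts_by_stream_count` shows files such as phreq.log and the kb*.log patch logs each carrying several streams, which is why the host file names look harmless while the detections keep coming back. On newer Windows the same streams can be listed without a scanner: `dir /r` (Vista and later) or PowerShell's `Get-Item -Path C:\WINDOWS\setuplog.txt -Stream *`.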

#24
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Let's see if this works now:

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Reboot and post the log. :tazz:
  • 0

#25
burge1779

    Member

  • Topic Starter
  • Member
  • 22 posts
Ewido will not run. I have uninstalled and reinstalled it and still nothing.


Logfile of HijackThis v1.99.1
Scan saved at 10:59:36 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\jons\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maxni.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maxni.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C50E4BE1-5DBD-CF1C-E7DB-13BABB1AE884} - C:\WINDOWS\system32\atlee32.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...5e012/enter.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipnf32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#26
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Please do an online scan with Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • This program will start to scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#27
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Oops.. Double posted :tazz:

Edited by Rawe, 03 September 2005 - 02:42 AM.

  • 0

#28
burge1779

    Member

  • Topic Starter
  • Member
  • 22 posts
The Kaspersky log was too big to copy and paste, so I sent it as a zipped attachment!

Attached Files


  • 0

#29
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Download cureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb-cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian, who has now turned green.
Click on the green man in the right corner; it will scan ALL your drives, hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished.
  • 0

#30
burge1779

    Member

  • Topic Starter
  • Member
  • 22 posts
My homepage is staying where I set it to, and the pop-ups are still gone. I went ahead and ran Spybot to see if it would delete the homesearch. It found it, but it still would not remove it. I did this in normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 9:16:43 AM, on 9/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\maxni.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maxni.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maxni.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C50E4BE1-5DBD-CF1C-E7DB-13BABB1AE884} - C:\WINDOWS\system32\atlee32.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPENABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...5e012/enter.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
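The two HijackThis logs in posts #25 and #30 can be triaged mechanically, and comparing them shows what changed between the scans. R0/R1 entries whose value is a `res://` URL into a DLL under C:\WINDOWS (maxni.dll here) are the search hijack the poster still sees; an O2 BHO with "(file missing)" is a leftover registration; and an O23 service with "Unknown owner", a missing image file and a short name made of non-ASCII characters is the entry the earlier posts were trying to delete. The script below is an added example, not the thread's own or HijackThis' own code; the log samples are copied from the two posts above and trimmed to the relevant entries, and the flagging heuristics are this example's own, not HijackThis rules.

```python
import re

# Entries copied from the two HijackThis logs posted above (scans of 9/2/2005
# and 9/5/2005), trimmed to the lines that matter for the comparison.
LOG_SEP2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maxni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maxni.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C50E4BE1-5DBD-CF1C-E7DB-13BABB1AE884} - C:\WINDOWS\system32\atlee32.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipnf32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

LOG_SEP5 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\maxni.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\maxni.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C50E4BE1-5DBD-CF1C-E7DB-13BABB1AE884} - C:\WINDOWS\system32\atlee32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


def looks_garbage(name):
    """Service short names built from non-ASCII or punctuation are a disguise, not a product name."""
    return any(not (ch.isascii() and (ch.isalnum() or ch in " _-.")) for ch in name)


def triage_hjt(log_text):
    """Return [(entry line, [reasons])] for the HijackThis entries worth a second look."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if line.startswith(("R0 - ", "R1 - ")) and " = " in line:
            value = line.split(" = ", 1)[1]
            if value.lower().startswith("res://"):
                reasons.append("IE search/start setting is served from a local res:// DLL")
        elif line.startswith("R3 - ") and "missing" in line:
            reasons.append("default URLSearchHook has been removed")
        elif line.startswith("O2 - BHO: "):
            name = line[len("O2 - BHO: "):].split(" - ", 1)[0].strip()
            if "(file missing)" in line:
                reasons.append("BHO is registered but its DLL is gone")
            if name in ("", "Class", "(no name)"):
                reasons.append("BHO carries no meaningful name")
        elif line.startswith("O23 - Service: "):
            # "display (short) - owner - image path"; split from the right so the
            # display name may itself contain " - " or parentheses
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                display, owner, path = parts
                short = re.search(r"\((.*)\)$", display)
                if owner == "Unknown owner":
                    reasons.append("service has no vendor information")
                if "(file missing)" in path:
                    reasons.append("service image path does not exist")
                if short and looks_garbage(short.group(1)):
                    reasons.append("service short name is non-ASCII/garbage")
        if reasons:
            flagged.append((line, reasons))
    return flagged


def compare_scans(before, after):
    """Flagged entries that vanished between two scans, and those that persist."""
    old = dict(triage_hjt(before))
    new = dict(triage_hjt(after))
    return {
        "cleared": sorted(set(old) - set(new)),
        "remaining": sorted(new),
        "appeared": sorted(set(new) - set(old)),
    }


if __name__ == "__main__":
    for line, why in triage_hjt(LOG_SEP2):
        print(line[:70], "->", "; ".join(why))
    delta = compare_scans(LOG_SEP2, LOG_SEP5)
    print("cleared between scans:", len(delta["cleared"]))
    print("still present:", len(delta["remaining"]))
```

On these samples the rogue O23 service is the only flagged entry that is gone in the second log, while every res://maxni.dll entry and the orphaned BHO persist, which matches the poster's report that the search hijack was still there. The comparison pattern is worth keeping for any before/after cleanup: it separates what a tool actually removed from what only stopped being visible.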





