ad.yieldmanager.com [RESOLVED]



#1
cyrawhite
Member, 96 posts
I keep getting these popups from http://ads.yieldmanager.com. I'm trying to get rid of them. I also keep getting other Internet Explorer popups, and registry cleaner popups. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:21:38 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\tttr\brst.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasear...arch.php?ref=sb
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.lztmoacnm...JylOkJb/I.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [rabujof] C:\WINDOWS\rabujof.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [PAGaUA6] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [kGfJZb8N] C:\documents and settings\cyramitchell\local settings\temp\kGfJZb8N.exe
O4 - HKLM\..\Run: [ggRZ] C:\documents and settings\cyramitchell\local settings\temp\ggRZ.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CBC] C:\documents and settings\cyramitchell\local settings\temp\CBC.exe
O4 - HKLM\..\Run: [s] C:\documents and settings\cyramitchell\local settings\temp\s.exe
O4 - HKLM\..\Run: [K04W
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Qkkhiecv] C:\Program Files\Agfemc\Kmpp.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [K0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [K0]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [ZZQqTwr.exe] c:\windows\system32\ZZQqTwr.exe
O4 - HKLM\..\Run: [update] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\Run: [rPXhaw1EF] C:\windows\system32\rPXhaw1EF.exe
O4 - HKLM\..\Run: [K0@]"K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [ZEFHX1ow] C:\PROGRA~1\voqxsqxv\d0RDAsBN.exe
O4 - HKLM\..\Run: [dMFJYAow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RIVJY5Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cEpGTAow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZAFGW1ox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bQ0GXkEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZYFHWcUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ak0HSwov] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cMVJZ1ox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [awVGV9Uw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YAVJU9Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ewFJTcov] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YwVGT51v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RwVGSAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dEFGR11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dAFJUgEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dEpHZA1v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [aYpGWAov] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bkFHZ1Ex] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dQFJZAUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fA0HQcUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RgVJU1ow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YwFGYo1w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YMFGQo1w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dE0GT11x] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cYVJTs1x] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fAFHUAEx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QQVGVAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cIFJX9Uw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZgFHV51w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [aEpHU9Ew] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cIFGU51v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YEVJSkEx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fQ0GWwUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZEFHRgUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [eYFJWs1w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZkVHZgUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QE0HQwUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Rg0GSwEx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fgFHU11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [egVJRwow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YQFGT1Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bUVHYoEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bk0HQ11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YQVHQwox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dAFGRwUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QAVJUcEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RI0GQ9Ex] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [ZQFHY11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dQVHUg1v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [egpHV9Uw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [egFGS11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [bgVJT1ox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QIFHVcUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZMFJUAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [deletemailmemostore] C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\remote hope.exe
O4 - HKLM\..\Run: [ZMFJXoUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ak0GT5Ew] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [CakeRoamNurbStart] C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\Ante Safe.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Grey link] C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\16 Web Third.exe
O4 - HKCU\..\Run: [Dict] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Srno] C:\Program Files\tttr\brst.exe
O4 - Global Startup: LimeWire 4.0.7.lnk = C:\Program Files\LimeWire\LimeWire 4.0.7\LimeWire.exe
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aplsp.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...nnerInstall.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Any help would be greatly appreciated!



#2
Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,130 posts
Hello Cyra and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated; in fact this is the worst log I have seen for quite a while. You are in danger of losing your internet access, so I'll deal with that part first. Let's see what we can do with the first sweep.

Firstly, could you please disable Microsoft Antispyware from running during the fix; it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled), then click on Disable Real-time Protection. To re-enable it, you follow the same steps but click on Enable Real-time Protection.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSP Fix
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you should see one or more instances of aplsp.dll
5. Select every instance of aplsp.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

Now that part is over, and hopefully you can see this web page, let's continue.

To start, please download the following programmes; we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CWShredder
CCleaner
Ewido Security Suite
Ad-Aware
cwsserviceemove.reg file

Install Ad-Aware and launch it.

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next; let it fix everything it asks about.

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
Now that the updates have been installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If Ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasear...arch.php?ref=sb
O3 - Toolbar: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [rabujof] C:\WINDOWS\rabujof.exe
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [PAGaUA6] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [kGfJZb8N] C:\documents and settings\cyramitchell\local settings\temp\kGfJZb8N.exe
O4 - HKLM\..\Run: [ggRZ] C:\documents and settings\cyramitchell\local settings\temp\ggRZ.exe
O4 - HKLM\..\Run: [s] C:\documents and settings\cyramitchell\local settings\temp\s.exe
O4 - HKLM\..\Run: [K04W
}z [ 8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [Qkkhiecv] C:\Program Files\Agfemc\Kmpp.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [K0@]" iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [K0]" igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [ZZQqTwr.exe] c:\windows\system32\ZZQqTwr.exe
O4 - HKLM\..\Run: [update] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\Run: [rPXhaw1EF] C:\windows\system32\rPXhaw1EF.exe
O4 - HKLM\..\Run: [K0@]" K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmqwiun.exe
O4 - HKLM\..\Run: [ZEFHX1ow] C:\PROGRA~1\voqxsqxv\d0RDAsBN.exe
O4 - HKLM\..\Run: [dMFJYAow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RIVJY5Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cEpGTAow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZAFGW1ox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bQ0GXkEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZYFHWcUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ak0HSwov] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cMVJZ1ox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [awVGV9Uw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YAVJU9Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ewFJTcov] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YwVGT51v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RwVGSAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dEFGR11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dAFJUgEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dEpHZA1v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [aYpGWAov] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bkFHZ1Ex] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dQFJZAUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fA0HQcUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RgVJU1ow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YwFGYo1w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YMFGQo1w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dE0GT11x] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cYVJTs1x] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fAFHUAEx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QQVGVAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cIFJX9Uw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZgFHV51w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [aEpHU9Ew] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [cIFGU51v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YEVJSkEx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fQ0GWwUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZEFHRgUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [eYFJWs1w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZkVHZgUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QE0HQwUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Rg0GSwEx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [fgFHU11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [egVJRwow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YQFGT1Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bUVHYoEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bk0HQ11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [YQVHQwox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dAFGRwUx] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QAVJUcEw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RI0GQ9Ex] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZQFHY11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dQVHUg1v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [egpHV9Uw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [egFGS11v] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [bgVJT1ox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [QIFHVcUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZMFJUAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [deletemailmemostore] C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\remote hope.exe
O4 - HKLM\..\Run: [ZMFJXoUw] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ak0GT5Ew] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [CakeRoamNurbStart] C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\Ante Safe.exe
O4 - HKCU\..\Run: [Grey link] C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\16 Web Third.exe
O4 - HKCU\..\Run: [Dict] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Srno] C:\Program Files\tttr\brst.exe
O4 - Global Startup: LimeWire 4.0.7.lnk = C:\Program Files\LimeWire\LimeWire 4.0.7\LimeWire.exe
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...nnerInstall.cab

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip the cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\
C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\
C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\
C:\Program Files\LimeWire\
C:\PROGRA~1\voqxsqxv\

Close Windows Explorer and reboot normally.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\tttr\brst.exe
C:\Program Files\Window Active\winactive.exe
C:\WINDOWS\rabujof.exe
C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
C:\WINDOWS\cmqwiun.exe
C:\WINDOWS\wdskctl.exe
C:\documents and settings\cyramitchell\local settings\temp\kGfJZb8N.exe
C:\documents and settings\cyramitchell\local settings\temp\ggRZ.exe
C:\documents and settings\cyramitchell\local settings\temp\s.exe
C:\Program Files\Agfemc\Kmpp.exe
c:\windows\system32\ZZQqTwr.exe
C:\WINDOWS\System32\update.exe
C:\windows\system32\rPXhaw1EF.exe
c:\windows\system32\aplsp.dll


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default settings in the left-hand pane, then Analyze and Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log and I will take another look.
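An added triage script (my own example; it is not part of this thread and not a feature of HijackThis or any of the tools named above) that reads log lines in the format posted in #1 and flags the three patterns Crustyoldbloke is acting on in the reply above: an unknown module in the Winsock LSP chain (O10 lines), Run entries that launch from a temp folder or many randomly named Run entries pointing at one and the same binary (O4 lines), and toolbars whose file is missing (O3 lines). The sample lines are a constructed subset shaped like the log in post #1; the threshold of three Run names per binary and the severity labels are my own assumptions, not anything the thread states.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's own tool)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the shape of the log posted in #1.
SAMPLE_LOG = r"""
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [kGfJZb8N] C:\documents and settings\cyramitchell\local settings\temp\kGfJZb8N.exe
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [dMFJYAow] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [RIVJY5Ux] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aplsp.dll
"""

# Line shapes as HijackThis 1.99 prints them (O4 Run keys, O3 toolbars, O10 LSP entries).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.*)$")

# Heuristics (my assumptions): autoruns from a temp folder are suspicious, and a single
# binary registered under three or more different Run names is a persistence pattern.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\")
SHARED_TARGET_THRESHOLD = 3


def executable_of(command):
    """Return the lower-cased binary path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    # Unquoted paths may contain spaces, so cut at the file extension rather than at a space.
    m = re.match(r"(.*?\.(?:exe|dll|com|bat))(?:\s|$)", command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def parse_run_entries(log_text):
    """Collect O4 Run entries as dicts of hive, value name and command line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries.append({"hive": hive, "name": name, "command": command})
    return entries


def triage(log_text):
    """Return findings as (severity, reason, subject, detail) tuples."""
    findings = []
    targets = defaultdict(set)  # binary path -> set of Run value names pointing at it
    for e in parse_run_entries(log_text):
        exe = executable_of(e["command"])
        targets[exe].add(e["name"])
        if any(marker in exe for marker in TEMP_MARKERS):
            findings.append(("high", "autorun from temp folder", e["name"], exe))
    for exe, names in targets.items():
        if len(names) >= SHARED_TARGET_THRESHOLD:
            reason = f"{len(names)} Run entries point at one binary"
            findings.append(("high", reason, ", ".join(sorted(names)), exe))
    lsp_seen = set()  # HijackThis repeats the O10 line once per LSP catalog entry
    for line in log_text.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            path = m.group(1).strip().lower()
            if path not in lsp_seen:
                lsp_seen.add(path)
                findings.append(("critical", "unknown Winsock LSP module", "O10", path))
        m = O3_RE.match(line.strip())
        if m and m.group(3).strip() == "(no file)":
            findings.append(("low", "orphaned toolbar CLSID", m.group(2), "(no file)"))
    return findings


if __name__ == "__main__":
    for severity, reason, subject, detail in triage(SAMPLE_LOG):
        print(f"[{severity:8}] {reason}: {subject} -> {detail}")
```

To triage a real log, read the saved HijackThis text file and pass its contents to triage(). The O10 finding is the one to deal with first, as the reply above does: an LSP module is loaded into every process that uses Winsock, so deleting the file without first removing it from the catalog (the LSP Fix step) breaks networking.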

#3
cyrawhite
Topic Starter, Member, 96 posts
Thanks for your help. Here is my latest log. I haven't received any of those ad.yieldmanager.com popups. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 2:02:35 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.doyiffjjv...qlqxMnANAp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.lztmoacnm...JylOkJb/I.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CBC] C:\documents and settings\cyramitchell\local settings\temp\CBC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZMFJUAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Thanks again.

#4
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Cyra

I wish I could have seen the Ewido report as requested. If you still have it saved, please include it in your next reply. If you don't have it, I will just guess and err on the side of safety.

Please ensure that you disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled), then click on Disable Real-time Protection. To re-enable it, you follow the same steps but click on Enable Real-time Protection.

Spyware Begone is also running. Please disable this programme too. You may like to read this article also: http://www.spywarewa...nti-spyware.htm

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.doyiffjjv...qlqxMnANAp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [ZMFJUAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start >My Computer)

You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:
*Downloaded Program Files
*Temporary Internet Files
*Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and I will take another look.
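Several of the entries Crustyoldbloke picked out above share traits a log reader looks for: Run values whose names and folders are generated strings, the same binary registered under two Run values, and IE start/search pages pointing at random-looking hosts. The following is an added example that encodes those traits as heuristics and runs them over a subset of the posted log. It is editor's code, not HijackThis and not from anyone in this thread, and the thresholds (a consonant run of five letters, a case-flip ratio of 0.5, a six-character minimum for a name to be judged) are assumptions for a first pass, not established signatures.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread; it is the editor's code, not HijackThis
code and not part of Crustyoldbloke's post. The sample lines are copied
from the log posted above, with the forum's "..." URL elisions kept; the
thresholds are assumptions chosen so a first pass surfaces the entries a
helper would look at first. A flag is a reason to look, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the R0/R1/O4/O16 lines from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.doyiffjjv...qlqxMnANAp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [CBC] C:\documents and settings\cyramitchell\local settings\temp\CBC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ZMFJUAox] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
"""

VOWELS = set("aeiou")
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'"?(?P<exe>.*?\.exe)', re.IGNORECASE)
URL_RE = re.compile(r'https?://\S+')
PROGFILES_RE = re.compile(r'(?:program files|progra~1)\\([^\\]+)\\', re.IGNORECASE)


def longest_consonant_run(token):
    """Longest run of consecutive consonant letters; digits, punctuation
    and spaces end a run, and 'y' counts as a consonant."""
    best = run = 0
    for ch in token.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def case_flips(token):
    """Fraction of adjacent alphanumerics that switch between lower-case,
    upper-case and digit. Real names flip at word boundaries only;
    generated names such as cQpGQ11w flip at most positions."""
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l"
               for c in token if c.isalnum()]
    if len(classes) < 2:
        return 0.0
    return sum(a != b for a, b in zip(classes, classes[1:])) / len(classes)


def looks_random(token, max_run=5, max_flip=0.5):
    """Assumed heuristic: a name reads as generated if it carries a
    consonant run of max_run letters or flips class at max_flip of its
    positions. Labels shorter than six characters ('www', 'Java') pass."""
    if len(token) < 6:
        return False
    return longest_consonant_run(token) >= max_run or case_flips(token) >= max_flip


def host_labels(url):
    """Dot-separated labels of a URL's host; the forum's '...' elision
    leaves empty labels, which are dropped."""
    host = re.sub(r'^https?://', '', url).split('/', 1)[0]
    return [label for label in host.split('.') if label]


def triage(log_text):
    """Map each log line worth a second look to its list of reasons."""
    findings = defaultdict(list)
    by_target = defaultdict(list)   # lower-cased exe path -> lines using it
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        for url in URL_RE.findall(line):          # R0/R1 hijacks, O16 DPF
            for label in host_labels(url):
                if looks_random(label):
                    findings[line].append(f"hostname label '{label}' looks generated")
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        exe_m = EXE_RE.match(cmd)
        exe = exe_m.group('exe') if exe_m else cmd
        stem = exe.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        folder = PROGFILES_RE.search(exe)
        by_target[exe.lower()].append(line)
        if re.search(r'\\temp\\', exe, re.IGNORECASE):
            findings[line].append("runs from a temp directory")
        if looks_random(name):
            findings[line].append(f"Run value name '{name}' looks generated")
        if folder and looks_random(folder.group(1)):
            findings[line].append(f"Program Files folder '{folder.group(1)}' looks generated")
        # Vendor binaries are often vowel-less abbreviations (mcmnhdlr), so
        # only the case-flip signal is applied to the file name itself.
        if case_flips(stem) >= 0.5:
            findings[line].append(f"executable name '{stem}' looks generated")
    for lines in by_target.values():
        if len(lines) > 1:
            for line in lines:
                findings[line].append(f"same target registered under {len(lines)} Run values")
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```

Run against the posted lines it surfaces both voqxsqxv Run values (generated name, generated folder, generated file name, and one binary behind two Run values), both IE hijacks, and the [CBC] entry that launches from the user's temp directory, which is not on the fix list above; the McAfee, Java and Spyware Begone entries are left alone. The two worldwinner game controls also listed for removal are a judgement about unwanted ActiveX content that no name heuristic captures, and a scanner such as Ewido works from signatures rather than from names, so this is a reading aid, not a replacement for either.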

#5
cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
I tried everything again. Thanks, here is the Ewido report and the HijackThis report.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:48:02 PM, 9/1/2005
+ Report-Checksum: 5DB9F582

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Services\WinIK -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+, -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,- -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-. -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123 -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$ -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$% -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%& -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&' -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'( -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'() -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()* -> Spyware.CommonName : Error during cleaning
C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys -> Trojan.Rootkit.Agent.q : Error during cleaning
C:\Program Files\voqxsqxv\cnml.exe -> Spyware.CommonName : Error during cleaning
C:\Documents and Settings\cyramitchell\Local Settings\Temp\!update.exe -> TrojanDownloader.PurityScan.ai : Cleaned with backup
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\1QY0X3PF\!update-2495[1].0000 -> TrojanDownloader.PurityScan.ai : Cleaned with backup
C:\Documents and Settings\cyramitchell\Cookies\cyramitchell@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\cyramitchell\Cookies\cyramitchell@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108461.exe -> TrojanDownloader.PurityScan.ah : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 8:01:59 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ghjzcahnw...9qlqxMnANAp.jsp
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.lztmoacnm...JylOkJb/I.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\a
  • 0

#6
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Cyra

That Ewido log is scary, and I'm afraid only a partial HJT log is posted, so I can't see too much from it. However, Ewido points to a rootkit infection, so we'd best find it. Please ensure you run this tool in normal mode.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Could I also have a fresh, full HJT log please?
  • 0

#7
cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Here is the Rootkit Revealer information. Below that you will find a new HJT log. Thanks.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/2/2005 8:54 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 9/2/2005 8:54 AM 16 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\cyramitchell\Cookies\cyramitchell@msn[1].txt 9/2/2005 9:04 AM 537 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Cookies\cyramitchell@msn[2].txt 9/2/2005 7:35 AM 538 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\cyramitchell\Cookies\cyramitchell@stats1.reliablestats[1].txt 9/2/2005 8:59 AM 528 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Cookies\cyramitchell@winfixer[2].txt 9/2/2005 8:58 AM 141 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\063LIF2Y\checksoft[1].js 9/2/2005 8:58 AM 1.77 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\063LIF2Y\ico2[1].gif 9/2/2005 8:59 AM 307 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\063LIF2Y\spacer[1].gif 9/2/2005 8:58 AM 43 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\063LIF2Y\top1[1].gif 9/2/2005 8:59 AM 347 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\GZLC8QQ6\bar[1].gif 9/2/2005 8:58 AM 5.33 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\GZLC8QQ6\ico1[1].gif 9/2/2005 8:59 AM 137 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\GZLC8QQ6\ico5[1].gif 9/2/2005 8:59 AM 294 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\GZLC8QQ6\top_pic_new[1].gif 9/2/2005 8:58 AM 7.29 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\M70B57S7\ico3[1].gif 9/2/2005 8:59 AM 303 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\M70B57S7\styles[1].css 9/2/2005 8:58 AM 4.57 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\M70B57S7\top1_menu[1].gif 9/2/2005 8:59 AM 1.36 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\M70B57S7\win_fixer_banner[1].swf 9/2/2005 8:59 AM 4.56 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\XSSF9ZJM\button2[1].gif 9/2/2005 8:59 AM 4.08 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\XSSF9ZJM\functions.js[1].htm 9/2/2005 8:58 AM 1.14 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\XSSF9ZJM\ico4[1].gif 9/2/2005 8:59 AM 232 bytes Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\XSSF9ZJM\index[3].htm 9/2/2005 8:58 AM 7.24 KB Hidden from Windows API.
C:\Documents and Settings\cyramitchell\Local Settings\Temporary Internet Files\Content.IE5\XSSF9ZJM\logo[1].gif 9/2/2005 8:59 AM 3.52 KB Hidden from Windows API.


Logfile of HijackThis v1.99.1
Scan saved at 9:43:31 AM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\CYRAMI~1\LOCALS~1\Temp\Temporary Directory 1 for RootkitRevealer.zip\RootkitRevealer.exe
C:\DOCUME~1\CYRAMI~1\LOCALS~1\Temp\Temporary Directory 2 for RootkitRevealer.zip\RootkitRevealer.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.lztmoacnm...JylOkJb/I.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CBC] C:\documents and settings\cyramitchell\local settings\temp\CBC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Grey link] C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\16 Web Third.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0
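Why a helper can look at the RootkitRevealer output above and see little of concern is easier to follow with a small triage script. The following Python is an added example written for this page, not a tool from the thread or from Sysinternals: it parses lines in RootkitRevealer's saved-report format and sorts each discrepancy into one that has a mundane explanation (registry values rewritten so often that the API read and the raw hive read disagree, and browser cookie or cache files that are being rewritten while the scan runs) or one that deserves a look (anything hidden under system32\drivers or the Services key). The sample report, the file names in it and the list of volatile values are constructed assumptions of the example, modelled on the output posted above; the classification is a heuristic of the example, not RootkitRevealer's own.

```python
"""Triage RootkitRevealer discrepancies into 'expected' and 'review'.

Added example for this thread. The volatile-value list and the folder
list are heuristics assumed by the example, not RootkitRevealer's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in RootkitRevealer's report format:
#   <path> <date> <time> <size> <description>
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/2/2005 8:54 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 9/2/2005 8:54 AM 16 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\user\Cookies\user@example[2].txt 9/2/2005 8:58 AM 141 bytes Hidden from Windows API.
C:\Documents and Settings\user\Cookies\user@example[1].txt 9/2/2005 7:35 AM 538 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\index[3].htm 9/2/2005 8:58 AM 7.24 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\sample.sys 9/2/2005 8:50 AM 24.00 KB Hidden from Windows API.
HKLM\SYSTEM\CurrentControlSet\Services\sample 9/2/2005 8:50 AM 0 bytes Hidden from Windows API.
"""

# Path is non-greedy so that it stops right before the date field.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\S+ (?:bytes|KB|MB|GB)) "
    r"(?P<desc>.+)$"
)

# Registry values rewritten so often that the API read and the raw hive
# read race each other (heuristic list, an assumption of this example).
VOLATILE_VALUES = ("\\cryptography\\rng\\seed", "\\schedulingagent\\lasttaskrun")

# Folders the browser rewrites while a scan is running.
CHURNING_DIRS = ("\\cookies\\", "\\temporary internet files\\")


@dataclass
class Finding:
    path: str
    size: str
    desc: str
    bucket: str   # "expected" or "review"
    reason: str


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None for anything that is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    low = path.lower()
    if any(low.endswith(v) for v in VOLATILE_VALUES):
        bucket, reason = "expected", "value changes between API and raw hive reads"
    elif any(d in low for d in CHURNING_DIRS):
        bucket, reason = "expected", "browser cookie/cache churn during the scan"
    else:
        bucket, reason = "review", "unexplained discrepancy: " + m.group("desc")
    return Finding(path, m.group("size"), m.group("desc"), bucket, reason)


def triage(report: str) -> Dict[str, List[Finding]]:
    """Sort every parsable line of a report into the two buckets."""
    buckets: Dict[str, List[Finding]] = {"expected": [], "review": []}
    for line in report.splitlines():
        finding = parse_line(line)
        if finding is not None:
            buckets[finding.bucket].append(finding)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("review", "expected"):
        print(f"== {bucket} ==")
        for f in result[bucket]:
            print(f"{f.path}  [{f.size}]  {f.reason}")
```

Run as a script it prints the two buckets for the constructed sample; on a real rootkitrevealer.txt the "review" bucket is the part worth pasting into a thread like this one. Anything that lands there because it sits under system32\drivers or a Services key is exactly the pattern the Ewido log earlier in the thread reported for winik.sys.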

#8
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Cyra

Nothing spectacular from RootKit Revealer, which is strange since Ewido was full of bad stuff. Please confirm that this is a single identity PC.

Please visit Kaspersky for an online scan. Please submit the log in your reply.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.lztmoacnm...JylOkJb/I.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [CBC] C:\documents and settings\cyramitchell\local settings\temp\CBC.exe
O4 - HKCU\..\Run: [Grey link] C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\16 Web Third.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\
C:\PROGRA~1\voqxsqxv\

Please delete these files (if present) using Windows Explorer:

C:\documents and settings\cyramitchell\local settings\temp\CBC.exe

Close Windows Explorer and reboot normally.

Please delete your temporary files.

Double-click My Computer (WinXP: navigate to Start > My Computer).

You will see an icon representing your hard drive (most likely the C: drive). Right-click on the hard drive icon and click Properties at the bottom of the fly-out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"; click that button.

Make sure the following are checked:
  • Downloaded Program Files
  • Temporary Internet Files
  • Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start > Run, type in %temp%, hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and I will take another look.
  • 0
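The O4 entries the helper picked out above share two tells: an auto-start that launches from the user's temp or Application Data folder, or one whose Run value name looks machine-generated. As an added example (not code from the thread or from HijackThis), this Python parses O4 lines in HijackThis's log format, extracts the executable path even when it is quoted or contains spaces, and applies those two checks. The sample lines are copied from the log posted in this thread; the folder list and the random-name heuristic are assumptions of the example and will need tuning on other logs.

```python
"""Triage the O4 (registry auto-start) lines of a HijackThis log.

Added example for this thread; the heuristics below are assumptions of
the example, not a classification HijackThis itself performs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CBC] C:\documents and settings\cyramitchell\local settings\temp\CBC.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Grey link] C:\DOCUME~1\CYRAMI~1\APPLIC~1\GREATD~1\16 Web Third.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable = optional opening quote, shortest run up to ".exe", optional
# closing quote, then whitespace or end of line (so unquoted paths with
# spaces are kept whole and arguments are dropped).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Folders an auto-start entry should not normally launch from (scratch or
# profile space), in long and 8.3 short-name forms. Heuristic list.
PROFILE_DIRS = ("\\local settings\\temp\\", "\\locals~1\\temp\\",
                "\\application data\\", "\\applic~1\\",
                "\\documents and settings\\", "\\docume~1\\")


@dataclass
class AutoStart:
    hive: str
    key: str
    name: str
    exe: str
    verdict: str   # "ok", "check" or "suspicious"
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic: digits plus mixed case and no spaces (e.g. 'cQpGQ11w')
    is rarely a value name a vendor chose."""
    return (" " not in name
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def parse_o4(line: str) -> Optional[AutoStart]:
    """Parse one registry-style O4 line; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    e = EXE_RE.match(cmd)
    exe = e.group("exe") if e else cmd
    low = exe.lower()
    if looks_random(m.group("name")):
        verdict, reason = "suspicious", "random-looking value name"
    elif any(d in low for d in PROFILE_DIRS):
        verdict, reason = "suspicious", "launches from a user profile or temp folder"
    elif "\\" not in exe:
        verdict, reason = "check", "unqualified filename, resolved via PATH"
    else:
        verdict, reason = "ok", "launches from a program directory"
    return AutoStart(m.group("hive"), m.group("key"), m.group("name"), exe, verdict, reason)


def triage_log(text: str) -> List[AutoStart]:
    """Return an AutoStart record for every O4 registry entry in the log."""
    return [a for a in (parse_o4(l) for l in text.splitlines()) if a is not None]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry.verdict:10} {entry.hive}\\..\\{entry.key} [{entry.name}] {entry.exe}  ({entry.reason})")
```

Run as a script it prints one verdict per entry; the three it marks suspicious are the same three the helper listed for Fix Checked. The "check" verdict for a bare filename such as SysTray.Exe only says the path is unqualified, so what actually runs depends on the search path; that is worth confirming rather than fixing blindly.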

#9
cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Hello again. I tried deleting C:\PROGRA~1\voqxsqxv\, but it said it was protected. The only users on the computer are myself and administrator (guest), but we never use it. My husband used to have a profile, but doesn't any more. Here are the latest logs.

This is from Kaspersky:
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 02, 2005 17:23:03
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/09/2005
Kaspersky Anti-Virus database records: 138693
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\CYRAMI~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 16996
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 2406 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys Infected: Rootkit.Win32.Agent.q
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\screload-mamma.exe Infected: Trojan-Downloader.Win32.Vivia.l
C:\WINDOWS\Downloaded Program Files\screload-mamma.exe Infected: Trojan-Downloader.Win32.Vivia.l
C:\DOCUME~1\CYRAMI~1\LOCALS~1\Temp\htkvfsax.exe Infected: Trojan-Downloader.Win32.Swizzor.co

Scan process completed.

Here is the HJT report:
Logfile of HijackThis v1.99.1
Scan saved at 5:50:57 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#10
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Cyra

Firstly, could you please disable Ewido Guard from running during the fix; it may just hinder our attempts to change anything.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\screload-mamma.exe
C:\WINDOWS\Downloaded Program Files\screload-mamma.exe
C:\DOCUME~1\CYRAMI~1\LOCALS~1\Temp\htkvfsax.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.

#11
cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Here is the latest log. For some reason I can't get rid of Netscape and that other one. I disabled Ewido, but it is still showing up in the processes in the HJT log. Thanks again. I notice my computer is running a lot better also.

Logfile of HijackThis v1.99.1
Scan saved at 9:33:52 AM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#12
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Don't worry about the Ewido entry in the running processes; that's just the updater and not the guard. BTW, Spyware Begone is a rogue programme. Have a look: http://www.spywarewa...nti-spyware.htm

The Netscape entry is OK now that the rubbish has gone, but we can try one more time if you don't want it. The Trojan seems resistant. What happens when you try to delete the folder?

Anyway, we appear to be winning. I want to use Killbox again in all three modes: Standard File Kill, Delete on Reboot, and Replace on Reboot with Use Dummy. One of them should work.

Please set your system to show all files; please see here if you're unsure how to do this.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following file and folder, and delete the file first and then the folder:

C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe

Exit Explorer, and reboot as normal afterwards.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Standard File Kill, Delete on Reboot, Replace on Reboot use Dummy option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post another fresh HJT log please.

#13
cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Hi. Here is what I get when I try to delete C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe: it says the file doesn't exist, access denied. I look under the folder voqxsqxv and can't find ZYwCE8hM.exe, but it still keeps coming up. Here is my latest log. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:44 AM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#14
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
It is almost as though something is protecting your registry. It is possible that the file does not exist, but then why is the registry not updating? You have disabled all the real-time runners. Let's try this:

Download: WinPFind

Right-click the zip folder and select "Extract All".

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder, double-click WinPFind.exe and click "Start Scan".

It will scan the entire System, so please be patient!

Once you see "Scan Complete", a log (WinPFind.txt) will be generated automatically in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt.
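The question raised in the post above (an O4 entry that survives "Fix checked" even though the file it points at cannot be found) is easiest to settle by diffing the logs mechanically rather than by eye. The script below is an added example for this thread, not part of the original posts and not HijackThis code: it parses two HJT logs, reports which ticked entries were removed, which came back and which are new, and applies a simple heuristic to O4 Run entries (a value name or parent folder with almost no vowels, or a file name HJT prints with a "?", which is how it renders a non-ASCII character such as the one in w?wexec.exe). The two sample logs are constructed from entries quoted in this thread and trimmed to a few lines; the function names and the vowel-ratio threshold are choices made for this example.

```python
"""Compare two HijackThis logs and flag suspicious Run entries (added example)."""
import re

# An HJT entry line starts with a section code (R0, R1, F2, N3, O4, O16, O23 ...)
# followed by " - "; header and process-list lines never match this.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - .*$")
# O4 lines look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entries(log_text):
    """Return the set of entry lines in a log (whitespace-trimmed)."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_hjt_logs(before, after, fixed):
    """Classify the entries that were ticked for 'Fix checked':
    removed (gone from 'after'), persisted (still/again in 'after'),
    and new (in 'after' but not in 'before')."""
    b, a = parse_entries(before), parse_entries(after)
    fixed = [f.strip() for f in fixed]
    return {
        "removed": sorted(f for f in fixed if f in b and f not in a),
        "persisted": sorted(f for f in fixed if f in a),
        "new": sorted(a - b),
    }


def looks_random(token, min_letters=5, max_vowel_ratio=0.15):
    """Heuristic (assumption of this example): a name with almost no vowels,
    such as voqxsqxv or cQpGQ11w, is probably generated. Only value names and
    folder names are tested; vendor file stems like mcvsshld.exe are often
    consonant-only and would false-positive."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < min_letters:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < max_vowel_ratio


def command_path(cmd):
    """Pull the executable path out of a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)  # unquoted path may contain spaces
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def suspicious_run_entries(log_text):
    """Return (value name, path, reasons) for O4 entries worth a second look."""
    flagged = []
    for ln in log_text.splitlines():
        m = O4_RE.match(ln.strip())
        if not m:
            continue
        name, path = m.group("name"), command_path(m.group("cmd"))
        parts = path.split("\\")
        parent = parts[-2] if len(parts) > 1 else ""
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if looks_random(parent):
            reasons.append("random-looking folder name")
        if "?" in parts[-1]:
            reasons.append("non-ASCII character in file name")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


# Constructed sample input: a few lines from the logs in this thread, before and after the fix.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""
AFTER_LOG = r"""
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
"""
# The four entries ticked in post #10.
FIXED = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zfextxleo...9qlqxMnANAp.php",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qhkclejupsrks...gmJylOkJb/I.php",
    r'N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)',
    r"O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe",
]

if __name__ == "__main__":
    for k, v in diff_hjt_logs(BEFORE_LOG, AFTER_LOG, FIXED).items():
        print(k, v)
    print(suspicious_run_entries(AFTER_LOG))
```

On the sample, the two R0/R1 hijacks come out as removed, the N3 and the cQpGQ11w O4 entry as persisted, and the O4 entry is the only one flagged (random value name and random folder name). An entry that is "persisted" right after a fix is the signal to stop fixing the registry and look for whatever is rewriting it, which is what the next post does with a file-system scan.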

#15
cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Here is what I got. Thanks


WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PTech 10/31/2003 11:27:58 PM H 2675742 C:\kyf.dat
UPX! 9/15/2003 6:35:46 PM 205824 C:\BundleWare.exe
UPX! 11/19/2003 10:16:42 PM 210944 C:\updt.exe
UPX! 11/23/2003 3:13:56 PM 249856 C:\winupdt.exe

Checking %ProgramFilesDir% folder...
UPX! 7/9/2004 7:27:34 PM 672776 C:\Program Files\DLM_2100004_ENU.exe

Checking %WinDir% folder...

Checking %System% folder...
PECompact2 8/4/2005 6:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 6:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 8/18/2003 11:00:08 AM 55467 C:\WINDOWS\SYSTEM32\KLLNVXYT.EXE
PEC2 3/31/2003 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 3/31/2003 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 6/15/2004 9:00:48 PM 51200 C:\WINDOWS\SYSTEM32\inetkwschk.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/3/2005 12:42:24 PM S 2048 C:\WINDOWS\bootstat.dat
8/30/2005 9:35:28 AM RHS 401408 C:\WINDOWS\SYSTEM32\w?wexec.exe
8/30/2005 6:20:54 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\2d01516c-6624-45b9-887e-d9f3bc3cf9cc
8/30/2005 6:20:56 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
7/29/2005 4:52:00 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/29/2005 4:52:00 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\dd1ea8a4-0bb2-425f-a0ff-9a7a3ecc36a8
9/3/2005 12:41:20 PM H 688128 C:\WINDOWS\SYSTEM32\config\system.LOG
9/3/2005 12:41:20 PM H 57344 C:\WINDOWS\SYSTEM32\config\software.LOG
9/3/2005 12:41:20 PM H 8192 C:\WINDOWS\SYSTEM32\config\default.LOG
9/3/2005 12:42:54 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
9/3/2005 12:42:24 PM H 16384 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
8/11/2005 3:03:52 AM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
8/19/2005 2:55:02 PM HS 102400 C:\WINDOWS\All Users\DRM\drmstore.hds
9/3/2005 12:00:02 PM H 254 C:\WINDOWS\Tasks\AFFB914B91840283.job
9/3/2005 12:40:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
9/3/2005 12:00:02 PM H 290 C:\WINDOWS\Tasks\A972B66B902D2843.job
9/3/2005 12:00:02 PM H 290 C:\WINDOWS\Tasks\E036D59597659BA5.job
7/23/2005 10:46:50 AM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_53.cab

Checking for CPL files...
RealNetworks, Inc. 5/26/2004 3:05:16 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Apple Computer, Inc. 6/20/2001 4:34:36 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/24/2003 8:38:10 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/24/2003 8:21:36 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/6/2005 11:37:54 AM 7454 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
12/24/2003 8:38:10 PM HS 84 C:\Documents and Settings\cyramitchell\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/24/2003 8:21:36 PM HS 62 C:\Documents and Settings\cyramitchell\Application Data\desktop.ini
7/23/2005 11:47:08 AM 49400 C:\Documents and Settings\cyramitchell\Application Data\GDIPFONTCACHEV1.DAT
PTech 6/6/2005 5:08:12 PM H 55244 C:\Documents and Settings\cyramitchell\Application Data\ptads.bin

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{BEE2AF47-86FF-4904-9F53-3150AF000826} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Microsoft SearchBand = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mc
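The left-hand column of the report above (UPX!, aspack, PECompact2, PEC2 ...) is a packer marker found in the file, and the report's own warning applies: a string match is not a verdict. The same file can show under two names (MRT.exe appears under both PECompact2 and aspack), because anything that carries those byte strings, for instance a scanner's own signature data, matches just as well as a packed binary. The script below is an added example, not WinPFind's code (its exact method is not shown on the page; a plain byte-string search is assumed here). It runs the string check next to a stronger one, reading the PE section table and looking for the section names that UPX (UPX0/UPX1) and ASPack (.aspack/.adata) write. The two samples are constructed in the script with a minimal PE-shaped header and are not loadable executables.

```python
"""Packer triage: marker-string search beside a PE section-name check (added example)."""
import struct

# Marker strings as they appear in the report's first column.
PACKER_MARKERS = {
    "UPX!": b"UPX!",
    "aspack": b"aspack",
    "PECompact2": b"PECompact2",
    "PEC2": b"PEC2",
}
# Section names these packers write into the files they produce.
PACKER_SECTIONS = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},
}


def marker_hits(data):
    """String search: every marker that occurs anywhere in the bytes."""
    return [name for name, needle in PACKER_MARKERS.items() if needle in data]


def section_names(data):
    """Return the section names from a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # COFF file header
    nsections, = struct.unpack_from("<H", data, coff + 2)  # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # section table start
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]     # 40-byte headers, 8-byte name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_from_sections(names):
    """Packers whose characteristic section names are present."""
    return sorted(p for p, secs in PACKER_SECTIONS.items() if secs & set(names))


def triage(data):
    """Both checks side by side, the way a reviewer of the report would read them."""
    secs = section_names(data)
    return {"markers": marker_hits(data), "sections": secs, "packers": packer_from_sections(secs)}


def build_fake_pe(sections, body=b""):
    """Construct a minimal PE-shaped byte string for the samples (not a real executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a UPX-packed layout, and a plain binary that merely
# carries packer strings in its data (the MRT.exe situation in the report).
PACKED_SAMPLE = build_fake_pe(["UPX0", "UPX1", ".rsrc"], body=b"UPX!" + b"\0" * 16)
CLEAN_TOOL_SAMPLE = build_fake_pe([".text", ".data", ".rsrc"],
                                  body=b"signature db: UPX! aspack PECompact2 end")

if __name__ == "__main__":
    print("packed:", triage(PACKED_SAMPLE))
    print("tool:  ", triage(CLEAN_TOOL_SAMPLE))
```

The packed sample matches on both checks; the tool sample matches three marker strings but has ordinary section names and no packer result, which is the distinction the report cannot make on its own. A real triage would go on to check the file's vendor signature and path, as the CPL listing above does with its company column.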