Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I need Help. Win Fixer is ticking me off [CLOSED]

Started by Yami Megami , Sep 05 2005 01:59 PM

This topic is locked

#1
Yami Megami

Posted 05 September 2005 - 01:59 PM

Member

Member
11 posts

I need to kill this thing... Win Fixer is messing up my computer and my mom ish gonna kill meh!

Logfile of HijackThis v1.99.1
Scan saved at 3:55:23 PM, on 09/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\pgkmtc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\hrpsc78u.exe
C:\WINDOWS\system32\??stem32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ueeu\adhp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\windows\system32\ppdxregp.exe
C:\WINDOWS\system32\rsysrr2d.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\NI.UWFX5\setup.exe
C:\Program Files\WinFixer 2005\WFX5.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\YWZ\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\WXQ\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\PYJ\aurareco.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\SDW\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\QTF\aurareco.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\ZNF\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\UWM\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\IBZ\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\GIH\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\MVC\aurareco.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\Temporary Directory 3 for VundoFix.zip\VundoFix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search...look=stmpl1&fw=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WebBho Class - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\se\v11\se.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Program Files\DealBar\BarLcher.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {B3F20DD8-9F63-C69E-47B5-C0D92B890EE7} - C:\WINDOWS\system32\acnt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar17.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
O4 - HKLM\..\Run: [qttjhgra] C:\WINDOWS\system32\vfpuxigw.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [hrpsc78u] C:\WINDOWS\system32\hrpsc78u.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [mdvfddw] C:\WINDOWS\system32\pgkmtc.exe r
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\ppdxregp.exe DO0605
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysrr2d.exe DO0605
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Rcl] C:\WINDOWS\system32\??stem32\wuauclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Program Files\WinFixer 2005\WFX5.exe" /scan
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysrr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ap1001_sp2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...52/QDow_AS2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/diamond.cab
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - http://fad-1107.nyc1...mviewer_101.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - AppInit_DLLs: repairs.dll,MsgPlusLoader.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o8480ihue8480.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#2
Trevuren

Posted 05 September 2005 - 02:01 PM

Old Dog

Retired Staff
18,699 posts

Hi Yami Megami and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

Click on My Controls at the top right hand corner of the window.
In the left hand column, click "View Topics"
If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

Run HijackThis
Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Regards,

Trevuren

#3
Yami Megami

Posted 05 September 2005 - 02:06 PM

Member

Topic Starter
Member
11 posts

Hello and thank you for helping me.

Logfile of HijackThis v1.99.1
Scan saved at 4:05:04 PM, on 09/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\pgkmtc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\hrpsc78u.exe
C:\WINDOWS\system32\??stem32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ueeu\adhp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\windows\system32\ppdxregp.exe
C:\WINDOWS\system32\rsysrr2d.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\NI.UWFX5\setup.exe
C:\Program Files\WinFixer 2005\WFX5.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\YWZ\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\WXQ\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\PYJ\aurareco.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\SDW\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\QTF\aurareco.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\ZNF\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\UWM\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\IBZ\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\GIH\aurareco.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\MVC\aurareco.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\RECOMM~1\v15\rh.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search...look=stmpl1&fw=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WebBho Class - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\se\v11\se.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Program Files\DealBar\BarLcher.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {B3F20DD8-9F63-C69E-47B5-C0D92B890EE7} - C:\WINDOWS\system32\acnt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar17.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
O4 - HKLM\..\Run: [qttjhgra] C:\WINDOWS\system32\vfpuxigw.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [hrpsc78u] C:\WINDOWS\system32\hrpsc78u.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [mdvfddw] C:\WINDOWS\system32\pgkmtc.exe r
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\ppdxregp.exe DO0605
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysrr2d.exe DO0605
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Rcl] C:\WINDOWS\system32\??stem32\wuauclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Program Files\WinFixer 2005\WFX5.exe" /scan
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysrr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ap1001_sp2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...52/QDow_AS2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/diamond.cab
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - http://fad-1107.nyc1...mviewer_101.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - AppInit_DLLs: repairs.dll,MsgPlusLoader.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o8480ihue8480.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#4
Trevuren

Posted 05 September 2005 - 02:18 PM

Old Dog

Retired Staff
18,699 posts

I think you have every program that is not recommended on your machine.

1. I want you to UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:

WinFixer 2005
MessengerPlus 3
TV Media
VBouncer
SurfSidekick3

2. Now, using Windows Explorer, I need you to DELETE the following folder(s) and all their content:

C:\Program Files\WinFixer 2005
C:\Program Files\TVMedia
C:\Program Files\VBouncer
C:\Program Files\SurfSidekick3
C:\Program Files\MessengerPlus3

3. Restart your system.

4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

#5
Yami Megami

Posted 05 September 2005 - 02:40 PM

Member

Topic Starter
Member
11 posts

I think I deleted everything heres my log:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:22 PM, on 09/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\jeaxsw.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\wdskctl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hrpsc78u.exe
C:\windows\system32\ppdxregp.exe
C:\WINDOWS\system32\rsysrr2d.exe
C:\WINDOWS\system32\??stem32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ueeu\adhp.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rsysrr2d.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\rsysrr2d.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search...look=stmpl1&fw=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WebBho Class - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\se\v11\se.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Program Files\DealBar\BarLcher.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: (no name) - {9D555CE2-9203-9AF1-7555-CB09861374E3} - C:\WINDOWS\system32\wqjee.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar17.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
O4 - HKLM\..\Run: [qttjhgra] C:\WINDOWS\system32\vfpuxigw.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [hrpsc78u] C:\WINDOWS\system32\hrpsc78u.exe
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\ppdxregp.exe DO0605
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysrr2d.exe DO0605
O4 - HKLM\..\Run: [ytcddtz] C:\WINDOWS\system32\jeaxsw.exe r
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Rcl] C:\WINDOWS\system32\??stem32\wuauclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysrr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ap1001_sp2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...52/QDow_AS2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/diamond.cab
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - http://fad-1107.nyc1...mviewer_101.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o8480ihue8480.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#6
Trevuren

Posted 05 September 2005 - 02:52 PM

Old Dog

Retired Staff
18,699 posts

You have the latest version of VX2.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe.
Click the Install button to extract the files and follow the prompts, then OPEN the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #"1" for Run Find Log by typing 1 and then pressing Enter.
This will scan your computer and it may appear as if nothing is happening, then, after a minute or 2, Notepad will open with a log.
Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Regards,

Trevuren

#7
Yami Megami

Posted 05 September 2005 - 02:56 PM

Member

Topic Starter
Member
11 posts

There you go

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o8480ihue8480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
38bn6kar.dll Thu Jul 21 2005 4:49:46p A.... 81,920 80.00 K
acnt.dll Tue Aug 30 2005 12:37:34p ..... 122,880 120.00 K
browseui.dll Sat Jul 2 2005 10:11:28p A.... 1,019,904 996.00 K
cdfview.dll Sat Jul 2 2005 10:11:28p A.... 151,040 147.50 K
icm32.dll Tue Jun 28 2005 9:46:00p A.... 254,976 249.00 K
iepeers.dll Sat Jul 2 2005 10:11:28p A.... 251,392 245.50 K
inseng.dll Sat Jul 2 2005 10:11:28p A.... 96,256 94.00 K
kerberos.dll Wed Jun 15 2005 1:49:30p A.... 295,936 289.00 K
mfc71.dll Wed Jul 6 2005 5:17:28p A.... 1,060,864 1.01 M
mscms.dll Tue Jun 28 2005 9:46:00p A.... 74,240 72.50 K
mshtml.dll Tue Jul 19 2005 10:00:30p A.... 3,014,144 2.87 M
mshtmled.dll Sat Jul 2 2005 10:11:30p A.... 448,512 438.00 K
msrating.dll Sat Jul 2 2005 10:11:30p A.... 146,432 143.00 K
msssc.dll Thu Jul 7 2005 8:08:24a A.... 44 0.04 K
msvcp71.dll Wed Jul 6 2005 5:17:28p A.... 499,712 488.00 K
msvcr71.dll Wed Jul 6 2005 5:17:28p A.... 348,160 340.00 K
pngfilt.dll Sat Jul 2 2005 10:11:30p A.... 39,424 38.50 K
repairs.dll Fri Aug 19 2005 11:00:40a A.... 77,312 75.50 K
shdocvw.dll Sat Jul 2 2005 10:11:30p A.... 1,483,776 1.41 M
shlwapi.dll Sat Jul 2 2005 10:11:30p A.... 473,600 462.50 K
tapisrv.dll Fri Jul 8 2005 12:27:56p A.... 249,344 243.50 K
umpnpmgr.dll Wed Jun 29 2005 10:02:40p A.... 118,272 115.50 K
urlmon.dll Sat Jul 2 2005 10:11:30p A.... 607,744 593.50 K
wininet.dll Sat Jul 2 2005 10:11:30p A.... 658,432 643.00 K
wqjee.dll Tue Aug 30 2005 12:39:00p A.... 122,880 120.00 K

25 items found: 25 files, 0 directories.
Total of file sizes: 11,697,196 bytes 11.15 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
tmpmpt1.tmp Mon Sep 5 2005 9:15:56a A.... 1,734 1.69 K

1 item found: 1 file, 0 directories.
Total of file sizes: 1,734 bytes 1.69 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is A477-F5B3

Directory of C:\WINDOWS\System32

09/01/2005 08:55 PM <DIR> dllcache
07/14/2005 02:19 PM 0 o8480ihue8480.dll
02/21/2003 11:51 AM <DIR> Microsoft
1 File(s) 0 bytes
2 Dir(s) 67,546,017,792 bytes free

#8
Trevuren

Posted 05 September 2005 - 03:05 PM

Old Dog

Retired Staff
18,699 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing "2" and then pressing ENTER.
Then press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer.
When it's finished, Notepad will open with a log.
Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards,

Trevuren

#9
Yami Megami

Posted 05 September 2005 - 03:14 PM

Member

Topic Starter
Member
11 posts

Log From Reboot

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1184 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1364 'rundll32.exe'

Scanning First Pass. Please Wait!

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1272 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 348 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 2%)
adding: desktop.ini (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 68%)
adding: LOGFILE.txt (128 bytes security) (deflated 24%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (stored 0%)
adding: test3.txt (188 bytes security) (stored 0%)
adding: test5.txt (188 bytes security) (stored 0%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 388 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 212 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (188 bytes security) (deflated 2%)
adding: cleanup.reg (188 bytes security) (deflated 45%)
updating: desktop.ini (188 bytes security) (stored 0%)
updating: lo2.txt (188 bytes security) (deflated 75%)
updating: LOGFILE.txt (128 bytes security) (deflated 24%)
updating: test.txt (188 bytes security) (stored 0%)
updating: test2.txt (188 bytes security) (stored 0%)
updating: test3.txt (188 bytes security) (stored 0%)
updating: test5.txt (188 bytes security) (stored 0%)
adding: AILog.txt (188 bytes security) (stored 0%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o8480ihue8480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************

#10
Yami Megami

Posted 05 September 2005 - 03:15 PM

Member

Topic Starter
Member
11 posts

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 5:14:22 PM, on 09/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\epwemwe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search...look=stmpl1&fw=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: WebBho Class - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\se\v11\se.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Program Files\DealBar\BarLcher.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: (no name) - {9D555CE2-9203-9AF1-7555-CB09861374E3} - C:\WINDOWS\system32\wqjee.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar17.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
O4 - HKLM\..\Run: [qttjhgra] C:\WINDOWS\system32\vfpuxigw.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [hrpsc78u] C:\WINDOWS\system32\hrpsc78u.exe
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\ppdxregp.exe DO0605
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysrr2d.exe DO0605
O4 - HKLM\..\Run: [jlxikkw] C:\WINDOWS\system32\epwemwe.exe r
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Rcl] C:\WINDOWS\system32\??stem32\wuauclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysrr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ap1001_sp2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...52/QDow_AS2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/diamond.cab
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - http://fad-1107.nyc1...mviewer_101.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o8480ihue8480.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#11
Trevuren

Posted 05 September 2005 - 03:22 PM

Old Dog

Retired Staff
18,699 posts

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

1. Download Ewido Security Suite.

2. Download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in.

Install Ad-Aware using the default options.
Then install vx2cleaner_inst.exe, using all the defaults there as well.

3. Run Ad-Aware

Update to the latest definitions
Then click on Add-ons in the lefthand column.
Select VX2 Cleaner V2.0 and click Run Tool. Click "OK".
If something is found, click "Clean" as in the directions given.
Click "Close", and EXIT Ad-Aware.

4. Reboot your PC and run Ad-Aware again.

This time, click on the Start button in Ad-Aware
Select "Perform smart system scan" and click Next.
Once the scan finishes, click "Next" again.
Select all objects found ("right click anywhere in the list of found objects and click "Select All Objects").
Click "Next" one more time, then "OK" to confirm the removal.
You will be prompted to set Ad-Aware to run on reboot, click "OK".
Exit Ad-Aware
REBOOT your PC
When Ad-Aware starts up, click on "Start", then "Next".
Follow the steps above if anything is found, or click "Finish", then EXIT Ad-Aware.

5. For a final cleanup, please install and run Ewido.

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

6. Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

Regards,

Trevuren

#12
Yami Megami

Posted 05 September 2005 - 04:46 PM

Member

Topic Starter
Member
11 posts

Sorry it took so long..Man that felt like 5 hours. Heres my Save Report... I wasnt sure on most of the stuff because I don't s'post to touch my mom's programs

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:41:05 PM, 09/05/2005
+ Report-Checksum: 4B595F3B

+ Scan result:

HKU\.DEFAULT\Software\intexp -> Spyware.IEPlugin : Ignored
HKU\.DEFAULT\Software\intexp\Config -> Spyware.IEPlugin : Ignored
HKU\.DEFAULT\Software\Updater -> Spyware.KeenValue : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\dsktb -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\dsktb\DesktopToolbar -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Hotbar -> Spyware.HotBar : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Hotbar\Hotbar -> Spyware.HotBar : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Hotbar\Hotbar\SF -> Spyware.HotBar : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00041A26-7033-432C-94C7-6371DE343822} -> Spyware.SearchEnhancement : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0421701D-CF13-4E70-ADF0-45A953E7CB8B} -> Spyware.SmartPops : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} -> Spyware.TVMedia : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC} -> Spyware.IEPlugin : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC90CDA0-74A0-45B4-80EF-D89CA8C249B8} -> Spyware.Dashbar : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Ignored
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Updater -> Spyware.KeenValue : Ignored
HKU\S-1-5-18\Software\intexp -> Spyware.IEPlugin : Ignored
HKU\S-1-5-18\Software\intexp\Config -> Spyware.IEPlugin : Ignored
HKU\S-1-5-18\Software\Updater -> Spyware.KeenValue : Ignored
[1764] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1376] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1636] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1632] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1684] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1704] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1996] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1864] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1100] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe -> Spyware.HotBar : Ignored
[1372] C:\WINDOWS\system32\hrpsc78u.exe -> Adware.Saha : Ignored
[368] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1496] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[984] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[1740] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[2160] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[2508] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
[2628] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@2o7[1].txt -> Spyware.Cookie.2o7 : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@advertising[1].txt -> Spyware.Cookie.Advertising : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Ignored
C:\Documents and Settings\steven kohler\Cookies\steven kohler@abetterinternet[3].txt -> Spyware.Cookie.Abetterinternet : Ignored
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][3].txt -> Spyware.Cookie.Yieldmanager : Ignored
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][2].txt -> Spyware.Cookie.Specificclick : Ignored
C:\Documents and Settings\steven kohler\Local Settings\Temp\temp.fr460C -> Spyware.Hijacker.Generic : Ignored
C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe -> Trojan.Zx.12 : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP255\A0057481.exe -> Adware.BetterInternet : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP255\A0057497.exe -> Adware.BetterInternet : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP255\A0057509.sys -> Trojan.Rootkit.Agent.af : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058858.exe -> Adware.BetterInternet : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058861.sys -> Trojan.Rootkit.Agent.af : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058895.exe -> Spyware.BargainBuddy : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058896.exe -> Adware.eXact : Ignored
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058897.exe -> Spyware.BargainBuddy : Ignored
HKLM\SOFTWARE\Classes\AppID\HbSrv.EXE -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\WeatherOnTray.EXE -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0507FDDE-F3B7-49F5-9E8F-C557E991F39B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{B701A705-F828-11D4-A466-00508B5BA2DF} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPClass -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPClass\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPClass\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPEnvelope -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPEnvelope\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPEnvelope\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPMessage -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPMessage\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPMessage\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPRecipients -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPRecipients\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ASAPCom.ASAPRecipients\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{175652E8-8BCC-47C4-B591-0D630F469C19} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1E0004EC-5DF0-48C7-A8F0-FBB0488A3D94} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{286E500C-EF0A-4AA3-A94D-E495F653EF4B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{319260AB-BE0C-4025-8569-7A27ED2FAAB9} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{354382DB-DF55-4DA9-85A3-41696A0F510F} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3CEB882D-6B2B-4D81-A544-9D9B1D6FA945} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8AC5BC54-B13B-4642-99F9-0BAA2D116184} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9809A6B4-70B1-4BB2-B3B5-B415763A534E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BECAFC17-BAF9-11D4-B492-00D0B77F0A6D} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D5178F77-C5E6-4E8F-9787-48B5D7ECCCE8} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D9882035-7745-47c7-8D5E-C11178F9C553} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EA232A0A-46F8-4D44-A30B-50321518A828} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FA16BCE1-5E36-472A-8466-E0CDD5CE00E6} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{20D21E02-8C1C-41FE-9826-DAB4C223436C} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66291BEF-C867-43C0-A7B4-D13393814BCD} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EA232A0A-46F8-4D44-A30B-50321518A828} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{45397063-D7D0-47C2-9508-26487608A298} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5BA32D9E-F1BD-476C-AD42-97C9379A57A4} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71E9CF40-AF72-4B55-BD3F-1FEA2A0EAEA6} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71EFE583-62FE-4419-9918-CA3B683F7B36} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{793AF621-5CD0-4B92-B765-6712F6AAF48E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{9967A873-40F3-4C7E-9239-6C8760F19F61} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B5901229-25CC-43C9-B604-3BB6AC2B48A5} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B9F51D42-CCA0-4408-BB02-D433D1865A3A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{BCE2E826-D0F5-41C8-97BE-28A6F540CEEB} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C83DAED4-0611-4F7A-978E-7FEAFCB2F91B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F8EE014F-B34C-4544-8E45-95A7971D323B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{666DDE35-E955-11D0-A707-000000521958} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MirrorUnder -> Spyware.ClearSearch : Cleaned with backup
HKU\S-1-5-21-2005326317-2900621793-59585579-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
[1668] C:\Program Files\DealBar\BarLcher.dll -> Spyware.ActivShopper : Cleaned with backup
[952] C:\windows\system32\ppdxregp.exe -> Trojan.Zx.12 : Cleaned with backup
[2580] C:\WINDOWS\system32\38bn6kar.dll -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\guest@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][2].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@gamingpromo[1].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven kohler@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\steven kohler\Cookies\steven [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\steven kohler\Local Settings\Temp\ICD1.tmp\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\Documents and Settings\steven kohler\Local Settings\Temp\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\DealBar\BarLcher.dll -> Spyware.ActivShopper : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\Contact.dll -> Spyware.HotBar : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\SbGuard.exe -> Spyware.HotBar : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\SbHostOE.dll -> Spyware.HotBar : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\SbWeatherOnTray.exe -> Spyware.HotBar : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP255\A0057536.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP255\A0057551.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP255\A0057565.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP256\A0057577.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP256\A0057578.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0057668.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0057694.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0057710.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0058731.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0058734.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0058759.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0058776.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP257\A0058825.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058898.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058899.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058900.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058902.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058916.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP258\A0058931.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0058942.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0058956.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0058957.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0058959.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0058988.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0058989.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0059005.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0059006.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0059008.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0059996.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0060033.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP259\A0060050.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060054.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060070.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060071.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060073.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060077.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060090.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060102.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060105.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060114.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060115.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060117.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060140.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060167.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060184.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060185.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060200.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060201.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP260\A0060203.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060234.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060404.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060414.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060417.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060419.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060436.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060442.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060467.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060468.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060470.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060471.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060533.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060546.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060557.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060578.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060579.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060593.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060604.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060605.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060623.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP261\A0060629.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060651.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060652.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060663.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060707.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060708.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060711.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060714.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060733.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060734.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060760.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060766.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP262\A0060781.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060784.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060789.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060798.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060811.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060821.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060834.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060836.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060838.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP263\A0060851.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060855.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060857.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060871.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060881.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060882.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060895.dll -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060899.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060900.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060901.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060904.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060918.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060925.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060942.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060947.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060950.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060967.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060971.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP264\A0060972.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0060987.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0060988.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061026.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061027.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061030.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061033.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061063.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061106.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061107.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP265\A0061110.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061195.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061213.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061232.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061233.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061240.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061254.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061261.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061272.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061274.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061290.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061291.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061294.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP266\A0061296.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061304.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061317.dll -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061326.exe -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061327.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061332.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061334.dll -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061372.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061389.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061399.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061404.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061406.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0061414.dll -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062423.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062442.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062468.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062470.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062476.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062502.dll -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062518.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP267\A0062545.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP268\A0062550.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP268\A0062552.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP268\A0062563.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP268\A0062598.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP268\A0062611.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062632.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062635.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062651.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062676.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062707.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062756.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062771.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP269\A0062789.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP270\A0062790.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP270\A0062791.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP270\A0062807.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP270\A0062833.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062846.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062861.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062943.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062948.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062959.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062967.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062974.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0062991.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0063994.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064013.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064014.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064015.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064016.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064019.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064021.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064031.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064037.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064043.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064044.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP271\A0064047.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064057.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064059.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064097.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064100.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064123.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064127.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064128.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064131.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064136.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064137.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064138.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064139.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064140.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064141.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064142.dll -> Spyware.ImiBar : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064143.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064144.exe -> Spyware.Imiserverieplugin : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064146.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064147.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064169.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064171.exe -> Trojan.Stervis.d : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064172.dll -> Trojan.Agent.db : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064173.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064176.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064216.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064252.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064255.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064270.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064284.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP272\A0064286.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064296.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064299.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064300.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064301.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064318.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064332.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064341.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064387.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064400.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP273\A0064410.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064421.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064434.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064435.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064436.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064437.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064438.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064439.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064448.dll -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064475.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064503.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064514.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064520.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064535.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064670.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064678.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064683.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064689.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP274\A0064706.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP275\A0064707.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP275\A0064713.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP275\A0064715.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP275\A0064718.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP275\A0064723.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP275\A0064730.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP276\A0064755.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP276\A0064764.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP276\A0064767.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP276\A0064773.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP276\A0064787.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP276\A0064799.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06

#13
Yami Megami

Posted 05 September 2005 - 04:46 PM

Member

Topic Starter
Member
11 posts

Logfile of HijackThis v1.99.1
Scan saved at 6:44:28 PM, on 09/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\rsysrr2d.exe
C:\WINDOWS\system32\??stem32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ueeu\adhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rsysrr2d.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\windows\system32\ppdxregp.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\rsysrr2d.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Program Files\DealBar\BarLcher.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: (no name) - {9D555CE2-9203-9AF1-7555-CB09861374E3} - C:\WINDOWS\system32\wqjee.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysrr2d.exe DO0605
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\ppdxregp.exe DO0605
O4 - HKCU\..\Run: [Rcl] C:\WINDOWS\system32\??stem32\wuauclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysrr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ap1001_sp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o8480ihue8480.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#14
Trevuren

Posted 05 September 2005 - 04:58 PM

Old Dog

Retired Staff
18,699 posts

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:
- Go to start>control panel>folder options>view (tab)
- Choose to "show hidden files and folders,"
- Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
- Close the window with ok
Please RUN HijackThis.
. Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: (no name) - {9D555CE2-9203-9AF1-7555-CB09861374E3} - C:\WINDOWS\system32\wqjee.dll
O3 - Toolbar: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SpamBlockerUtility\Bin\4.6.1.0\SBInst.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysrr2d.exe DO0605
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\ppdxregp.exe DO0605
O4 - HKCU\..\Run: [Rcl] C:\WINDOWS\system32\??stem32\wuauclt.exe
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysrr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ap1001_sp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0006.exe
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o8480ihue8480.dll
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode
- Restart the computer.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe mode menu item
- Press Enter.
Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

C:\PROGRAM Files\SpamBlockerUtility<===Folder
C:\WINDOWS\system32\rsysrr2d.exe
C:\WINDOWS\system32\??stem32<==Folder, be careful, folder within a folder. The first folder "system32" must stay.
C:\Program Files\ueeu<==Folder
c:\windows\system32\ppdxregp.exe
C:\WINDOWS\dsr.dll
C:\WINDOWS\system32\communicator.dll
C:\WINDOWS\system32\qlink32.dll
C:\WINDOWS\system32\wqjee.dll
C:\WINDOWS\ttupt.exe
C:\WINDOWS\system32\stb.exe
C:\Documents and Settings\steven kohler\Local Settings\Temp\zxinst12.exe
C:\WINDOWS\system32\o8480ihue8480.dll
Exit Explorer, and REBOOT BACK INTO NORMAL MODE
Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

#15
Yami Megami

Posted 05 September 2005 - 05:00 PM

Member

Topic Starter
Member
11 posts

I have to go now but Ill finish everything up early tomarrow morning. Thank you Very much for the help Trev and Ill see you tomarrow.

Thanks again, Kasumi