Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

continuous pop-up's


  • Please log in to reply

#1
tsav413

tsav413

    Member

  • Member
  • PipPip
  • 10 posts
Hello-

This is my first time at this forum. I am desperate and have heard of the success that comes from here. In short, my problem is pop-ups and/or spyware.

I have run Norton, ANTIVIR, Trojan Detector and AdAwareSE. I have tried everything, but unsuccessful so far. For some reason, I believe that my problem lies in my system restore files. Its just a hunch, but Im unable to find the problem. I ran HiJackThis and pasted below is my logfile. If anyone can provide any info, it would be greatly appreciated. I await a reply and thank you in advance

Tony

Logfile of HijackThis v1.99.1
Scan saved at 3:09:37 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.235\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VizController Class - {0F9CECE1-0306-4BB0-8BEF-C9EA3841E38A} - C:\Program Files\Vyooh\DiskView\VizBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DiskView - {6A882320-BDD0-4ff4-BE3A-D8BAF82668E9} - C:\Program Files\Vyooh\DiskView\VizBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\system32\gms2.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} (LLX Control) - https://www.ll2go.co...m/x-res/llx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116719141638
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125299924625
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...581/mcfscan.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Asfil087nlnw - Pinnacle Systems GmbH - (no file)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: Viapoint File Listener - Unknown owner - C:\Program Files\Viapoint Corporation\Viapoint\MetaDataListenerService.exe (file missing)
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\system32\gms2.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\gms2.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe


Run CleanUp and delete all temp files including temporary internet files

Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

Edited by tampabelle, 22 September 2005 - 11:33 AM.

  • 0

#3
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Tampabelle-

Thank you for responding. I followed your directions. There was more evil on my computer than I had wanted. In either case, here is the fresh HJT log, followed by the Ewido scan report. I feel confident that your assistance helped me resolve this issue. However, as I am typing this reply, I received another pop-up. I plan to donate via paypal 'cause thats some good support. Thanks again. I await your reply.

T

Logfile of HijackThis v1.99.1
Scan saved at 4:35:03 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Documents and Settings\user\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\user\Desktop\security suite\ewidoguard.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VizController Class - {0F9CECE1-0306-4BB0-8BEF-C9EA3841E38A} - C:\Program Files\Vyooh\DiskView\VizBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DiskView - {6A882320-BDD0-4ff4-BE3A-D8BAF82668E9} - C:\Program Files\Vyooh\DiskView\VizBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} (LLX Control) - https://www.ll2go.co...m/x-res/llx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116719141638
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125299924625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...581/mcfscan.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Asfil087nlnw - Pinnacle Systems GmbH - (no file)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\user\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\user\Desktop\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: Viapoint File Listener - Unknown owner - C:\Program Files\Viapoint Corporation\Viapoint\MetaDataListenerService.exe (file missing)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:06:20 PM, 9/22/2005
+ Report-Checksum: 5EFCBB6C

+ Scan result:

HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Error during cleaning
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\System -> Spyware.SafeSurfing : Cleaned with backup
HKU\S-1-5-21-1409082233-1644491937-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-1409082233-1644491937-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02C20140-76F8-4763-83D5-B660107BABCD} -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.32:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.36:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.60:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.76:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.79:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.80:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.81:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.82:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.83:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.84:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.86:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.91:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.92:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.93:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.94:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.105:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.107:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.108:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.113:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.116:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.119:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.121:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.141:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.142:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.146:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.147:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.178:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.184:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.185:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.189:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.199:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.200:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.203:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.208:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.211:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.212:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.214:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.220:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.221:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.222:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.223:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.224:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.225:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.226:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.227:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.228:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.229:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.230:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.231:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.232:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.233:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.234:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.235:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.236:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.237:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.248:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.249:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.250:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.251:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.252:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.253:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.254:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.255:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.256:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.267:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.268:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.269:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.288:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\se5qrxyz.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@cbs.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@ehg-consumersunion.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\user\Cookies\tony@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\My Documents\My Downloads\Poker Robot Plays Automatic Poker and Wins Money.rar/Pacificpoker - Only Game Compatible with Poker Robot!.exe -> Spyware.Casino : Cleaned with backup
C:\System Volume Information\_restore{5327FF4A-489B-4AB2-81C1-74A8CEE1F734}\RP228\A0080060.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{5327FF4A-489B-4AB2-81C1-74A8CEE1F734}\RP242\A0086058.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\System Volume Information\_restore{5327FF4A-489B-4AB2-81C1-74A8CEE1F734}\RP242\A0086242.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{5327FF4A-489B-4AB2-81C1-74A8CEE1F734}\RP242\A0086764.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{5327FF4A-489B-4AB2-81C1-74A8CEE1F734}\RP244\A0087390.exe -> Spyware.Maxifiles : Cleaned with backup


::Report End
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
1. Run Internet Explorer. Click on Tools ---> Internet Options ---> General tab. Click on Delete cookies and Delete Files.


2. Run Firefox. Click on Tools ---> Options ----> Privacy. Click on clear buttons next to cookies and cache.


3. Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
  • 0

#5
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the logfile. Please let me know. thanks

********
5:31 PM: |··· Start of Session, Thursday, September 22, 2005 ···|
5:31 PM: Spy Sweeper started
5:31 PM: Sweep initiated using definitions version 539
5:31 PM: Starting Memory Sweep
5:36 PM: Memory Sweep Complete, Elapsed Time: 00:04:55
5:36 PM: Starting Registry Sweep
5:36 PM: Found Adware: apropos
5:36 PM: HKU\WRSS_Profile_S-1-5-21-1409082233-1644491937-839522115-500\software\aprps\ (7 subtraces) (ID = 103740)
5:36 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
5:36 PM: Found Adware: begin2search
5:36 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
5:36 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
5:36 PM: Found Adware: hotsearchbar toolbar
5:36 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
5:36 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
5:36 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
5:36 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
5:36 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
5:36 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
5:36 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
5:36 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
5:36 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
5:36 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
5:36 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
5:36 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
5:36 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
5:36 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
5:36 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
5:36 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
5:36 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
5:36 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
5:36 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
5:36 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
5:36 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
5:36 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
5:36 PM: Found Adware: bookedspace
5:36 PM: HKCR\bookedspace.extension.5\ (3 subtraces) (ID = 104858)
5:36 PM: HKCR\bookedspace.extension\ (5 subtraces) (ID = 104859)
5:36 PM: HKLM\software\classes\bookedspace.extension\ (5 subtraces) (ID = 104867)
5:36 PM: HKLM\software\configuration manager\cfgmgr52\ (192 subtraces) (ID = 104873)
5:36 PM: Found Adware: 180search assistant/zango
5:36 PM: HKLM\software\sac\ (4 subtraces) (ID = 135787)
5:36 PM: Found Trojan Horse: trojan-downloader-pacisoft
5:36 PM: HKU\S-1-5-21-1409082233-1644491937-839522115-1003\software\psof1\ (9 subtraces) (ID = 136530)
5:36 PM: HKU\WRSS_Profile_S-1-5-21-1409082233-1644491937-839522115-500\software\psof1\ (9 subtraces) (ID = 136530)
5:36 PM: Found Adware: search fast communicator toolbar
5:36 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
5:36 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
5:36 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
5:36 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
5:36 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
5:36 PM: HKU\S-1-5-21-1409082233-1644491937-839522115-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
5:36 PM: HKU\WRSS_Profile_S-1-5-21-1409082233-1644491937-839522115-500\software\communicator toolbar\ (9 subtraces) (ID = 140688)
5:36 PM: HKU\S-1-5-21-1409082233-1644491937-839522115-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
5:36 PM: HKU\WRSS_Profile_S-1-5-21-1409082233-1644491937-839522115-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
5:36 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
5:36 PM: Found Adware: shopathomeselect
5:36 PM: HKCR\grinstall6.installer.1\ (3 subtraces) (ID = 141673)
5:36 PM: HKCR\grinstall6.installer\ (5 subtraces) (ID = 141674)
5:36 PM: HKLM\software\classes\grinstall6.installer.1\ (3 subtraces) (ID = 141681)
5:36 PM: HKLM\software\classes\grinstall6.installer\ (5 subtraces) (ID = 141682)
5:36 PM: Found Adware: winad
5:36 PM: HKLM\software\media access\ (8 subtraces) (ID = 147182)
5:36 PM: Found Adware: icannnews
5:36 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
5:36 PM: HKCR\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169451)
5:36 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
5:36 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
5:36 PM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
5:36 PM: HKLM\software\classes\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169458)
5:36 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
5:36 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
5:36 PM: Found Adware: cas
5:36 PM: HKU\WRSS_Profile_S-1-5-21-1409082233-1644491937-839522115-500\software\cas\client\ (11 subtraces) (ID = 359309)
5:36 PM: Found Adware: quicklink search toolbar
5:36 PM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
5:36 PM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
5:36 PM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
5:36 PM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
5:36 PM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
5:36 PM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
5:36 PM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
5:36 PM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
5:36 PM: Found Adware: rich editor
5:36 PM: HKCR\lowsol.richeditor\ (5 subtraces) (ID = 372961)
5:36 PM: HKCR\lowsol.richeditor.1\ (3 subtraces) (ID = 372967)
5:36 PM: HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373009)
5:36 PM: HKLM\software\microsoft\windows\currentversion\app paths\richedtr\ (2 subtraces) (ID = 373109)
5:36 PM: HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114)
5:36 PM: HKLM\software\riched\ (28 subtraces) (ID = 373158)
5:36 PM: HKLM\software\classes\lowsol.richeditor\ (5 subtraces) (ID = 373176)
5:36 PM: HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373224)
5:36 PM: HKLM\software\classes\lowsol.richeditor.1\ (3 subtraces) (ID = 479490)
5:36 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 498504)
5:36 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 498516)
5:36 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 499294)
5:36 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 499295)
5:36 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall6.dll\ (2 subtraces) (ID = 509618)
5:36 PM: HKCR\main.mimefilter.1\ (3 subtraces) (ID = 609377)
5:36 PM: Registry Sweep Complete, Elapsed Time:00:00:44
5:36 PM: Starting Cookie Sweep
5:36 PM: Found Spy Cookie: overture cookie
5:36 PM: tony@perf.overture[1].txt (ID = 3106)
5:36 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:36 PM: Starting File Sweep
5:38 PM: Found Trojan Horse: trojan-downloader-bookedspace
5:38 PM: c:\windows\cfgmgr52 (ID = -2147479590)
5:45 PM: Warning: Failed to read file "c:\windows\temp\perflib_perfdata_b80.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
5:48 PM: Found Adware: windows afa internet enhancement
5:48 PM: dc1.exe (ID = 90525)
5:51 PM: backup-20050706-015931-315.dll (ID = 75775)
5:52 PM: Found Trojan Horse: trojan downloader matcash
5:52 PM: autoit3.exe (ID = 119348)
6:00 PM: Warning: Failed to read file "c:\program files\skyrefox\nslntvdm.exe". System Error. Code: 2.
The system cannot find the file specified
6:02 PM: grinstall6.dll (ID = 75775)
6:05 PM: qlink32.dll (ID = 73425)
6:08 PM: Warning: Failed to read file "c:\windows\system32\shaqperf.exe". System Error. Code: 2.
The system cannot find the file specified
6:12 PM: wingenerics.dll (ID = 50187)
6:12 PM: mc-110-12-0000079.exe (ID = 119347)
6:14 PM: communicator.dll (ID = 107420)
6:18 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\application data\google\google desktop\20963049c2dd\dbdam". System Error. Code: 32.
The process cannot access the file because it is being used by another process
6:20 PM: Found Trojan Horse: 2nd-thought
6:20 PM: stop popups.url (ID = 48215)
6:20 PM: ebay.url (ID = 48213)
6:20 PM: ebay.url (ID = 48213)
6:20 PM: Found Adware: golden palace casino
6:20 PM: best casino.  $200 signup bonus!.url (ID = 61881)
6:20 PM: popup blocker.url (ID = 48215)
6:20 PM: best buy.url (ID = 48168)
6:20 PM: online virus scan.url (ID = 48317)
6:20 PM: buy.com.url (ID = 48207)
6:20 PM: walmart.url (ID = 48361)
6:20 PM: internet privacy software.url (ID = 48302)
6:20 PM: Found Adware: abetterinternet
6:20 PM: banner.inf (ID = 83145)
6:20 PM: backup-20050706-015931-315.inf (ID = 75773)
6:20 PM: backup-20050706-015931-219.inf (ID = 70515)
6:21 PM: File Sweep Complete, Elapsed Time: 00:44:15
6:21 PM: Full Sweep has completed. Elapsed time 00:50:03
6:21 PM: Traces Found: 671
6:23 PM: Removal process initiated
6:23 PM: Quarantining All Traces: apropos
6:23 PM: Quarantining All Traces: begin2search
6:23 PM: Quarantining All Traces: hotsearchbar toolbar
6:23 PM: Quarantining All Traces: bookedspace
6:23 PM: Quarantining All Traces: 180search assistant/zango
6:23 PM: Quarantining All Traces: trojan-downloader-pacisoft
6:23 PM: Quarantining All Traces: search fast communicator toolbar
6:23 PM: Quarantining All Traces: shopathomeselect
6:23 PM: Quarantining All Traces: winad
6:23 PM: Quarantining All Traces: icannnews
6:23 PM: Quarantining All Traces: cas
6:23 PM: Quarantining All Traces: quicklink search toolbar
6:23 PM: Quarantining All Traces: rich editor
6:23 PM: Quarantining All Traces: overture cookie
6:23 PM: Quarantining All Traces: trojan-downloader-bookedspace
6:23 PM: Quarantining All Traces: windows afa internet enhancement
6:23 PM: Quarantining All Traces: trojan downloader matcash
6:23 PM: Quarantining All Traces: 2nd-thought
6:23 PM: Quarantining All Traces: golden palace casino
6:23 PM: Quarantining All Traces: abetterinternet
6:23 PM: Removal process completed. Elapsed time 00:00:35
********
5:30 PM: |··· Start of Session, Thursday, September 22, 2005 ···|
5:30 PM: Spy Sweeper started
5:31 PM: |··· End of Session, Thursday, September 22, 2005 ···|
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
OK, Spy Sweeper fixed a lot of stuff.

I need you to run one more scan and hopefully its the last.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.
  • 0

#7
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Tampabelle-

This is odd. It seemed that things were going fine. Then all of a sudden, on a windows reboot, I logged on, and Windows was not the same. I got the pop-up on the bottom of the screen that said, "Take a tour of Windows XP". Usually seen on a new computer or after formatting. In either case, my windows settings were back to factory default. My taskbar and start menu are not the same. But not the XP Pro default. Its more like Windows 98 default. My taskbar is gray and 2 dimensional. I thought is was a performance setting, but i checked, and I cant change it. , and My Favorites on IE are gone. However, I can live with that since my important documents are still here. Anyway, as I opened IE, I got another pop-up. So rather than freak out, I just ran through your instructions from step 1, and am starting again. I ran HiJack this after downloading CleanUp and Ewido. My HJT log is pasted below. I will now reboot into safe mode and run Ewido followed by CleanUp. In the meantime, any suggestions you have would be appreciated. Thanks again.

Tony

Logfile of HijackThis v1.99.1
Scan saved at 10:58:03 AM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\TONY~1.TON\LOCALS~1\Temp\Rar$EX14.297\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VizController Class - {0F9CECE1-0306-4BB0-8BEF-C9EA3841E38A} - C:\Program Files\Vyooh\DiskView\VizBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DiskView - {6A882320-BDD0-4ff4-BE3A-D8BAF82668E9} - C:\Program Files\Vyooh\DiskView\VizBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} (LLX Control) - https://www.ll2go.co...m/x-res/llx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116719141638
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125299924625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...581/mcfscan.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Asfil087nlnw - Pinnacle Systems GmbH - (no file)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Documents and Settings\user\Desktop\security suite\ewidoctrl.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
  • 0

#8
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Lets get your desktop back to normal while I try to figure this out.

download a copy of luna.msstyles here:
http://www.geekstogo...pe=post&id=3166

Unzip it and MOVE the luna.msstyles which is present in that folder you unzipped to next folder: C:\WINDOWS\Resources\Themes\Luna
Don't move it to anywhere else than that folder!

When moved it there, rightclick on your desktop > properties ... and look if Windows XPstyle is now present again. Choose apply and OK.

If not, reboot first, and try again to select Windows XPstyle


Can you tell if you know anything about this program - TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE

You can always run Ewido and Clean up in Safe Mode.
  • 0

#9
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Ok- I did what you said and my desktop is back to normal XP style!, thanks. In regards to the TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE, that is a program like PCAnywhere or Foldershare. It lets me transfer files from one PC to another or use remote control to access other PC's. The site is www.laplink.com

While I was waiting for your reply, I went through the original instructions from yesterday. I installed Ewido and updated the definitions. I ran HiJackThis and pasted the log in my previous post. I then rebooted in safe mode and ran a full scan with Ewido. Ive attached the log below. I then opened windows explorer, but was unable to find the files you had referenced

C:\Windows\system32\medgs1.exe
C:\Windows\system32\gms2.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe

So Im assuming they are non existent.

I then ran CleanUp and rebooted in Normal Mode. So below you will find firstly my Ewido log file that was generated in safe mode, followed by the HJT log I just re-ran in normal mode. Again, thank you.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:02:07 PM, 9/23/2005
+ Report-Checksum: 9F021525

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Tony.TONYDELL2\Cookies\tony@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tony.TONYDELL2\Cookies\tony@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Tony.TONYDELL2\Cookies\tony@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Tony.TONYDELL2\Cookies\tony@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Tony.TONYDELL2\Cookies\tony@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Tony.TONYDELL2\Cookies\tony@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\NPROTECT\00011921.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00012279.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\NPROTECT\00012280.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\NPROTECT\00012281.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\NPROTECT\00012297.TXT -> Spyware.Cookie.Com : Cleaned with backup
C:\RECYCLER\NPROTECT\00012298.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 1:37:08 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Documents and Settings\user\Desktop\security suite\ewidoctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Documents and Settings\user\Desktop\security suite\ewidoguard.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Tony.TONYDELL2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VizController Class - {0F9CECE1-0306-4BB0-8BEF-C9EA3841E38A} - C:\Program Files\Vyooh\DiskView\VizBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DiskView - {6A882320-BDD0-4ff4-BE3A-D8BAF82668E9} - C:\Program Files\Vyooh\DiskView\VizBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} (LLX Control) - https://www.ll2go.co...m/x-res/llx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116719141638
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125299924625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...581/mcfscan.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Asfil087nlnw - Pinnacle Systems GmbH - (no file)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\user\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\user\Desktop\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
  • 0

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
I was asking about this program - C:\WINDOWS\System32\TSIRCSRV.EXE - just to make sure that it was installed with your knowledge and that you use it.

I hadnt known about it till I saw your log. lol.


Regarding the system restore, I have no idea why it happened. I have carefully gone over the logs and the steps I had told you to carry out. Spy Sweeepr had fixed a few files but they shouldnt have resulted in a system restore in anyway.

To assure you, I use Spy Sweeper on my PC to do scans. Even we people get infections once in a while.


Can you tell me the following -

1) Are you getting any pop-ups or any signs of infections ?? Is your PC working fine i.e. not too slow etc.

2) Did you lose any installed programs ???

3) Can you go to the System restore panel and check the dates for which system restore points are available ?? To go to the System Restore Panel, click on Start ---> Help and Support. Under Help and Support Resources, click on System Restore. Click on Restore my Computer to an earlier time.

In the next page there will be a calendar layout. The dates for which you have system restore points available will be highlighted in bold.

Let me know the dates you find in September (in case none available then check for past 2-3 months).

Dont do any system restore at this stage. In case you have lost any programs etc. , then we may consider doing it.
  • 0

Advertisements


#11
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Tampabelle-

I have noticed some strange things with my PC as of late, but because of lack of experience, I'm not even sure if they are normal. Firstly, let me answer your questions. I am still receiving pop ups. They are fewer than they were prior to our troubleshooting, but I still get one or two. In regards to my PC speed. It was very slow before I did the things you had asked. It is much faster now. I have not lost any programs. However, (not sure if your familiar with it) but I have Google Desktop installed. It has been indexing for more than a week. After troubleshooting, I noticed that GD was at 0% indexed. It started over. Its not a problem at all, and the program itself is still here. I just thought I would let u know.

Ok. System Restore shows the following dates for septemeber in bold.
Sept 23rd (today)
Sept 13th - restore point - (Software Distribution Service 2.0)
Sept 5th - restore point - (System Check point)
Sept 2nd - restore point - (Installed Google Earth)

Those are the only dates in bold for Sept. It seems odd because I recall seeing a lot more just last week when I checked. In either case, those are the dates.

Now, let me fill you in on a few things that may or may not help that Ive noticed about my PC.

First thing, I will turn on my PC in the morning. Then for any reason, I will reboot and will notice discrepancies in the way it starts. For example. On the bottom right of my screen (where the windows time is) I have icons for programs that appear when turning on my computer. Well, I notice that sometimes when I reboot, either the icons that appeared once are no longer there. I have my settings to not hide my unused icons. But at times, they dont appear. Again, it may be windows, but I thought it may be worth mentioning.

Next, since we have been troubleshooting, which required me to reboot in safe mode, I noticed the following. In safe mode, the DOS screen loads and shows all the drivers prior to logging onto windows. Well, for the first time, as it was loading the drivers, it asks on the bottom of the screen ....

"Press Esc to not load d347bus.sys" which I ignored. Then again it prompted me to "Press Esc to not load vax347b.sys. Again, I did nothing, and just let it load. Not sure what thats about.

Also, as I stated earlier that when I reboot I notice different or missing icons on the bottom left of my screen, the same goes for when I exit windows (but not when it restarts, when it is logging off). I see a little window that says [IR4WRSEL.EXE cannot continue] and it quickly disappears; then logs off to restart.

Lastly, I bought this particular PC used. When I received it, the name that appeard was (user). I guess when the guy who sold it to me was doing a fresh install and windows asks for a name, he used (USER). In either case, I changed it to Tony. My problem is this. When I click on My Computer, I see my hard drives and then 3 folders. One is called Shared. The Other used to me called USER but is now Tony, and the third is Tony.Dell2. My PC name is Dell2. My other PC's have just the Shared Folder and the Tony folder under My Computer. And I know that I never created a Tony.Dell2 Folder because I never use (.) for folder names. In either case, my important documents are in the Tony folder, so I just ignore it.

Lastly#2. I have a folder directly under my C: that I cant delete. Well, the folder is nameless. Yes, it has no name. It denies me to delete it or rename it. It gives me an error that says C: cannot be deleted. Please make sure its not protected. When I enter DOS and do a DIR at C: its the first folder, but has no name!!! There is nothing inside it. I tried changing the permissions and not make it read only, but it wont go away. how is that possible? And why cant I eliminate it? not sure if u can help, but I thought I should let you know all the things I notice.

Youve been most kind and patient and your help is appreciated. My major problems have been eliminated thanks to you, so if we cant figure this out, its not a problem. Ill await a reply and thanks again.

Tony
  • 0

#12
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts

"Press Esc to not load d347bus.sys" which I ignored. Then again it prompted me to "Press Esc to not load vax347b.sys. Again, I did nothing, and just let it load. Not sure what thats about.

View Post


d347bus.sys is a CD driver file. I am not sure what vax347b.sys file is but it looks like some driver file.

In Safe Mode, Windows boots with minimum drivers and processes, it may be prompting you. You can either accept to load or reject them. Since you dont get get any errors / messages in normal PC operation, I will leave them.


Also, as I stated earlier that when I reboot I notice different or missing icons on the bottom left of my screen, the same goes for when I exit windows (but not when it restarts, when it is logging off). I see a little window that says [IR4WRSEL.EXE cannot continue] and it quickly disappears; then logs off to restart.

View Post


Can you search for this file on your PC and let me know the folder address of this file?? I havent been able to dig up anything on it.

Also if you can locate the file, then please upload it here - http://virusscan.jotti.org/ - for a scan. Post back the scan report here.

Lastly, I bought this particular PC used. When I received it, the name that appeard was (user). I guess when the guy who sold it to me was doing a fresh install and windows asks for a name, he used (USER). In either case, I changed it to Tony. My problem is this. When I click on My Computer, I see my hard drives and then 3 folders. One is called Shared. The Other used to me called USER but is now Tony, and the third is Tony.Dell2. My PC name is Dell2. My other PC's have just the Shared Folder and the Tony folder under My Computer. And I know that I never created a Tony.Dell2 Folder because I never use (.) for folder names. In either case, my important documents are in the Tony folder, so I just ignore it.

View Post


Any files located in this folder Tony.Dell2?? Also can you check if you can locate any folder under C:\Documents and Settings folder.


Lastly#2. I have a folder directly under my C: that I cant delete. Well, the folder is nameless. Yes, it has no name. It denies me to delete it or rename it. It gives me an error that says C:  cannot be deleted. Please make sure its not protected. When I enter DOS and do a DIR at C: its the first folder, but has no name!!! There is nothing inside it. I tried changing the permissions and not make it read only, but it wont go away. how is that possible? And why cant I eliminate it? not sure if u can help, but I thought I should let you know all the things I notice.

View Post


Please read this page -
http://www.bleepingc...tutorial62.html - and make sure that your system and hidden files are visible.

Now check if you can locate any files in this "nameless" folder.


Run CleanUp and delete all temp files. Run IE and delete all cookies.

Also lets check two logs -

Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.


Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#13
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Ok- I searched for the file IR4WRSEL.EXE. It returned 2 results.

Name In Folder
1) IR4WRSEL.EXE - C:\Program Files\Skyrefox
2) IR4WRSEL.EXE-03CB1B49.pf C:\Windows\Prefetch

When I checked C:\Program Files, (even after I changed the setting to display system and hidden files), I was unable to locate it. In fact, when I tried to search again, that particular file did not come up, it only found IR4WRSEL.EXE-03CB1B49.pf. Then, after I rebooted, I searched for it again, and found them both. Not only that, I found the folder Skyrefox under C:\Program Files\Skyrefox. I attempted to delete it, but it gave me an error saying that it was unable to delte because it may be in use or protected. It seems to me that it gets created everytime i restart. However, when I searched C:\Windows\Prefetch, I was able to locate the file. I then uploaded the file to the website and Ive copied the results below.

Service load: 0% 100%

File: IR4WRSEL.EXE-03CB1B49.pf
Status: OK
MD5 c386a373bd8c62a414c344f06536d08f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

BUT!!!! Let me mention this. I scanned this file twice. Each time I scanned it, the results say its ok, but....I got 3 or 4 pop ups. Weird, wonder if it has anything to do with the popups. As I write this, no popups, I just scanned the file again, and 3 popups, still with the results saying its ok. Hmmm

Ok. Under C:\Documents and Settings these are the folders I see.

Administrator
All Users
Default User
Local Service
NetworkService
Tony
Tony.TonyDELL2
user

Under C:\Documents and Settings\Tony.TonyDELL2 I see the following folders.

Application Data
Cookies
Desktop
Favorites
Local Settings
My Recent Documents
NetHood
PrintHood
SendTo
Start Menu
Templates
UserData

then these are the files located there:

NTUSER.DAT (with a windows media player icon next to it) size is 1280KB
ntuser.dat.LOG (with a notebook icon next to it) size 1KB
ntuser.ini

I made my sure my system and hidden files are visible. I was unable to see any files or folders under the 'nameless' folder.

CleanUp! started on 09/23/05 17:52:46.
...
C:\WINDOWS\temp\CS62922C84-60AC-433E-8632-3E52C4BB5C04.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS63F66084-EFD6-4970-9D7B-241C3AC31CA1.tmp - deleted
C:\WINDOWS\temp\CS653FDD9C-91B0-475E-A15A-CBB33E8CBD7F.tmp - deleted
C:\WINDOWS\temp\CS658C8961-184B-4B66-B3C5-A993478008EF.tmp - deleted
C:\WINDOWS\temp\CS6839F37D-AEB6-494F-8AE5-12E3F244844D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS6991D92F-C2FD-4F90-8AD0-E69BDEC954A5.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS6ACD8060-8C0D-45D2-BFA3-21E9F7FF9FB1.tmp - deleted
C:\WINDOWS\temp\CS6DF89FBD-8ECC-4583-AC1A-B931AAE8DF6E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS6F00BBD2-F109-45D9-837D-3FD9D296F166.tmp - deleted
C:\WINDOWS\temp\CS705C2109-91EE-4914-949C-C6BF271985F0.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS71C6D7EE-1B83-45B5-A56D-8F724C4CFF9F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS7491C8EB-5E24-4AF7-9180-5B500B35FC08.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS754DD50F-F8A2-4EAB-B843-52B3BF7B1A30.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS782BB2B3-D9DC-4E3F-BE61-8193085071A2.tmp - deleted
C:\WINDOWS\temp\CS7AB0ECF2-1F2A-4035-90DF-7BCB6025F87E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS7B25AEE3-A0CF-42F9-AEBE-A0DAC44F31DA.tmp - deleted
C:\WINDOWS\temp\CS7D87D8F5-4072-4DE2-A5A1-F48A92A5C458.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS7DCFB458-9301-4EF8-851C-DEFFEB2B8EA2.tmp - deleted
C:\WINDOWS\temp\CS7DE7F20B-C140-473D-8392-C1125AAB7FAA.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS7E79A3E4-19FF-49AA-B804-FFF4DD5376B5.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS80A1B06C-1744-4DC7-8D54-F6064C67B984.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS81F2F799-8356-4C3E-9855-61A29B9C6E8D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS82A77CA3-6EDE-4978-B160-CD10CAAF1182.tmp - deleted
C:\WINDOWS\temp\CS85938D1D-E505-443F-9222-FFFCF3E832A8.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS8622DF9B-653A-4A59-A526-9C6A06636D26.tmp - deleted
C:\WINDOWS\temp\CS873D7EEE-2428-4FA6-9B7B-D4C48F98D348.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS8A0729C7-2389-4C3E-8441-3E2693C19083.tmp - deleted
C:\WINDOWS\temp\CS8A0A4209-D714-4CD3-B4D8-64BFAE76C886.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS8A2B0F5B-D06A-44F9-91C2-E60B6ADF11AD.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS8D5F13BB-B4EE-4761-8870-5FB5F3F14FDC.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS8EF117A7-7EB2-4EC9-8163-4CFBBA7E0B09.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS8FB52CCC-1838-4649-8432-E321932E20DB.tmp - deleted
C:\WINDOWS\temp\CS8FCD2547-1EA3-413D-B34A-49B7DEB8F6A4.tmp - deleted
C:\WINDOWS\temp\CS90AE140D-0088-4C7F-82D3-99EB7BF7DBDA.tmp - deleted
C:\WINDOWS\temp\CS91EFDCA2-B11E-4C3F-A452-A7042EB7A150.tmp - deleted
C:\WINDOWS\temp\CS92A07C1B-70C3-4D43-8EE8-9ACF5F3CA695.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS93373C9C-A129-4210-9A5A-1932EACA7684.tmp - deleted
C:\WINDOWS\temp\CS94009719-E707-4DE2-B560-3E1649A52B56.tmp - deleted
C:\WINDOWS\temp\CS97F1B305-0BC9-4A05-88C3-3675687B7246.tmp - deleted
C:\WINDOWS\temp\CS9892EDA1-E868-4740-8C67-1F5002F47A24.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS9D7CCEFD-C4AF-4677-9062-D69E0D12C1A4.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS9E9652B4-08ED-49E0-BACB-DFA11FE747AC.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CS9FBB0165-87E6-4A75-ACEE-C71871E18B21.tmp - deleted
C:\WINDOWS\temp\CS9FEEEE77-B5C8-4B60-87FB-4BC4DCE9AA79.tmp - deleted
C:\WINDOWS\temp\CSA5C0A22E-365E-4237-B456-E63AFD73AF1F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSA62BE8C5-D736-4DC8-91EB-3B3C5AD7E273.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSA7066FA2-F477-4FA4-9CBE-8F49C75D6F8B.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSA889464C-F3D0-4560-AD18-7413BD280BE4.tmp - deleted
C:\WINDOWS\temp\CSAC4AF7D0-EEE5-41B0-8DDE-5F97A00B0918.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSAC7CDA78-E70E-411D-BE04-D992E92DC403.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSB01E1E83-B9EA-4724-9769-A7AD73225E35.tmp - deleted
C:\WINDOWS\temp\CSB0BD1D9F-1769-4F2F-9FA8-D2EEECDC06EE.tmp - deleted
C:\WINDOWS\temp\CSB13DC63A-9B8F-4ADA-973B-1B77FF170C72.tmp - deleted
C:\WINDOWS\temp\CSB1C76436-992E-411B-8A27-D701F351AD69.tmp - deleted
C:\WINDOWS\temp\CSB1FFFC96-710F-4BD0-BF8A-59FD1A016F18.tmp - deleted
C:\WINDOWS\temp\CSB2FEC5AB-CC5C-464C-9916-8CC58589CEFB.tmp - deleted
C:\WINDOWS\temp\CSB4FFF465-20B1-4A5F-AEB3-73EE028C7F9A.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSB621636E-C6B6-4200-A827-B49A61DCC6E9.tmp - deleted
C:\WINDOWS\temp\CSB73A26B4-CF8F-45A4-8522-AB48E52D693A.tmp - deleted
C:\WINDOWS\temp\CSB8C49567-8753-4B50-A4D5-7E42F910E033.tmp - deleted
C:\WINDOWS\temp\CSB91AD7FB-B201-441C-9EE2-5F00C8B183DF.tmp - deleted
C:\WINDOWS\temp\CSB95BEF26-9CF3-4200-9481-E0E1DA256C2F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSBB9D5E36-68C6-4005-A394-07724CE2B141.tmp - deleted
C:\WINDOWS\temp\CSBBED810D-7109-4034-8BDC-98C73657CD13.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSBD8A7010-B5C4-42EC-BA81-E34DDAE1B2D7.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSC06A3929-E88C-433C-8CA4-82961D32D680.tmp - deleted
C:\WINDOWS\temp\CSC12FC658-2D1C-42DF-8C3F-044435CB3BC8.tmp - deleted
C:\WINDOWS\temp\CSC19CDCB5-42A7-4212-8E58-1A57E8A72ABC.tmp - deleted
C:\WINDOWS\temp\CSC430FCE4-E4FD-4B87-8712-8BC6209ABB26.tmp - deleted
C:\WINDOWS\temp\CSC498CC4C-D9C1-489D-B840-02D1792ABDD6.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSC4D84398-9456-4815-869A-D97523FE69B2.tmp - deleted
C:\WINDOWS\temp\CSC60D9600-BF5A-436A-BE31-0C375E23D27D.tmp - deleted
C:\WINDOWS\temp\CSC662A879-BC8B-4524-B622-B63EB9B530C4.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSC6B1C3EA-5561-4E22-9E51-CE349864FC0C.tmp - deleted
C:\WINDOWS\temp\CSC7B3862F-24E1-4187-935E-61B554CF0EEB.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSC8A53EC6-C4C0-44A6-8F62-51AE09D0E082.tmp - deleted
C:\WINDOWS\temp\CSC959649C-D503-4D8A-8516-05575D857168.tmp - deleted
C:\WINDOWS\temp\CSCC13FA76-1B0E-4B52-8E32-CAED79CAC49A.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSCC26CF99-7447-4A0A-ACB6-B525915C0C8D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSCE750AFF-7736-4ADE-A76D-D9BE18ED8D65.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSCF3C33E8-689D-488E-8101-CA3AF37E3451.tmp - deleted
C:\WINDOWS\temp\CSCFA9AF81-E55B-4C41-93A7-B45B92D69C34.tmp - deleted
C:\WINDOWS\temp\CSD111B065-C084-4E37-B329-7A7B85EA8BF9.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSD2581142-EEC4-4A28-9D79-1ED484E11919.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSD30DA3F3-3D59-43EA-869B-6F5BF01CA573.tmp - deleted
C:\WINDOWS\temp\CSD38D51DD-2531-4533-AA90-C5CEAC3E795B.tmp - deleted
C:\WINDOWS\temp\CSD6878591-A99F-47FF-AFBA-6C57D5D6E624.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSD8A14EFD-6CD4-43E5-9D9F-F92E298A5C09.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSDBCE20D9-81D3-4122-9D35-D8E257331E1F.tmp - deleted
C:\WINDOWS\temp\CSDC3FDE60-973D-4E85-A078-9404FB95024D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSDCBBFE41-7B0C-47B8-8F1B-74227CC3D601.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSDE36ABF8-7D29-45AB-B3C6-502684F146D0.tmp - deleted
C:\WINDOWS\temp\CSDE9256A3-1D25-431A-B7D1-847A65E34A60.tmp - deleted
C:\WINDOWS\temp\CSDEE15696-7FCC-4AC2-9F2E-365B49B93DEF.tmp - deleted
C:\WINDOWS\temp\CSDF31498C-19DF-4CAC-9F4C-DC9F0D4E6B7F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSDFE33BA7-E307-4668-A606-07C6AC028780.tmp - deleted
C:\WINDOWS\temp\CSE0D2C29D-AE5F-4AE2-9A95-BA71A7174A3D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSE3DA7978-A7B6-4704-82BF-18479DB470C5.tmp - deleted
C:\WINDOWS\temp\CSE4BC9349-E3D0-4DCE-B00C-755FF3A23CE2.tmp - deleted
C:\WINDOWS\temp\CSE52C3397-E869-482B-A812-ADF43DAE9748.tmp - deleted
C:\WINDOWS\temp\CSE5AAE5C1-4BF7-4081-B9BB-2FED1672D693.tmp - deleted
C:\WINDOWS\temp\CSE5EE4931-4E61-43F6-B5CF-01920EBC1228.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSE6105E8C-48D9-433D-BDFE-F918A1E402F9.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSE68694D5-88F5-4E60-B504-D49E0558325D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSE6BEF86D-41F3-48F1-B123-9AC514B7BAFF.tmp - deleted
C:\WINDOWS\temp\CSE7AC610A-DD41-4CA2-B454-F1FDC6C7D869.tmp - deleted
C:\WINDOWS\temp\CSE99B49CF-6CBC-440F-844F-7663AEDE1787.tmp - deleted
C:\WINDOWS\temp\CSEA7FA7D2-732F-472B-AB5F-1BD7B4071946.tmp - deleted
C:\WINDOWS\temp\CSEC458696-94E9-4227-9640-AD1024B9EC05.tmp - deleted
C:\WINDOWS\temp\CSED707671-EAB7-4AF2-8E56-8B21DC76855C.tmp - deleted
C:\WINDOWS\temp\CSEE455F39-7587-4E54-94C9-E11893F8E65E.tmp - deleted
C:\WINDOWS\temp\CSEEB4E727-4C07-4690-92D9-AFB5FBB48819.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSEF3CC7F9-B037-4287-A56A-D962B503528D.tmp - deleted
C:\WINDOWS\temp\CSF090135E-640D-425F-9434-497DA5051EA6.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF14E6C6D-6092-4A21-9BCE-F0060EA2C9F3.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF3A80B97-4D0A-49F7-A7FC-2BEE7F09607E.tmp - deleted
C:\WINDOWS\temp\CSF3DB087A-4783-4147-BEC9-D3BDEABDAD17.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF460E602-228F-4E6A-9642-25A2B81876EC.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF5DB19C3-8109-4565-8CB9-754F41B826E0.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF6D717B9-2AB7-4FED-A26A-15BCA9DA6D1D.tmp - deleted
C:\WINDOWS\temp\CSF8244139-5BB8-4441-8D01-97AE9D7E6E95.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF8A865EA-67B5-4099-8206-C99D4D83493E.tmp - deleted
C:\WINDOWS\temp\CSF8D448DD-BE61-4182-96A7-6862C3C10166.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSF9734984-C54B-4114-B4C1-13322113DEF3.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSFC9152F1-9B2E-4BF4-BD9F-052C9F459A74.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSFCACAE0D-FB45-4F92-892B-661492D3B9F7.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSFDDBB2C9-40EE-4632-A7FA-37373AD6431E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSFEAF9C60-CC6B-4DD2-8A5D-06B51572A8D4.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\CSFFA2CE5C-2E6B-4097-A594-3BD5FC31EF86.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\FDB0BA1E.TMP - deleted
C:\WINDOWS\temp\Perflib_Perfdata_714.dat - deleted
C:\WINDOWS\temp\Perflib_Perfdata_72c.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\Perflib_Perfdata_cb8.dat - deleted
C:\WINDOWS\temp\T30DebugLogFile.txt - deleted
C:\WINDOWS\temp\tmp0000251f\tmp00000000 currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\History\History.IE5\MSHist012005092320050924\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\Temp\~DFC56E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\NetworkService\Cookies\index.dat - deleted
C:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\index.dat - deleted
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat - deleted
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\system@www.laplink[1].txt - deleted
C:\Documents and Settings\LocalService\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.bak - deleted
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Application Data\Webroot\Spy Sweeper\Data\alwayskr.tmp - deleted
C:\Documents and Settings\Tony.TONYDELL2\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\History\History.IE5\MSHist012005092320050924\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\Temp\~DFC56E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\Temp\~DFC56E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tony.TONYDELL2\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Program Files\Common Files\Symantec Shared\IDS\IDSSettg.BAK - deleted
C:\WINDOWS\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat.bak - deleted
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk - deleted
C:\WINDOWS\system32\CatRoot2\edb.chk - deleted
C:\WINDOWS\Temp\CS00DBF7E3-0F75-4CA7-A4A2-E00516CBD581.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS03743C4B-51C0-46AE-B6D9-5C57ADCD93E0.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS07509A91-B823-4285-B9C3-09CFEA6F507B.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS08C12E7D-E6F7-4B69-AC4A-C171B768AFB5.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS0ADBAACF-4338-4217-8338-80BE5D179BBE.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS0B11D44F-D170-4AC1-8969-F9B6244AB7C9.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS0C34CFBD-069D-46A1-A64B-A8DC5628C178.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS12BC8624-0460-4D71-962E-7379CE811667.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS1340D94C-AF43-4012-906E-EDEAD86E1A08.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS15B9525B-50F5-4002-9D8D-60B2F0312BCA.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS19C634CB-4EA8-49B0-9D9C-F7AAD989E6D7.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS1A46BD11-EA24-4157-A2AD-4F395AE17C5B.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS1AEAD938-96FB-4995-9910-A28BDF4DD7D2.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS1C6FA480-DE91-4440-92B2-E1A16966E0DD.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS232DC997-2181-41CB-8707-629616905E39.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS2CF8B0A2-7B78-4457-8EEF-3ADF280C4F32.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS2DB32378-71D9-4AAC-B44C-01A7A620AEBD.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS2F40C46D-F204-4B26-A61A-7C5E9F61CA73.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS30D0A5E5-AC55-4965-BCF2-76F28B8078A2.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS32038BF7-7931-45F0-B205-C032EDC0C1B6.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS34548251-0909-4670-9F3F-CECB29539DFB.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS357E9C13-A246-430F-9B11-654B547841DA.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS365207BC-997F-4943-A82C-EFCD3C54B2CE.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS3CAB9A0F-FA8A-4709-B31E-5E332FF4F385.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS3DC18B32-CA38-4FEB-BDE7-4DBFBD91056F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS4247FCCF-E09F-405B-BB13-84EF7FAE9D17.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS42B764A0-ED88-4098-9956-DDFE5D30BA57.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS465D5CC5-6B16-4AE0-82B2-03A0619FDC5F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS4E2ECF85-05EF-4139-AB78-3780F060E03E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS50D9B732-3A6A-42FD-BAE9-C27952BB7DF1.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS53E7CE4C-FC3B-4C29-92A3-C4E119666EC2.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS56A97B17-1C0F-4C20-9348-7800CE227BA8.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS5ADC5366-F7E1-418D-BB85-3CCCD347F46C.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS5D023816-C382-4A9D-B376-E3EA779664A1.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS5E3D119D-69F1-4DA5-B674-C5A7AB5DC4EE.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS61236F8F-CCBD-460F-BC82-86A9C08942E1.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS628CC085-2DD6-4EE6-860A-D6D88478CD15.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS62922C84-60AC-433E-8632-3E52C4BB5C04.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS6839F37D-AEB6-494F-8AE5-12E3F244844D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS6991D92F-C2FD-4F90-8AD0-E69BDEC954A5.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS6DF89FBD-8ECC-4583-AC1A-B931AAE8DF6E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS705C2109-91EE-4914-949C-C6BF271985F0.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS71C6D7EE-1B83-45B5-A56D-8F724C4CFF9F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS7491C8EB-5E24-4AF7-9180-5B500B35FC08.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS754DD50F-F8A2-4EAB-B843-52B3BF7B1A30.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS7AB0ECF2-1F2A-4035-90DF-7BCB6025F87E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS7D87D8F5-4072-4DE2-A5A1-F48A92A5C458.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS7DE7F20B-C140-473D-8392-C1125AAB7FAA.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS7E79A3E4-19FF-49AA-B804-FFF4DD5376B5.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS80A1B06C-1744-4DC7-8D54-F6064C67B984.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS81F2F799-8356-4C3E-9855-61A29B9C6E8D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS85938D1D-E505-443F-9222-FFFCF3E832A8.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS873D7EEE-2428-4FA6-9B7B-D4C48F98D348.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS8A0A4209-D714-4CD3-B4D8-64BFAE76C886.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS8A2B0F5B-D06A-44F9-91C2-E60B6ADF11AD.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS8D5F13BB-B4EE-4761-8870-5FB5F3F14FDC.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS8EF117A7-7EB2-4EC9-8163-4CFBBA7E0B09.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS92A07C1B-70C3-4D43-8EE8-9ACF5F3CA695.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS9892EDA1-E868-4740-8C67-1F5002F47A24.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS9D7CCEFD-C4AF-4677-9062-D69E0D12C1A4.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CS9E9652B4-08ED-49E0-BACB-DFA11FE747AC.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSA5C0A22E-365E-4237-B456-E63AFD73AF1F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSA62BE8C5-D736-4DC8-91EB-3B3C5AD7E273.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSA7066FA2-F477-4FA4-9CBE-8F49C75D6F8B.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSAC4AF7D0-EEE5-41B0-8DDE-5F97A00B0918.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSAC7CDA78-E70E-411D-BE04-D992E92DC403.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSB4FFF465-20B1-4A5F-AEB3-73EE028C7F9A.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSB95BEF26-9CF3-4200-9481-E0E1DA256C2F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSBBED810D-7109-4034-8BDC-98C73657CD13.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSBD8A7010-B5C4-42EC-BA81-E34DDAE1B2D7.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSC498CC4C-D9C1-489D-B840-02D1792ABDD6.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSC662A879-BC8B-4524-B622-B63EB9B530C4.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSC7B3862F-24E1-4187-935E-61B554CF0EEB.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSCC13FA76-1B0E-4B52-8E32-CAED79CAC49A.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSCC26CF99-7447-4A0A-ACB6-B525915C0C8D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSCE750AFF-7736-4ADE-A76D-D9BE18ED8D65.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSD111B065-C084-4E37-B329-7A7B85EA8BF9.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSD2581142-EEC4-4A28-9D79-1ED484E11919.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSD6878591-A99F-47FF-AFBA-6C57D5D6E624.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSD8A14EFD-6CD4-43E5-9D9F-F92E298A5C09.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSDC3FDE60-973D-4E85-A078-9404FB95024D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSDCBBFE41-7B0C-47B8-8F1B-74227CC3D601.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSDF31498C-19DF-4CAC-9F4C-DC9F0D4E6B7F.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSE0D2C29D-AE5F-4AE2-9A95-BA71A7174A3D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSE5EE4931-4E61-43F6-B5CF-01920EBC1228.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSE6105E8C-48D9-433D-BDFE-F918A1E402F9.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSE68694D5-88F5-4E60-B504-D49E0558325D.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSEEB4E727-4C07-4690-92D9-AFB5FBB48819.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF090135E-640D-425F-9434-497DA5051EA6.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF14E6C6D-6092-4A21-9BCE-F0060EA2C9F3.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF3DB087A-4783-4147-BEC9-D3BDEABDAD17.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF460E602-228F-4E6A-9642-25A2B81876EC.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF5DB19C3-8109-4565-8CB9-754F41B826E0.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF8244139-5BB8-4441-8D01-97AE9D7E6E95.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF8D448DD-BE61-4182-96A7-6862C3C10166.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSF9734984-C54B-4114-B4C1-13322113DEF3.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSFC9152F1-9B2E-4BF4-BD9F-052C9F459A74.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSFCACAE0D-FB45-4F92-892B-661492D3B9F7.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSFDDBB2C9-40EE-4632-A7FA-37373AD6431E.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSFEAF9C60-CC6B-4DD2-8A5D-06B51572A8D4.tmp currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Temp\CSFFA2CE5C-2E6B-4097-A594-3BD5FC31EF86.tmp currently in use. Will be deleted when Windows is restarted.
'Run MRU' list - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.0 recovered 15.8 MB of disk space from 1036 files.
CleanUp! finished on 09/23/05 17:53:15.


This is the log from SilentRunner:


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"googletalk" = ""C:\Program Files\Google\Google Talk\googletalk.exe" /autostart" ["Google"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"FolderShare" = ""C:\Program Files\FolderShare\FolderShare.exe" /background" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"PicasaNet" = ""C:\Program Files\Hello\Hello.exe" -b" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"(Default)" = (empty string)
"Norton Ghost 9.0" = "C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"MSKDetectorExe" = "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall" ["McAfee, Inc."]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"LapLink Server Proxy" = ""C:\Program Files\LapLink Gold\WProxy.exe" -l" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0F9CECE1-0306-4BB0-8BEF-C9EA3841E38A}\(Default) = "VizController Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Vyooh\DiskView\VizBHO.dll" ["Vyooh"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BC9A4428-196B-4822-B0FA-2B44C29D2A26}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]
"{38656425-8C6B-49C6-9C6A-EBE255812C47}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\skriptpw.dll" [file not found]
"{D4A3CA1A-B7BE-44D4-A6C0-7C340A98B0F4}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nirspt.dll" [file not found]
"{B9867D94-6628-4AD2-92FC-71DC068AC9A6}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shcbase.dll" [file not found]
"{72C1D182-8C33-4E40-9309-455B04D098BE}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\umrlbva.dll" [file not found]
"{7ED281E3-8895-484F-BE6E-403F8FACE3FA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\umrlbva.dll" [file not found]
"{0B8BC491-0C14-4A93-97BF-3DA153CD7F5C}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wN2topl.dll" [file not found]
"{4248DA01-4070-4F4D-A24C-608481027C35}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\vnpodbc.dll" [file not found]
"{AA15A8B2-6D20-4D31-8578-840B2997D1AB}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wN2topl.dll" [file not found]
"{9356CE9B-C935-41AB-AFDC-013A250DF8A9}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\bhpanui.dll" [file not found]
"{EAC6589B-9167-4ECF-BEE9-22120131AA70}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\bhpanui.dll" [file not found]
"{FABA588C-52C9-466C-B9A6-D593EB2F3D88}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ciutil.dll" [file not found]
"{FCB82B37-5FAC-459F-B66E-5CDCFDA64438}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\vormux.dll" [file not found]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\user\Desktop\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe,"c:\windows\tsi32\tsiuser.exe"" [MS], ["Laplink Software, Inc."], ["Laplink Software, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\user\Desktop\security suite\context.dll" ["ewido networks"]
mqgmnmky\(Default) = "{0de3fd9f-b847-4360-9027-a7db0bb1cbdf}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\inriw.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\user\Desktop\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Tony" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"SoonR Desktop Client" -> shortcut to: "C:\Program Files\SoonR\SoonR Desktop Client\SoonrClient.exe" ["SoonR Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Tony" -> launches: "C:\PROGRA~1\NORTON~2\NORTON~3\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{6A882320-BDD0-4FF4-BE3A-D8BAF82668E9}" = "DiskView"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Vyooh\DiskView\VizBar.dll" ["Vyooh"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{B723B1B8-9788-4684-ADA7-D1DB02E1D516}\
"ButtonText" = "Noble Poker"
"MenuText" = "Noble Poker"
"Exec" = "C:\Program Files\Noble Poker\casino.exe" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
ewido security suite control, ewido security suite control, "C:\Documents and Settings\user\Desktop\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Documents and Settings\user\Desktop\security suite\ewidoguard.exe" ["ewido networks"]
GEARSecurity, GEARSecurity, "C:\WINDOWS\System32\GEARSec.exe" ["GEAR Software"]
LapLink, LapLink, ""C:\Program Files\LapLink Gold\laplink.exe"" ["Laplink Software, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Norton Ghost, Norton Ghost, "C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
pcAnywhere Host Service, awhost32, "C:\Program Files\Symantec\pcAnywhere\awhost32.exe" ["Symantec Corporation"]
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
TSI Remote Control Service, TSIRCSRV, "C:\WINDOWS\System32\TSIRCSRV.EXE" ["Laplink Software, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found], INFECTION WARNING! "tsikbf5" ["Laplink Software, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 204 seconds, including 18 seconds for message boxes)
  • 0

#14
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Guess what !!!!! Found traces of two other infections.



Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#15
tsav413

tsav413

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Tampabelle- This is unbelievable. I felt that we were closing in on the problem. Now, my PC wont boot to windows. I restart, I see the Dell logo, then Microsoft Windows XP Professional, then I see the Windows logo, and it just stops and restarts by itself. grrr! I am writing this message from another PC. Any ideas or suggestions? I can boot into safe mode, and also boot into safe mode with networking, to access the internet, but it wont boot normally.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP