multiple problems [RESOLVED]


  • This topic is locked

#61
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
OK, I will do that. I was wondering something: is the Dr. Watson debugger thing a virus? Because I have a few of those files in my system.
  • 0

#62
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
No it isn't in your case.

Trevuren

  • 0

#63
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Hi Trevuren! Sorry for taking so long; I was out of town. Anyway, here is the new Regsearch....


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "shmgrate.exe" 10/25/2005 10:32:40 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\shmgrate.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\shmgrate.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\shmgrate.exe]

_________________________________________________________________________________________________________________________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "kafjrfr" 10/25/2005 10:34:35 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR\0000]
"Service"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR\0000]
"DeviceDesc"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kafjrfr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kafjrfr]
"DisplayName"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kafjrfr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kafjrfr\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kafjrfr\Enum]
"0"="Root\\LEGACY_KAFJRFR\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_KAFJRFR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_KAFJRFR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_KAFJRFR\0000]
"Service"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_KAFJRFR\0000]
"DeviceDesc"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_KAFJRFR\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\kafjrfr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\kafjrfr]
"DisplayName"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\kafjrfr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR\0000]
"Service"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR\0000]
"DeviceDesc"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr]
"DisplayName"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr\Enum]
"0"="Root\\LEGACY_KAFJRFR\\0000"
___________________________________________________________________________________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "hjnqapd" 10/25/2005 10:36:50 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-2801439982-3646181656-3495054330-1003\Software\Neuber GbR\Security Task Manager\Cache]
"C:\\WINDOWS\\system32\\hjnqapd\\rifqr.exe"="2080"

________________________________________________________________________________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "jvdnncd" 10/25/2005 10:38:38 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD\0000]
"Service"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD\0000]
"DeviceDesc"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jvdnncd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jvdnncd]
"DisplayName"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jvdnncd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jvdnncd\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jvdnncd\Enum]
"0"="Root\\LEGACY_JVDNNCD\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_JVDNNCD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_JVDNNCD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_JVDNNCD\0000]
"Service"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_JVDNNCD\0000]
"DeviceDesc"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_JVDNNCD\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\jvdnncd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\jvdnncd]
"DisplayName"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\jvdnncd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD\0000]
"Service"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD\0000]
"DeviceDesc"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jvdnncd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jvdnncd]
"DisplayName"="jvdnncd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jvdnncd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jvdnncd\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jvdnncd\Enum]
"0"="Root\\LEGACY_JVDNNCD\\0000"

__________________________________________________________________________________________

None for "pcox", none for "qagnjkr", none for "ivhjnfc.sys".
__________________________________________________________________________________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "cdfouvs" 10/25/2005 10:45:01 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS\0000]
"Service"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS\0000]
"DeviceDesc"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cdfouvs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cdfouvs]
"DisplayName"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cdfouvs\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cdfouvs\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cdfouvs\Enum]
"0"="Root\\LEGACY_CDFOUVS\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CDFOUVS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CDFOUVS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CDFOUVS\0000]
"Service"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CDFOUVS\0000]
"DeviceDesc"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CDFOUVS\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cdfouvs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cdfouvs]
"DisplayName"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cdfouvs\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS\0000]
"Service"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS\0000]
"DeviceDesc"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfouvs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfouvs]
"DisplayName"="cdfouvs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfouvs\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfouvs\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfouvs\Enum]
"0"="Root\\LEGACY_CDFOUVS\\0000"
________________________________________________________________________________
None for "avgtdi.sys", none for "ikvgip", none for "adyhxyb.sys"
___________________________________________________________________________
  • 0

#64
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Should I post an HJT log?

Edited by biggun1234, 25 October 2005 - 12:00 PM.

  • 0

#65
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please do.


Trevuren

  • 0

#66
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:47:28 AM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office1\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - F:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#67
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi biggun,


I have prepared a tentative regfix and other operations for you to do. Before posting these, I have decided to check with one of the foremost experts we have in the field of registry editing, just to make sure I have dotted all the i's and crossed all the t's.

I hope to have a fix posted for you by tomorrow night.

Take care,

Trevuren

  • 0

#68
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop. DO NOT RUN IT YET

B. 1. Back up the registry by going to Start > Run and typing "regedit" without the quotes. Then, on the File menu, choose "Export" (in XP). Export the file to your Desktop.

If a restore of the registry is required in case of emergency, just click on the exported regfile on your desktop and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like "Merge Successful".

2. Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\shmgrate.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\shmgrate.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\shmgrate.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KAFJRFR]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kafjrfr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_KAFJRFR]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\kafjrfr]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr]

[HKEY_USERS\S-1-5-21-2801439982-3646181656-3495054330-1003\Software\Neuber GbR\Security Task Manager\Cache]
; remove only the cached entry for the hjnqapd file; the key itself belongs to Security Task Manager and stays
"C:\\WINDOWS\\system32\\hjnqapd\\rifqr.exe"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JVDNNCD]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jvdnncd]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_JVDNNCD]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\jvdnncd]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JVDNNCD]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jvdnncd]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CDFOUVS]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cdfouvs]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CDFOUVS]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cdfouvs]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFOUVS]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfouvs]


3. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

4. Do Not reboot at this time.

C. Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot".
    • "End Explorer Shell While Killing File"
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\system32\whecdwm
    C:\WINDOWS\system32\ugoyfn
    C:\WINDOWS\system32\qagnjkr
    C:\WINDOWS\system32\pcox
    C:\WINDOWS\system32\ikvgip
    C:\WINDOWS\system32\hjnqapd



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


D. Please run HJT and post a fresh log for review. Please also comment on your computer's performance at this time.

Regards,

Trevuren

Edited by Trevuren, 26 October 2005 - 02:55 PM.

  • 0
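As an added example that is not part of the thread (Python, with a constructed RegSrch sample and a made-up SID), the script below turns a RegSrch report into a REGEDIT4 removal file using the two deletion forms in Trevuren's fix: `[-KEY]` for a key named after the infection (subkeys collapse into the top-most hit), and `"name"=-` for a single value under a key that should stay, such as the Security Task Manager cache.

```python
# Added example, not from the thread: build a REGEDIT4 removal file from a
# RegSrch.vbs report. Rule applied: a key whose *path* contains the search
# string is named after the infection and is deleted whole with "[-KEY]";
# a key matched only through a value is kept and just that value is removed
# with '"name"=-'.
import re
from collections import OrderedDict

# Constructed sample in RegSrch report format; SID and paths are made up.
SAMPLE_REPORT = r'''REGEDIT4
; RegSrch.vbs (constructed sample, two searches merged)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KAFJRFR\0000]
"Service"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr]
"DisplayName"="kafjrfr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kafjrfr\Enum]
"0"="Root\\LEGACY_KAFJRFR\\0000"

[HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Neuber GbR\Security Task Manager\Cache]
"C:\\WINDOWS\\system32\\hjnqapd\\rifqr.exe"="2080"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Value names are quoted; backslashes and quotes inside them are escaped.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_report(text):
    """Return (keys, values): keys hit, in order, and {key: [value names]}."""
    keys, values, current = [], OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            if current not in keys:
                keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Keep the name exactly as escaped in the report so it can be
            # re-emitted verbatim in the fix file.
            values.setdefault(current, []).append(m.group('name'))
    return keys, values


def is_under(key, root):
    """True if key is root itself or a subkey of root (registry paths are case-insensitive)."""
    k, r = key.lower(), root.lower()
    return k == r or k.startswith(r + '\\')


def collapse_keys(keys):
    """Drop every key that has an ancestor in the list, so one [-KEY] deletes the tree."""
    roots = []
    for key in sorted(keys, key=str.lower):  # a parent path sorts before its children
        if not any(is_under(key, r) for r in roots):
            roots.append(key)
    return roots


def build_fix(report, needle):
    """Emit REGEDIT4 text removing what RegSrch found for `needle`."""
    keys, values = parse_report(report)
    needle = needle.lower()
    roots = collapse_keys([k for k in keys if needle in k.lower()])
    out = ['REGEDIT4', '']
    for root in roots:
        out += ['[-%s]' % root, '']
    for key, names in values.items():
        if any(is_under(key, r) for r in roots):
            continue  # whole tree is already deleted above
        hits = [n for n in names if needle in n.lower()]
        if hits:
            out.append('[%s]' % key)
            out += ['"%s"=-' % n for n in hits]
            out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    for needle in ('kafjrfr', 'hjnqapd'):
        print(build_fix(SAMPLE_REPORT, needle))
```

Review the generated file against the original report before merging it; the script only mechanises the two deletion forms and does not decide what is malicious.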

#69
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Hi Trevuren! Hey, the computer is running pretty well! The only thing I can find that is wrong is that I am still getting that weird error message in Internet Explorer, but it's no big deal at all. Is everything cleared up?

Logfile of HijackThis v1.99.1
Scan saved at 6:48:11 PM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
F:\Program Files\Winamp\winamp.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#70
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
It's looking pretty good, just one little change in your log to be made. Let's make sure the system is really clean before we end.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window you will see the lower panel where MWav lists "infected items". Please highlight everything in that lower panel, copy it by holding CTRL + C, then paste it here. The whole log will be extremely BIG, so there is no way to post the log. I just need the infected items list.

Regards,

Trevuren

  • 0

#71
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
OK, here is that list. By the way, I have LimeWire, but I have researched it and have found that it has no spyware or adware in the new version; it even says that in the license and readme. Why is it that this scan detected it? Is it possibly old LimeWire spyware left over from when I used to have it a year ago?

Object "smartfinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.loadadv.400 Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "abxtoolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "aurora Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "adsrve Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "windupdate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "roings Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "maxspeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "weatherbug Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "maxspeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "yoursitebar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "browser hijack object Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BundleLite.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\elite.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ttinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\cssweb.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\m67m.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\WinSoftware\CrXML.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BundleLite.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\mm81.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\elite.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\NeroMediaPlayer.exe" refers to invalid object "C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton SystemWorks\Norton AntiVirus\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\AnswerWorks 4.0\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".001". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".002". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".003". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".004". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".005". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".abm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".awc". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".block". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cfg". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".crc". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dbl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ddb". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dnl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".edb". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".for". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".htm_1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".IE5". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".php?act=Attach&type=post&id=3972". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".prx". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".qfn". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".quarter". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rar". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sig". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xxx". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "abi-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "bsto-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Cleaner 5 EZ". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "DisplayUtility". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "gqurojs2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "GSpot". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "HSA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ISTsvc". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB823559". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828741". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB834707-IE6SP1-20040929.091901". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB835732". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB840987". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB842773". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB887822". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Media Access". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "media-motor". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "New.net". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NMPUninstallKey". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "OvMon". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Power Scan". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329048". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329115". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329170". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329390". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329441". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329834". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810577". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817606". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "salm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SlowBlast!". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SW". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ViewpointSearchBar". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Windows SR 2.0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WSEM Update". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{43C3D832-AC96-463A-2003-1B8D1BFA252F}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600137}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600205}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{36baa44a-1a0f-4f42-bc23-8ff14c0eedee}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4437bcea-cf66-4322-8508-8059c674b7c7}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4956C5F5-D9A8-4CBB-8994-F53CF55CFDF5}" refers to invalid object "F:\Program Files\Shareaza\Plugins\ImageServices.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{50D994EE-8834-11D3-8BBE-0000E85F332D}" refers to invalid object "F:\PROGRA~1\CLEANE~1\CLEANE~1.EXE". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5218B0DC-0EAA-33AB-8DA9-3F6F92257095}" refers to invalid object "C:\WINDOWS\system32\nhcay\oanfd.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{57B53D52-9781-4942-A3B0-E9BCE3878A77}" refers to invalid object "C:\WINDOWS\System32\intlmain.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5E6309F2-9971-4683-9445-F548E81BEC07}" refers to invalid object "F:\Program Files\Shareaza\Plugins\ImageServices.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{62969c56-9bf5-4430-9202-7ebd61ee0a2d}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8fc68312-f293-4ae4-a7c3-98ebd9e7b171}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4F1E383-B493-4580-8DB6-5CC89CBAAC53}" refers to invalid object "F:\Program Files\Shareaza\Plugins\SkinScanSKS.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BFC0C9AE-E7F2-BEAB-1AB6-9927FF98C609}" refers to invalid object "C:\WINDOWS\system32\qcepkufu\wayibuq.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C81B5180-AFD1-41a3-97E1-99E8D254DB98}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\cssweb.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D427C22F-23FB-4E51-A8B8-70F2036ED3BA}" refers to invalid object "F:\Program Files\Shareaza\Plugins\ImageServices.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f556af8b-f0d2-4848-b590-b4e89b3d66f5}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{002E7DA2-BA9E-11D1-B526-0060085C418E}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\VolumeS.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{02926246-D3D1-11D1-B545-0060085C418E}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\SDOptions.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1D028BB7-6372-408A-9FCA-46711A3286EF}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LudfWrtr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{23206367-662A-402D-932C-D21797E2CE4F}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdrtDisc.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{232CF401-90A9-11D4-9421-005004AD29B2}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\cssweb.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{31C9D71D-9424-420B-91F8-CBA3274C4EE6}" refers to invalid object "F:\Program Files\Ulead Systems\Ulead VideoStudio 8.0\ppp\ms40uw1.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{37C16012-B50F-11D1-B513-0060085C418E}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\SDDocSnapin.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3AF78A60-6F14-11D1-A884-0000B43699FC}" refers to invalid object "C:\Program Files\BackWeb\BackWeb Client\6.1.0.153\Program\BWfiles.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0}" refers to invalid object "C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{4C78B9E2-A887-11D1-B4FF-0060085C418E}" refers to invalid object "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{53FCF357-5323-11D0-A864-0000B43699FC}" refers to invalid object "C:\Program Files\BackWeb\BackWeb Client\6.1.0.153\Program\BackWeb.tlb". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{58CEFAA6-4C08-4E60-A04B-84025DB58CAA}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LdrtBurn.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{590DF1E4-C721-11D2-989A-00A0C93BF050}" refers to invalid object "C:\Program Files\BackWeb\BackWeb Client\6.1.0.153\Program\bwdlg.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{60614412-BCD8-11D1-BC03-00600811C705}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\NCOMCAT.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{643D8E15-B1F9-11D1-B50C-0060085C418E}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\sdntdrv.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{6C68A7F7-6C82-11D2-BD50-E05AD2000000}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\DrvList.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{71A72348-25D2-428F-BCC6-F5D0C6C0EDEC}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{71AD9F15-B2E1-11D1-B50F-0060085C418E}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\MapViewSnapin.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7AF322C5-AB43-11D4-A00B-0050DA18DE71}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\InfoWindow.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8051E3F7-B752-42C8-AEA7-4CC1D125D49B}" refers to invalid object "C:\Program Files\Spyware Doctor\spydoctor.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{87FE4C63-7D87-11D2-BE60-00A0244D2D22}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\AnalysisSI.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8847C5C1-E2C5-11D3-B882-0010A404098C}" refers to invalid object "C:\Program Files\BackWeb\BackWeb Client\6.1.0.153\Program\BWCmndr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{989B35ED-5AC3-413F-825A-51C5A67D4065}" refers to invalid object "C:\csscod\cssav.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9E93C96F-CF0D-43F6-8BA8-B807A3370712}" refers to invalid object "C:\Program Files\iTunes\iTunes.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A10D8738-B424-49F5-AE07-682C60F77D12}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LXBurnCom.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A1CE1F98-0184-45C5-B49D-F6053174EAC7}" refers to invalid object "C:\Program Files\AnswerWorks 4.0\awApi4.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{AAAC38BC-EA36-4410-9FD6-B27E7C1DE4F6}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\inst2.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{BB993E37-06AF-46E3-A583-87A2668F1769}" refers to invalid object "C:\Program Files\Yadio Media Player\yadioweb.EXE". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C1A95B70-E795-11D4-B96F-0010A4FBBFC9}" refers to invalid object "C:\Program Files\BackWeb\BackWeb Client\6.1.0.153\Program\BWCHelpr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{CD4E67C1-F4F4-4646-845E-AEAE188A261A}" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\DVD\LudfRdr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DCB43485-19FB-4D6D-BB3D-73C7F48D5F00}" refers to invalid object "C:\Program Files\Messenger\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{E327CD25-7845-11D4-8C24-00104BF6CAF3}" refers to invalid object "C:\Program Files\Common Files\Macromedia\SCS DLLs\VBaddin.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{E9905F20-8417-11D2-B364-00805FCD3EFB}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\SDResults.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{FD0AE520-61C2-11D2-B980-00805FCDA1A3}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\OptionsViewSnapin.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{FD0AE535-61C2-11D2-B980-00805FCDA1A3}" refers to invalid object "C:\Program Files\Norton SystemWorks\Speed Disk\ScheduleSI.dll". Action Taken: No Action Taken.
Entry "HKCR\Ares.CollectionList\shell\open\command" refers to invalid object ""F:\Program Files\Ares Lite Edition\AresLite.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\arlnk\shell\open\command" refers to invalid object ""F:\Program Files\Ares Lite Edition\AresLite.exe" "%L"". Action Taken: No Action Taken.
Entry "HKCR\bmpFile\shell\open\command" refers to invalid object "C:\Program Files\ArcSoft\My Photo Center\PhotoStudio\photostudio.exe %1". Action Taken: No Action Taken.
Entry "HKCR\jpeFile\shell\open\command" refers to invalid object "C:\Program Files\ArcSoft\My Photo Center\PhotoStudio\photostudio.exe %1". Action Taken: No Action Taken.
Entry "HKCR\NeroMediaPlayer.File\shell\open\command" refers to invalid object ""C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroMediaPlayer.Playlist\shell\open\command" refers to invalid object ""C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\psfFile\shell\open\command" refers to invalid object "C:\Program Files\ArcSoft\My Photo Center\PhotoStudio\photostudio.exe %1". Action Taken: No Action Taken.
Entry "HKCR\RogerWilco.Audio.1\shell\open\command" refers to invalid object "C:\PROGRA~1\ROGERW~1\roger.exe /play %1". Action Taken: No Action Taken.
Entry "HKCR\RogerWilco.Channel.1\shell\open\command" refers to invalid object "C:\PROGRA~1\ROGERW~1\roger.exe /file %1". Action Taken: No Action Taken.
Entry "HKCR\Shareaza.Collection\shell\open\command" refers to invalid object ""F:\Program Files\Shareaza\Shareaza.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\Shareaza.SkinInfoExtractor.1" refers to invalid object "{0EEDB912-C5FA-486F-8334-57288578C627}". Action Taken: No Action Taken.
Entry "HKCR\ShareazaSkinFile\shell\open\command" refers to invalid object ""F:\Program Files\Shareaza\Skins\skin.exe" "%1"". Action Taken: No Action Taken.
File F:\areslite181.exe tagged as "not-a-virus:AdWare.Win32.NavExcel.d". Action Taken: No Action Taken.
  • 0
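A triage helper for scan logs in the format quoted above, added here as an example; it is not a tool from this thread or from the scanner vendor. It assumes only the three finding shapes visible in the log (Object ... found, Entry ... refers to invalid object, File ... tagged as); the sample lines are constructed in that format, and the function names are mine.

```python
"""Triage helper for a scan log in the format quoted above.

Added example, not a tool from this thread or from the scanner vendor. It
recognises the three finding shapes the log uses and summarises them so a
long log can be read at a glance: what was detected, which registry entries
point at files that no longer exist, and how much was left unhandled.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the scan output quoted in the thread.
SAMPLE_LOG = r'''Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "midaddle Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BundleLite.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{36baa44a-1a0f-4f42-bc23-8ff14c0eedee}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4437bcea-cf66-4322-8508-8059c674b7c7}" refers to invalid object "C:\WINDOWS\system32\fkgkl.dll". Action Taken: No Action Taken.
Entry "HKCR\Ares.CollectionList\shell\open\command" refers to invalid object ""F:\Program Files\Ares Lite Edition\AresLite.exe" "%1"". Action Taken: No Action Taken.
File F:\areslite181.exe tagged as "not-a-virus:AdWare.Win32.NavExcel.d". Action Taken: No Action Taken.
'''

# Every finding line ends with "Action Taken: <what>." so the action is captured
# the same way in all three shapes. The invalid-object target may itself contain
# quotes (quoted command lines), so it is matched greedily up to the final
# '". Action Taken:'.
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)! Action Taken: (?P<action>.+?)\.?$')
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>.*)"\. Action Taken: (?P<action>.+?)\.?$')
FILE_RE = re.compile(r'^File (?P<path>.+?) tagged as "(?P<tag>[^"]+)"\. Action Taken: (?P<action>.+?)\.?$')


def parse_line(line):
    """Return a dict for one finding line, or None for any other line."""
    for kind, pattern in (("object", OBJECT_RE), ("entry", ENTRY_RE), ("file", FILE_RE)):
        m = pattern.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def parse_log(text):
    """Collect every recognised finding, skipping headers and other noise."""
    findings = []
    for raw in text.splitlines():
        found = parse_line(raw.strip())
        if found:
            findings.append(found)
    return findings


def summarize(findings):
    """Group findings: counts per shape, adware families, dangling targets."""
    by_kind = Counter(f["kind"] for f in findings)
    families = Counter(f["name"] for f in findings if f["kind"] == "object")
    dangling = defaultdict(list)  # missing file -> registry keys still naming it
    for f in findings:
        if f["kind"] == "entry":
            dangling[f["target"]].append(f["key"])
    tagged = [(f["path"], f["tag"]) for f in findings if f["kind"] == "file"]
    unactioned = sum(1 for f in findings if f["action"] == "No Action Taken")
    return {
        "by_kind": dict(by_kind),
        "families": dict(families),
        "dangling": dict(dangling),
        "tagged_files": tagged,
        "unactioned": unactioned,
    }


def clsid_targets(findings):
    """Missing files still registered as COM classes under HKCR\\CLSID.

    Several CLSIDs naming one vanished DLL is the usual footprint of a
    removed browser helper object; these are the entries worth a second look.
    """
    dangling = summarize(findings)["dangling"]
    return {t: keys for t, keys in dangling.items()
            if any(k.upper().startswith("HKCR\\CLSID\\") for k in keys)}


if __name__ == "__main__":
    findings = parse_log(SAMPLE_LOG)
    summary = summarize(findings)
    print(summary["by_kind"], summary["unactioned"], "left unhandled")
    for target, keys in clsid_targets(findings).items():
        print(f"{target}: referenced by {len(keys)} CLSID key(s)")
```

Feed it the whole log (`parse_log(open(path).read())`) and look first at `dangling`: a single missing DLL referenced from several CLSIDs, as in the sample, tells the helper what the earlier removal left behind, while `unactioned` equal to the total confirms the scanner was run in report-only mode.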

#72
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. Update your Ewido definitions

B. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing, uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now", then click "Connect".
    • It will check for any updates. If any are found, click "OK" to download and install the updates. Once it has finished, click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Scan within archives"
        • "Select drives & folders to scan" - select your hard drive(s).
        • "Scan active processes"
        • "Scan registry"
        • "Deep-scan registry"
        • "Scan my IE favorites for banned URLs"
        • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Move deleted files to Recycle Bin"
        • "Include additional object information"
        • "Include negligible objects information"
        • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them:
        • "Default homepage"
        • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

C. Reboot your system into Safe Mode

D. Run Ewido and post the Ewido log along with a fresh HJT log.

Regards,

Trevuren

  • 0
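One way to check that a posted Ad-Aware SE log actually reflects the configuration asked for in the post above, added here as an example; it is not a tool from this thread, from Geeks to Go or from Lavasoft. It assumes only the line shapes Ad-Aware SE prints in its log header and settings sections ("Logfile Created on:", "Using definitions file:", "Set : ..."); the sample excerpt is constructed in that format with one setting deliberately left out, and the function names are mine.

```python
"""Checks an Ad-Aware SE log against the settings checklist in the post above.

Added example, not a tool from this thread or from Lavasoft. It reads the
"Set : ..." lines the scanner prints and reports which requested settings are
absent, and how old the definitions were on the day of the scan.
"""
import re
from datetime import datetime

# Settings the instructions ask for, spelled as the instructions spell them;
# the log prints some in different case, so matching below is case-insensitive.
REQUIRED_SETTINGS = [
    "Move deleted files to Recycle Bin",
    "Safe Mode (always request confirmation)",
    "Scan within archives",
    "Scan active processes",
    "Scan registry",
    "Deep-scan registry",
    "Scan my IE favorites for banned URLs",
    "Scan my Hosts file",
    "Include basic Ad-Aware settings in log file",
    "Include additional Ad-Aware settings in log file",
    "Include reference summary in log file",
    "Include alternate data stream details in log file",
    "Unload recognized processes & modules during scan",
    "Scan registry for all users instead of current user only",
    "Obtain command line of scanned processes",
    "Always try to unload modules before deletion",
    "During removal, unload Explorer and IE if necessary",
    "Let Windows remove files in use at next reboot",
    "Delete quarantined objects after restoring",
]

# Constructed excerpt in the format the scanner prints; "Deep-scan registry"
# is deliberately left out so the check has something to report.
SAMPLE_LOG = """\
Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, November 06, 2005 1:19:48 PM
Using definitions file:SE1R73 03.11.2005

Ad-Aware SE Settings
===========================
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
"""

SET_RE = re.compile(r"^Set\s*:\s*(?P<setting>.+?)\s*$")
CREATED_RE = re.compile(r"^Logfile Created on:\s*(?P<when>.+?)\s*$")
DEFS_RE = re.compile(r"^Using definitions file:\s*(?P<ref>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})")


def enabled_settings(log_text):
    """Every setting the log reports as set, exactly as printed."""
    found = set()
    for line in log_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            found.add(m.group("setting"))
    return found


def missing_settings(log_text, required=REQUIRED_SETTINGS):
    """Requested settings the log does not show, in checklist order."""
    have = {s.casefold() for s in enabled_settings(log_text)}
    return [s for s in required if s.casefold() not in have]


def definitions_age_days(log_text):
    """Days between the definitions date and the log's creation date (None if absent)."""
    created = defs_date = None
    for line in log_text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created = datetime.strptime(m.group("when"), "%A, %B %d, %Y %I:%M:%S %p").date()
        m = DEFS_RE.match(line)
        if m:
            defs_date = datetime.strptime(m.group("date"), "%d.%m.%Y").date()
    if created is None or defs_date is None:
        return None
    return (created - defs_date).days
```

The settings only appear in the log when "Include basic Ad-Aware settings in log file" and "Include additional Ad-Aware settings in log file" were themselves switched on, which is why the checklist asks for them: without those two lines there is nothing to compare against, and `missing_settings` will report the whole list. A definitions age above the 7 days the checklist sets for the update prompt is the other thing worth flagging before reading the findings.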

#73
biggun1234

biggun1234

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Hey Trevuren, how's it going? Well, unfortunately the Ewido trial version is up, so I didn't run that scan. Any suggestions?

Here is the ad-aware scan. It scanned fairly quickly with only 4 critical objects!

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, November 06, 2005 1:19:48 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R73 03.11.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R71 19.10.2005
Internal build : 83
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 536446 Bytes
Total size : 1605851 Bytes
Signature data size : 1572346 Bytes
Reference data size : 32993 Bytes
Signatures total : 44624
CSI Fingerprints total : 1056
CSI data size : 37714 Bytes
Target categories : 15
Target families : 763

11-6-2005 12:37:18 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R73 03.11.2005
Internal build : 85
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 541521 Bytes
Total size : 1624315 Bytes
Signature data size : 1590701 Bytes
Reference data size : 33102 Bytes
Signatures total : 45108
CSI Fingerprints total : 1068
CSI data size : 38355 Bytes
Target categories : 15
Target families : 769


11-6-2005 12:37:29 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:25 %
Total physical memory:523808 kb
Available physical memory:125796 kb
Total page file size:1270344 kb
Available on page file:1011400 kb
Total virtual memory:2097024 kb
Available virtual memory:2021888 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-6-2005 1:19:48 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 564
ThreadCreationTime : 11-6-2005 5:57:46 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 628
ThreadCreationTime : 11-6-2005 5:57:49 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 660
ThreadCreationTime : 11-6-2005 5:57:59 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 704
ThreadCreationTime : 11-6-2005 5:57:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 716
ThreadCreationTime : 11-6-2005 5:57:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
ModuleName : C:\WINDOWS\System32\Ati2evxx.exe
Command Line : C:\WINDOWS\System32\Ati2evxx.exe
ProcessID : 872
ThreadCreationTime : 11-6-2005 5:58:01 AM
BasePriority : Normal


#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 884
ThreadCreationTime : 11-6-2005 5:58:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 964
ThreadCreationTime : 11-6-2005 5:58:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1056
ThreadCreationTime : 11-6-2005 5:58:02 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1100
ThreadCreationTime : 11-6-2005 5:58:02 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1152
ThreadCreationTime : 11-6-2005 5:58:02 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ati2evxx.exe]
ModuleName : C:\WINDOWS\system32\Ati2evxx.exe
Command Line : Ati2evxx.exe -Client
ProcessID : 1488
ThreadCreationTime : 11-6-2005 5:58:05 AM
BasePriority : Normal


#:13 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1548
ThreadCreationTime : 11-6-2005 5:58:05 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:14 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1636
ThreadCreationTime : 11-6-2005 5:58:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [avgamsvr.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 1896
ThreadCreationTime : 11-6-2005 5:58:14 AM
BasePriority : Normal
FileVersion : 7,1,0,357
ProductVersion : 7.1.0.357
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:16 [avgupsvc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 1916
ThreadCreationTime : 11-6-2005 5:58:19 AM
BasePriority : Normal
FileVersion : 7,1,0,349
ProductVersion : 7.1.0.349
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:17 [cdac11ba.exe]
ModuleName : C:\WINDOWS\system32\drivers\CDAC11BA.EXE
Command Line : C:\WINDOWS\system32\drivers\CDAC11BA.EXE
ProcessID : 1960
ThreadCreationTime : 11-6-2005 5:58:20 AM
BasePriority : Normal
FileVersion : 4.20.020
ProductVersion : 4.20.020 Windows NT 2002/12/10
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:18 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 1996
ThreadCreationTime : 11-6-2005 5:58:20 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:19 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 248
ThreadCreationTime : 11-6-2005 5:58:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [wrsssdk.exe]
ModuleName : C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Command Line : "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe"
ProcessID : 296
ThreadCreationTime : 11-6-2005 5:58:22 AM
BasePriority : Normal
FileVersion : 2,0,3,364
ProductVersion : 2, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright © 2002 - 2005, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:21 [avgcc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 552
ThreadCreationTime : 11-6-2005 5:58:27 AM
BasePriority : Normal
FileVersion : 7,1,0,355
ProductVersion : 7.1.0.355
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:22 [avgemc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 588
ThreadCreationTime : 11-6-2005 5:58:28 AM
BasePriority : Normal
FileVersion : 7,1,0,362
ProductVersion : 7.1.0.362
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:23 [qttask.exe]
ModuleName : C:\Program Files\QuickTime\qttask.exe
Command Line : "C:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 596
ThreadCreationTime : 11-6-2005 5:58:28 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:24 [camtray.exe]
ModuleName : C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
Command Line : "C:\Program Files\Creative\Shared Files\CAMTRAY.EXE"
ProcessID : 332
ThreadCreationTime : 11-6-2005 5:58:29 AM
BasePriority : Normal
FileVersion : 3.50.08
ProductVersion : 3.50
ProductName : Creative Cam Detector
CompanyName : Creative Technology Ltd
FileDescription : Creative Camera Launcher Application
InternalName : Creative Camera Launcher Application
LegalCopyright : Copyright © Creative Technology Ltd., 2002-2004. All rights reserved.
OriginalFilename : CamTray.EXE

#:25 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 924
ThreadCreationTime : 11-6-2005 5:58:32 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:26 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 2308
ThreadCreationTime : 11-6-2005 6:00:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:27 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2556
ThreadCreationTime : 11-6-2005 8:37:04 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:28 [iexplore.exe]
ModuleName : C:\Program Files\Internet Explorer\IEXPLORE.EXE
Command Line : "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
ProcessID : 1784
ThreadCreationTime : 11-6-2005 9:09:56 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:29 [winamp.exe]
ModuleName : F:\Program Files\Winamp\winamp.exe
Command Line : "F:\Program Files\Winamp\winamp.exe"
ProcessID : 3576
ThreadCreationTime : 11-6-2005 9:11:08 PM
BasePriority : Normal
FileVersion : 5.05
ProductVersion : 5.05
ProductName : Winamp
CompanyName : Nullsoft
FileDescription : Winamp
InternalName : WINAMP
LegalCopyright : Copyright © 1997-2004, Nullsoft, Inc.
LegalTrademarks : Nullsoft and Winamp are trademarks of Nullsoft, Inc.
OriginalFilename : Winamp.exe
Comments : Visit http://www.winamp.com/ for updates.

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:owner@realmedia.com/
Expires : 12-31-2020 4:00:00 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@adserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:owner@ads.revsci.net/adserver
Expires : 12-7-2005 1:22:28 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:owner@media.adrevolver.com/adrevolver/
Expires : 7-28-2008 2:12:46 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@adrevolver[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:owner@adrevolver.com/
Expires : 11-6-2006 8:23:34 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\!Submit\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\2004\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Cakewalk Projects\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Digidesign Databases\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\FOUND.000\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Incomplete\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Installation Files\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\msdownld.tmp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\music\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\musicdump\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\My Shared Folder\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Norton\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Program Files\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\System Volume Information\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\Valve\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for F:\wowowowowwowoow\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
684 entries scanned.
New critical objects:0
Objects found so far: 4




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

1:52:03 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:32:14.610
Objects scanned:216884
Objects identified:4
Objects ignored:0
New critical objects:4

Here is the new HJT log (I ran this in normal mode, not safe mode):

Logfile of HijackThis v1.99.1
Scan saved at 2:00:47 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
F:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office1\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#74
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Ewido can still be run after the trial period has elapsed. You manually update the definitions, which are available on the Ewido site.

Please try to run it and post the resulting log.


Regards,

Trevuren

  • 0

#75
biggun1234

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Ok, cool, it did work. Here is the newest ewido scan.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:35:26 PM, 11/6/2005
+ Report-Checksum: 40652466

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup


::Report End


HJT LOG (in normal mode again):

Logfile of HijackThis v1.99.1
Scan saved at 3:43:20 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0