Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help getting rid of aze search [RESOLVED]


  • This topic is locked This topic is locked

#1
jfhskh

jfhskh

    New Member

  • Member
  • Pip
  • 5 posts
I have already run adware, ewido, windows updates, etc. and still can't get rid of it. here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:53:35 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Aornum] C:\Program Files\Ornum\Aornum1\1.bin\Aornum.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Shannon\LOCALS~1\Temp\ICD2.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Shannon\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - HKLM\..\Run: [lxU.exe] c:\windows\system32\lxU.exe
O4 - HKLM\..\Run: [ek] C:\windows\system32\ek.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MwugNv2pn] C:\windows\system32\MwugNv2pn.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [qabmop] c:\windows\system32\mhdjdl.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [msresearch] c:\windows\msresearch.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldw...mines/mines.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40443.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...42037/sb026.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.co...pside_web18.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c6.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtange...all/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {4BF7A372-9004-4CD5-9E91-1FDCC03CA8A9} (Eyeball Video Messaging Control) - http://imlive.com/ch...e/vmcontrol.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131442478453
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab?
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v45/wof/wof.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...kII/install.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.ouchvideo.../c8/svcmm32.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\kjdsp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I hope you can help.
  • 0

Advertisements


#2
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, jfhskh.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

  • 0

#3
jfhskh

jfhskh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I am sorry that it has taken me so long to get back to you, butI have had a very busy week. I'll try to be more prompt next time. I do appreciate any and all help ypu can give me.

Here is the printout from the L2mfix that you asked for:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kgdno1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o8480ihue8480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9507CF11-CAE3-5444-482E-6CFC4096967B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"Default"="Evidence Eliminator Shell Extension"
"{B1816445-A3ED-11D3-B2B3-00104B4C6B08}"="Evidence Eliminator Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B5FB6487-7E79-4816-B73B-8A65E41971DA}"="BullGuard Antivirus v4"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BC92BA92-23D9-49D1-BCB5-28741F30C38B}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BC92BA92-23D9-49D1-BCB5-28741F30C38B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC92BA92-23D9-49D1-BCB5-28741F30C38B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC92BA92-23D9-49D1-BCB5-28741F30C38B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC92BA92-23D9-49D1-BCB5-28741F30C38B}\InprocServer32]
@="C:\\WINDOWS\\system32\\piapi.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
nntui0.dll Thu Nov 10 2005 12:12:10p ..S.R 233,646 228.17 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
q468le~1.dll Thu Nov 10 2005 3:45:46a ..S.R 236,600 231.05 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K

26 items found: 26 files (2 H/S), 0 directories.
Total of file sizes: 23,426,790 bytes 22.34 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Thu Nov 10 2005 12:14:10p ..S.R 233,646 228.17 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233,646 bytes 228.17 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 844C-A716

Directory of C:\WINDOWS\System32

11/10/2005 12:14 PM 233,646 guard.tmp
11/10/2005 12:12 PM 233,646 nntui0.dll
11/10/2005 03:45 AM 236,600 q468leju1ho8.dll
05/10/2002 06:53 PM <DIR> Microsoft
3 File(s) 703,892 bytes
1 Dir(s) 5,904,740,352 bytes free


Hopefully this helps.
  • 0

#4
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, jfhskh.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also include a fresh Hijackthis log, please. :tazz:
  • 0

#5
jfhskh

jfhskh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here is the web root spy sweeper log you asked for:

********
1:45 AM: | Start of Session, Monday, November 14, 2005 |
1:45 AM: Spy Sweeper started
1:45 AM: Sweep initiated using definitions version 556
1:45 AM: Starting Memory Sweep
1:48 AM: Memory Sweep Complete, Elapsed Time: 00:02:44
1:48 AM: Starting Registry Sweep
1:48 AM: Found Adware: altnet
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/adm.exe\ (ID = 103506)
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/adm4.dll\ (ID = 103507)
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/admdata.dll\ (ID = 103508)
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/admdloader.dll\ (ID = 103509)
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/admfdi.dll\ (ID = 103510)
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/admprog.dll\ (ID = 103511)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\adm.exe (ID = 103519)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\adm4.dll (ID = 103520)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admdata.dll (ID = 103521)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admdloader.dll (ID = 103522)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admfdi.dll (ID = 103523)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admprog.dll (ID = 103524)
1:48 AM: Found Adware: azsearch toolbar
1:48 AM: HKCR\addressbar.loader.1\ (3 subtraces) (ID = 103884)
1:48 AM: HKCR\addressbar.loader\ (5 subtraces) (ID = 103885)
1:48 AM: HKCR\azentretien.loader\ (5 subtraces) (ID = 103886)
1:48 AM: HKCR\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}\ (11 subtraces) (ID = 103887)
1:48 AM: HKCR\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}\ (11 subtraces) (ID = 103891)
1:48 AM: HKCR\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}\ (20 subtraces) (ID = 103893)
1:48 AM: HKCR\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (11 subtraces) (ID = 103895)
1:48 AM: HKCR\clsid\{f65b197f-8260-4d52-909a-f70118e646eb}\ (11 subtraces) (ID = 103896)
1:48 AM: HKLM\software\azentretienco\ (3 subtraces) (ID = 103905)
1:48 AM: HKLM\software\classes\addressbar.loader.1\ (3 subtraces) (ID = 103907)
1:48 AM: HKLM\software\classes\addressbar.loader\ (5 subtraces) (ID = 103908)
1:48 AM: HKLM\software\classes\azentretien.loader.1\ (3 subtraces) (ID = 103909)
1:48 AM: HKLM\software\classes\azentretien.loader\ (5 subtraces) (ID = 103910)
1:48 AM: HKLM\software\classes\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}\ (11 subtraces) (ID = 103911)
1:48 AM: HKLM\software\classes\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}\ (11 subtraces) (ID = 103915)
1:48 AM: HKLM\software\classes\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}\ (20 subtraces) (ID = 103917)
1:48 AM: HKLM\software\classes\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (11 subtraces) (ID = 103919)
1:48 AM: HKLM\software\classes\clsid\{f65b197f-8260-4d52-909a-f70118e646eb}\ (11 subtraces) (ID = 103920)
1:48 AM: HKLM\software\classes\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}\ (9 subtraces) (ID = 103932)
1:48 AM: HKLM\software\classes\typelib\{dea43ce3-d57b-45f6-a4d1-110e652ced11}\ (9 subtraces) (ID = 103934)
1:48 AM: HKLM\software\loaderco\ (3 subtraces) (ID = 103942)
1:48 AM: HKLM\software\microsoft\code store database\distribution units\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}\ (9 subtraces) (ID = 103943)
1:48 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {a19ef336-01d4-48e6-926a-fe7e1c747aed} (ID = 103945)
1:48 AM: HKCR\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}\ (9 subtraces) (ID = 103955)
1:48 AM: HKCR\typelib\{dea43ce3-d57b-45f6-a4d1-110e652ced11}\ (9 subtraces) (ID = 103957)
1:48 AM: Found Adware: broadcastpc
1:48 AM: HKLM\software\microsoft\windows\currentversion\run\ || tvs_b (ID = 104990)
1:48 AM: Found Adware: gsim
1:48 AM: HKLM\software\microsoft\windows\currentversion\uninstall\gsim\ (2 subtraces) (ID = 127019)
1:48 AM: Found Adware: hotnow
1:48 AM: HKLM\software\pmx\ (1 subtraces) (ID = 127698)
1:48 AM: Found Adware: my daily horoscope
1:48 AM: HKLM\software\microsoft\windows\currentversion\run\ || usb controller (ID = 135393)
1:48 AM: Found Adware: popup killer
1:48 AM: HKCR\popupkiller.allowedpopups\ (3 subtraces) (ID = 136781)
1:48 AM: HKCR\clsid\{36d53c28-890e-11d6-b265-a0bc4ec10000}\ (9 subtraces) (ID = 136782)
1:48 AM: HKCR\interface\{36d53c26-890e-11d6-b265-a0bc4ec10000}\ (8 subtraces) (ID = 136783)
1:48 AM: HKCR\typelib\{36d53c25-890e-11d6-b265-a0bc4ec10000}\ (9 subtraces) (ID = 136784)
1:48 AM: Found Adware: targetsoft
1:48 AM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
1:48 AM: Found Adware: targetsaver
1:48 AM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
1:48 AM: Found Adware: abetterinternet
1:48 AM: HKLM\software\microsoft\windows\currentversion\run\ || satmat (ID = 146059)
1:48 AM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 146140)
1:48 AM: Found Adware: wildmedia
1:48 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wbcm\ (4 subtraces) (ID = 146959)
1:48 AM: Found Adware: winad
1:48 AM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
1:48 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
1:48 AM: Found Adware: 180search assistant/zango
1:48 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\zangolib.dll (ID = 147913)
1:48 AM: Found Adware: sp2ms
1:48 AM: HKLM\software\microsoft\windows\currentversion\run\ || msresearch (ID = 754357)
1:48 AM: HKU\WRSS_Profile_S-1-5-21-240772092-126639907-2800509490-500\software\aurora\ (18 subtraces) (ID = 360174)
1:48 AM: HKU\S-1-5-21-240772092-126639907-2800509490-1005\software\pmx\ (2 subtraces) (ID = 127697)
1:48 AM: Found Adware: drsnsrch.com hijack
1:48 AM: HKU\S-1-5-21-240772092-126639907-2800509490-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
1:48 AM: HKU\S-1-5-21-240772092-126639907-2800509490-1005\software\ultimate popup killer\ (3 subtraces) (ID = 136785)
1:48 AM: HKU\S-1-5-21-240772092-126639907-2800509490-1005\software\microsoft\windows\currentversion\run\ || ultimate popup killer (ID = 136786)
1:48 AM: HKU\S-1-5-21-240772092-126639907-2800509490-1005\software\tsl2\ (1 subtraces) (ID = 143616)
1:48 AM: Found Adware: iwon
1:48 AM: HKU\S-1-5-18\software\{95d56630-2c38-4f0c-8c92-54b79ef9ca78}\ (2 subtraces) (ID = 129313)
1:48 AM: Registry Sweep Complete, Elapsed Time:00:00:30
1:48 AM: Starting Cookie Sweep
1:48 AM: Found Spy Cookie: 2o7.net cookie
1:48 AM: shannon@2o7[2].txt (ID = 1957)
1:48 AM: Found Spy Cookie: hbmediapro cookie
1:48 AM: shannon@adopt.hbmediapro[2].txt (ID = 2768)
1:48 AM: Found Spy Cookie: falkag cookie
1:48 AM: shannon@as-us.falkag[1].txt (ID = 2650)
1:48 AM: Found Spy Cookie: ask cookie
1:48 AM: shannon@ask[2].txt (ID = 2245)
1:48 AM: Found Spy Cookie: atwola cookie
1:48 AM: shannon@atwola[1].txt (ID = 2255)
1:48 AM: Found Spy Cookie: azjmp cookie
1:48 AM: shannon@azjmp[2].txt (ID = 2270)
1:48 AM: Found Spy Cookie: belnk cookie
1:48 AM: shannon@belnk[1].txt (ID = 2292)
1:48 AM: Found Spy Cookie: tickle cookie
1:48 AM: shannon@cookie.tickle[1].txt (ID = 3530)
1:48 AM: shannon@dist.belnk[2].txt (ID = 2293)
1:48 AM: Found Spy Cookie: go.com cookie
1:48 AM: shannon@go[1].txt (ID = 2728)
1:48 AM: Found Spy Cookie: starware.com cookie
1:48 AM: shannon@h.starware[2].txt (ID = 3442)
1:48 AM: shannon@microsofteup.112.2o7[1].txt (ID = 1958)
1:48 AM: Found Spy Cookie: overture cookie
1:48 AM: shannon@perf.overture[1].txt (ID = 3106)
1:48 AM: Found Spy Cookie: questionmarket cookie
1:48 AM: shannon@questionmarket[1].txt (ID = 3217)
1:48 AM: Found Spy Cookie: realmedia cookie
1:48 AM: shannon@realmedia[1].txt (ID = 3235)
1:48 AM: Found Spy Cookie: rn11 cookie
1:48 AM: shannon@rn11[2].txt (ID = 3261)
1:48 AM: Found Spy Cookie: reliablestats cookie
1:48 AM: shannon@stats1.reliablestats[1].txt (ID = 3254)
1:48 AM: shannon@tickle[1].txt (ID = 3529)
1:48 AM: Found Spy Cookie: tradedoubler cookie
1:48 AM: shannon@tradedoubler[2].txt (ID = 3575)
1:48 AM: shannon@www.disney.go[1].txt (ID = 2729)
1:48 AM: Found Spy Cookie: redzip cookie
1:48 AM: shannon@www.redzip[1].txt (ID = 3250)
1:48 AM: shannon@www.starware[1].txt (ID = 3442)
1:48 AM: Found Spy Cookie: adserver cookie
1:48 AM: shannon@z1.adserver[1].txt (ID = 2142)
1:48 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:48 AM: Starting File Sweep
1:48 AM: Found Adware: websearch toolbar
1:48 AM: c:\program files\common files\wintools (ID = -2147480046)
1:48 AM: c:\program files\tvs (9 subtraces) (ID = -2147477469)
1:48 AM: Found Adware: hotbar
1:48 AM: c:\program files\hbinst (ID = -2147480873)
1:48 AM: Found Adware: keenvalue/perfectnav
1:48 AM: c:\program files\common files\updmgr (ID = -2147480787)
1:48 AM: Found Adware: gain-supported software
1:48 AM: c:\documents and settings\all users\start menu\programs\gain publishing (1 subtraces) (ID = -2147480950)
1:48 AM: Found Adware: bookedspace
1:48 AM: c:\windows\bsx32 (1 subtraces) (ID = -2147481346)
1:48 AM: c:\program files\common files\tsa (1 subtraces) (ID = -2147480171)
1:49 AM: c:\program files\common files\gmt (5037 subtraces) (ID = -2147480945)
1:49 AM: c:\program files\ornum (5 subtraces) (ID = -2147480792)
1:49 AM: c:\program files\perfectnav (1 subtraces) (ID = -2147480782)
1:49 AM: c:\program files\bpt (ID = -2147481334)
1:50 AM: azesearch.bmp (ID = 50322)
1:50 AM: gmt.exe.manifest (ID = 61434)
1:56 AM: popupkillergun.wav (ID = 72600)
1:57 AM: tvlistings.dll (ID = 51852)
1:59 AM: tab_0.mht (ID = 51850)
2:03 AM: better621.dll (ID = 83158)
2:04 AM: better0503.dll (ID = 83158)
2:05 AM: Found Trojan Horse: trojan-downloader-miewer
2:05 AM: gold.dll (ID = 80754)
2:06 AM: Found Adware: look2me
2:06 AM: a0000168.dll (ID = 163672)
2:07 AM: gsim.inf (ID = 61964)
2:08 AM: egieprocess.dll (ID = 61344)
2:08 AM: 180629.dll (ID = 70473)
2:08 AM: axinterop.shdocvw.dll (ID = 51810)
2:09 AM: bsx32.ini (ID = 51653)
2:10 AM: wbcmuninst_helper.exe (ID = 88922)
2:10 AM: Found Adware: virtualbouncer
2:10 AM: blizzard.dll (ID = 82781)
2:10 AM: wbcmuninst.exe (ID = 88921)
2:11 AM: blizzard621.dll (ID = 82781)
2:12 AM: booknew.dll (ID = 80755)
2:12 AM: tvs_ln.exe (ID = 51858)
2:13 AM: bizzard.dll (ID = 82781)
2:13 AM: tvs_clean.exe (ID = 51856)
2:13 AM: ni.mht (ID = 51847)
2:14 AM: interop.shdocvw.dll (ID = 51845)
2:16 AM: a0000169.dll (ID = 163672)
2:17 AM: bizzard0426.dll (ID = 82781)
2:24 AM: Found Adware: 10 minute site
2:24 AM: 10minsite.exe (ID = 107160)
2:24 AM: 1800411.dll (ID = 70473)
2:24 AM: 1800414.dll (ID = 70473)
2:24 AM: 180621.dll (ID = 70473)
2:25 AM: about gain publishing.lnk (ID = 61270)
2:25 AM: ultimate popup killer.lnk (ID = 72602)
2:26 AM: ultimate popup killer online help.lnk (ID = 72601)
2:27 AM: belt.inf (ID = 83154)
2:27 AM: satmat.ini (ID = 83499)
2:27 AM: satmat.inf (ID = 83498)
2:27 AM: biini.inf (ID = 83199)
2:27 AM: popupkiller.html (ID = 72599)
2:27 AM: padk.url (ID = 72597)
2:27 AM: polmx2.inf (ID = 83430)
2:29 AM: Found System Monitor: potentially rootkit-masked files
2:29 AM: 2004, 2005, cracks, sereils #, hacks, mus (ID = 0)
2:29 AM: cracks & serials - hundreds of serial num (ID = 0)
2:29 AM: 2004, 2005, cracks, sereils #, hacks, mu (ID = 0)
2:29 AM: 2004, 2005, cracks, sereils #, hacks, mu (ID = 0)
2:29 AM: 2004, 2005, cracks, sereils #, hacks, mu (ID = 0)
2:29 AM: cracks & serials - hundreds of serial num (ID = 0)
2:29 AM: cracks & serials - hundreds of serial num (ID = 0)
2:29 AM: cracks & serials - hundreds of serial num (ID = 0)
2:29 AM: cracks & serials - hundreds of serial num (ID = 0)
2:29 AM: 7000 serials cracks.txt (ID = 0)
2:29 AM: Warning: Unhandled Archive Type
2:31 AM: Warning: Unhandled Archive Type
2:31 AM: Warning: Unhandled Archive Type
2:32 AM: Warning: Unhandled Archive Type
2:32 AM: Warning: Unhandled Archive Type
2:33 AM: Warning: Invalid Stream
2:40 AM: Warning: Invalid Stream
2:40 AM: Warning: Invalid Stream
2:40 AM: Warning: Invalid Stream
2:40 AM: Warning: Invalid Stream
2:44 AM: ultimate popup killer online help.lnk (ID = 72597)
2:44 AM: File Sweep Complete, Elapsed Time: 00:56:07
2:44 AM: Full Sweep has completed. Elapsed time 00:59:36
2:44 AM: Traces Found: 5498
2:49 AM: Removal process initiated
2:49 AM: Quarantining All Traces: potentially rootkit-masked files
2:49 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
2:49 AM: 2004, 2005, cracks, sereils #, hacks, mus is in use. It will be removed on reboot.
2:49 AM: cracks & serials - hundreds of serial num is in use. It will be removed on reboot.
2:49 AM: 2004, 2005, cracks, sereils #, hacks, mu is in use. It will be removed on reboot.
2:49 AM: 2004, 2005, cracks, sereils #, hacks, mu is in use. It will be removed on reboot.
2:49 AM: 2004, 2005, cracks, sereils #, hacks, mu is in use. It will be removed on reboot.
2:49 AM: cracks & serials - hundreds of serial num is in use. It will be removed on reboot.
2:49 AM: cracks & serials - hundreds of serial num is in use. It will be removed on reboot.
2:49 AM: cracks & serials - hundreds of serial num is in use. It will be removed on reboot.
2:49 AM: cracks & serials - hundreds of serial num is in use. It will be removed on reboot.
2:49 AM: 7000 serials cracks.txt is in use. It will be removed on reboot.
2:49 AM: Quarantining All Traces: abetterinternet
2:49 AM: Quarantining All Traces: look2me
2:49 AM: Quarantining All Traces: websearch toolbar
2:49 AM: Quarantining All Traces: 10 minute site
2:49 AM: Quarantining All Traces: 180search assistant/zango
2:49 AM: Quarantining All Traces: altnet
2:49 AM: Quarantining All Traces: azsearch toolbar
2:49 AM: Quarantining All Traces: bookedspace
2:49 AM: Quarantining All Traces: broadcastpc
2:49 AM: Quarantining All Traces: drsnsrch.com hijack
2:49 AM: Quarantining All Traces: gain-supported software
2:50 AM: Quarantining All Traces: gsim
2:50 AM: Quarantining All Traces: hotbar
2:50 AM: Quarantining All Traces: hotnow
2:50 AM: Quarantining All Traces: iwon
2:50 AM: Quarantining All Traces: keenvalue/perfectnav
2:50 AM: Quarantining All Traces: my daily horoscope
2:50 AM: Quarantining All Traces: popup killer
2:50 AM: popup killer is in use. It will be removed on reboot.
2:50 AM: ultimate popup killer online help.lnk is in use. It will be removed on reboot.
2:50 AM: Quarantining All Traces: sp2ms
2:50 AM: Quarantining All Traces: targetsaver
2:50 AM: Quarantining All Traces: targetsoft
2:50 AM: Quarantining All Traces: trojan-downloader-miewer
2:50 AM: Quarantining All Traces: virtualbouncer
2:50 AM: Quarantining All Traces: wildmedia
2:50 AM: Quarantining All Traces: winad
2:50 AM: Quarantining All Traces: 2o7.net cookie
2:50 AM: Quarantining All Traces: adserver cookie
2:50 AM: Quarantining All Traces: ask cookie
2:50 AM: Quarantining All Traces: atwola cookie
2:50 AM: Quarantining All Traces: azjmp cookie
2:50 AM: Quarantining All Traces: belnk cookie
2:50 AM: Quarantining All Traces: falkag cookie
2:50 AM: Quarantining All Traces: go.com cookie
2:50 AM: Quarantining All Traces: hbmediapro cookie
2:50 AM: Quarantining All Traces: overture cookie
2:50 AM: Quarantining All Traces: questionmarket cookie
2:50 AM: Quarantining All Traces: realmedia cookie
2:50 AM: Quarantining All Traces: redzip cookie
2:50 AM: Quarantining All Traces: reliablestats cookie
2:50 AM: Quarantining All Traces: rn11 cookie
2:50 AM: Quarantining All Traces: starware.com cookie
2:50 AM: Quarantining All Traces: tickle cookie
2:50 AM: Quarantining All Traces: tradedoubler cookie
2:52 AM: Preparing to restart your computer. Please wait...
2:52 AM: Removal process completed. Elapsed time 00:03:03
********
1:41 AM: | Start of Session, Monday, November 14, 2005 |
1:41 AM: Spy Sweeper started
1:43 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:45 AM: | End of Session, Monday, November 14, 2005 |


And here is the fresh HiJackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:06:51 AM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Aornum] C:\Program Files\Ornum\Aornum1\1.bin\Aornum.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Shannon\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - HKLM\..\Run: [lxU.exe] c:\windows\system32\lxU.exe
O4 - HKLM\..\Run: [ek] C:\windows\system32\ek.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MwugNv2pn] C:\windows\system32\MwugNv2pn.exe
O4 - HKLM\..\Run: [qabmop] c:\windows\system32\mhdjdl.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldw...mines/mines.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40443.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...42037/sb026.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.co...pside_web18.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtange...all/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {4BF7A372-9004-4CD5-9E91-1FDCC03CA8A9} (Eyeball Video Messaging Control) - http://imlive.com/ch...e/vmcontrol.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131442478453
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab?
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v45/wof/wof.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...kII/install.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.ouchvideo.../c8/svcmm32.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\kgdno1.dll (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\o8480ihue8480.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

:tazz:
  • 0

#6
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, jfhskh.

You will need to print these instructions out for use in safe mode.

Please reboot into Safe Mode by tapping the F8 key when you turn on your computer. Select Safe Mode from the list that appears.

Once in safe mode please uninstall the following programs from add/remove if they appear:
(Start > Settings > Control Panel > Add/Remove Programs)

MyWebSearch
iWon
Delphin Media Viewer
Target Saver


Then delete the following files/folders:

C:\Program Files\Ornum
C:\Program Files\MyWebSearch
C:\Documents and Settings\Shannon\Local Settings\Temp\rm05040901.Stub.exe
c:\windows\system32\lxU.exe
C:\windows\system32\ek.exe
C:\windows\system32\MwugNv2pn.exe
c:\windows\system32\mhdjdl.exe
C:\Program Files\Common Files\tsa

Then open Hijackthis, scan, and place a checkmark by the following files:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
Sony's vaio support agent, not required to run at startup and is regarded as spyware. I highly reccommend fixing this entry.
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [Aornum] C:\Program Files\Ornum\Aornum1\1.bin\Aornum.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Shannon\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - HKLM\..\Run: [lxU.exe] c:\windows\system32\lxU.exe
O4 - HKLM\..\Run: [ek] C:\windows\system32\ek.exe
O4 - HKLM\..\Run: [MwugNv2pn] C:\windows\system32\MwugNv2pn.exe
O4 - HKLM\..\Run: [qabmop] c:\windows\system32\mhdjdl.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...42037/sb026.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtange...all/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab?
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...kII/install.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.ouchvideo.../c8/svcmm32.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\kgdno1.dll (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\o8480ihue8480.dll (file missing)


Close ALL open windows/browsers and click Fix Checked.

Reboot into normal mode/.

Then also run a virus scan at Kaspersky.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
So I need a fresh Hijackthis log, and also the log from Kaspersky.

Edited by OwNt, 14 November 2005 - 01:17 PM.

  • 0

#7
jfhskh

jfhskh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I could not find the following things to remove them:

iWon
Delphin Media Viewer
Target Saver

and it wouldn't let me remove MyWebSearch.

Also, I could not find these two things when I ran the Hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)


Here is the kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, November 18, 2005 02:56:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/11/2005
Kaspersky Anti-Virus database records: 160464
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 103184
Number of viruses found: 63
Number of infected objects: 168
Number of suspicious objects: 0
Duration of the scan process: 6800 sec

Infected Object Name - Virus Name
C:\113_dollarrevenue_4_0_3_9.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\113_dollarrevenue_4_0_3_9.exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Shannon\Local Settings\Temp\GLF23GLF23.EXE/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Shannon\Local Settings\Temp\GLF23GLF23.EXE Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\5.bin\M3HTML.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f
C:\Program Files\MyWebSearch\bar\5.bin\M3IDLE.DLL Infected: not-a-virus:AdWare.Win32.IWon.a
C:\Program Files\MyWebSearch\bar\5.bin\M3SKIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad
C:\Program Files\MyWebSearch\bar\5.bin\MWSOEPLG.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0738683C Infected: not-a-virus:AdWare.Win32.BetterInternet.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\074262FA Infected: Trojan-Downloader.Win32.Miewer.e
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\079E5E44 Infected: not-a-virus:AdWare.Win32.WinAD.af
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\07B64993 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\09742488 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0AEF41DF.exe Infected: Trojan.Win32.Dialer.mi
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0E1E19F4 Infected: not-a-virus:AdWare.MSIL.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ED71B8F Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\100F0E0D Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\15F76D8A Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\19A40EBB/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\19A40EBB Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A087C42 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A0B263E Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A0E503A Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A127A37 Infected: Trojan-Downloader.Win32.Stubby.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A152433 Infected: not-a-virus:AdWare.Win32.BookedSpace.c
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A184E30 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A1F2228 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A257621 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A2C4A1A/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A2C4A1A/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A2C4A1A Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A2F7416 Infected: not-a-virus:AdWare.Win32.180Solutions
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A321E13 Infected: Trojan-Downloader.Win32.Miewer.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A36480F Infected: Trojan-Downloader.Win32.OneClickNetSearch.g
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1A39720C Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1BA04A0C Infected: not-a-virus:AdWare.Win32.BiSpy.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C601666.exe Infected: Worm.Win32.VB.an
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1D0E4287 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2730060B Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\275C77DB Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27C2382D Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27C90C26 Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27D0601E Infected: not-a-virus:AdWare.Win32.ImiBar.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2A08791E/data0121 Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2A08791E Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2AE00AD0 Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B257143 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2C0A4BA1 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E216566.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\300158EA Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\30173305.class Infected: Trojan.Java.Femad
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\319172C7 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\32C04209 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\33D53608.zip/Beyond.class Infected: Trojan.Java.Femad
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\33D53608.zip/web.exe Infected: Trojan.Win32.Small.ai
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\33D53608.zip Infected: Trojan.Win32.Small.ai
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\36454446/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\36454446 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3668294A Infected: not-a-virus:AdWare.Win32.WhileSurf.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\39C27B7D.exe Infected: Trojan.Win32.Dialer.mi
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B1E7717 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B212114 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B254B10 Infected: Trojan-Dropper.Win32.Agent.hv
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B28750D Infected: not-a-virus:AdWare.Win32.WinFetcher.g
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B2B1F09 Infected: Trojan.Win32.Agent.az
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B2E4905 Infected: not-a-virus:AdWare.Win32.WinAD.af
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B327302 Infected: not-a-virus:AdWare.Win32.BetterInternet.c
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B4F6CE1 Infected: not-a-virus:AdWare.Win32.WinFetcher.g
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B5216DE Infected: not-a-virus:AdWare.Win32.BargainBuddy.j
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B596AD7 Infected: not-a-virus:AdWare.Win32.Wintol.y
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3CAE2D23 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3CBB38BE Infected: Trojan-Dropper.Win32.Small.wc
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3D693EAC Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3DCD1649 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3E4D68CA/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3E4D68CA/data0004 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3E4D68CA/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3E4D68CA Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3E517E08 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\432B439F Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\49E13A07 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4C906950.exe Infected: Trojan.Win32.StartPage.oz
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4D00463C Infected: Trojan-Downloader.Win32.Dyfuca.du
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4D663C43 Infected: not-a-virus:AdWare.Win32.WinAD.af
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\512B1644 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\532010FF Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\53262108.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\538D401B.VBS Infected: Email-Worm.VBS.Gedza
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55717605 Infected: Trojan-Clicker.Win32.VB.ex
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55D86C0D Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\56B84A8F.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5890023A Infected: not-a-virus:AdWare.Win32.WhileSurf.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5A4E5E38 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F6C3A3C Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\613215CD Infected: not-a-virus:AdWare.Win32.Altnet.e
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\613F5F4B Infected: not-a-virus:AdWare.Win32.ImiBar.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6168280B Infected: Trojan-Downloader.Win32.Apropo.r
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\619419DB Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\636A29DB Infected: Trojan-Dropper.Win32.Miewer.f
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\636D53D7 Infected: Trojan.Win32.Agent.ay
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63A51D9A Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63A84797 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63AB7193 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63B2458C Infected: Trojan-Downloader.Win32.Apropo.ab
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63B56F88 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63B81985 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63BB4381 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63BF6D7E Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63C54176 Infected: not-a-virus:AdWare.Win32.BetterInternet.c
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63E33B56 Infected: not-a-virus:AdWare.Win32.BetterInternet.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63E66552 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63EC394B Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63F06348 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63F30D44/data0002 Infected: Trojan.Win32.Agent.az
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63F30D44 Infected: Trojan.Win32.Agent.az
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\63F63740 Infected: Trojan-Downloader.Win32.Miewer.e
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\65082F77 Infected: not-a-virus:AdWare.Win32.Wintol.ab
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\65533E6A Infected: Trojan-Downloader.Win32.Small.jl
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\65566867 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\65D30A9D Infected: not-a-virus:AdWare.Win32.Perfnav.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\668C0C38 Infected: not-a-virus:AdWare.Win32.BargainBuddy.j
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\686143B0 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6BC914C8 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6D022F36 Infected: not-a-virus:AdWare.Win32.Wintol.y
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6D6753DB Infected: not-a-virus:AdWare.Win32.Wintol.y
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\707D6647 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\71D229A1 Infected: not-a-virus:AdWare.Win32.Apropos.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\775950C6 Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\78892009 Infected: Trojan-Dropper.Win32.180Solutions.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7990486C Infected: Trojan.Win32.Agent.az
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7A831F00 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7C0D2245 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7D62659F Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7EAB73A8.dll Infected: Trojan-Downloader.Win32.Miewer.b
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FE07A37 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FE32433 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FE64E2F/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FE64E2F Infected: not-a-virus:AdWare.Win32.Broadcap.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FED2228 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FF04C25 Infected: Trojan-Downloader.Win32.Keenval
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FF37621 Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Program Files\StreamCast\Morpheus\Downloads\gta san andreas full game.exe 1.zip/00010/WMV.exe/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\StreamCast\Morpheus\Downloads\gta san andreas full game.exe 1.zip/00010/WMV.exe/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\StreamCast\Morpheus\Downloads\gta san andreas full game.exe 1.zip/00010/WMV.exe Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\StreamCast\Morpheus\Downloads\gta san andreas full game.exe 1.zip Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Program Files\support.com\client\lserver\backup\Go\gold.dll\75776_5bed0c780_/gold.dll Infected: Trojan-Downloader.Win32.Miewer.a
C:\Program Files\support.com\client\lserver\backup\Go\gold.dll\75776_5bed0c780_ Infected: Trojan-Downloader.Win32.Miewer.a
C:\regular_plugin.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\regular_plugin.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP3\A0000183.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP3\A0000184.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP4\A0000199.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP4\A0000202.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP4\A0002218.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\A0002249.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\A0002250.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\system32\context.dll Infected: Trojan-Downloader.Win32.Miewer.a
C:\WINDOWS\system32\exact2.dll Infected: Trojan-Downloader.Win32.Miewer.a
C:\WINDOWS\system32\golden513.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\system32\golden621.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\system32\guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\system32\nntui0.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\system32\pop0406b.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\system32\pop0426.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\system32\q468leju1ho8.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\WINDOWS\system32\qool414.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\system32\STOPzilla.exe Infected: not-a-virus:AdWare.Win32.AdURL.a

Scan process completed.

Here is the fresh Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:58:55 AM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldw...mines/mines.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40443.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.co...pside_web18.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {4BF7A372-9004-4CD5-9E91-1FDCC03CA8A9} (Eyeball Video Messaging Control) - http://imlive.com/ch...e/vmcontrol.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131442478453
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v45/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

you were right, kaspersky takes a while. :tazz:
  • 0

#8
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, jfhskh.

Are you sure you can't find them? This should be in normal mode where you are trying to fix them, even though they should show up regardless. If can't see them this time could you take a screenshot of Hijackthis by pressing Alt+Print Screen and then pasting it in paint, and uploading it as an attachment.

Please open Hijackthis, scan, and place a checkmark by the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab


Close all open windows/browsers and click Fix Checked.

1) Then download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\113_dollarrevenue_4_0_3_9.exe
C:\Documents and Settings\Shannon\Local Settings\Temp\GLF23GLF23.EXE
C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\5.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\5.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\5.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\5.bin\MWSOEPLG.DLL
C:\Program Files\StreamCast\Morpheus\Downloads\gta san andreas full game.exe 1.zip
C:\Program Files\support.com\client\lserver\backup\Go\gold.dll
C:\regular_plugin.exe
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP3\A0000183.dll
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP3\A0000184.dll
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP4\A0000199.dll
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP4\A0000202.dll
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP4\A0002218.dll
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\A0002249.dll
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\A0002250.dll
C:\WINDOWS\system32\context.dll
C:\WINDOWS\system32\exact2.dll
C:\WINDOWS\system32\golden513.dll
C:\WINDOWS\system32\golden621.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\nntui0.dllb
C:\WINDOWS\system32\pop0406b.dll
C:\WINDOWS\system32\pop0426.dll
C:\WINDOWS\system32\q468leju1ho8.dll
C:\WINDOWS\system32\qool414.dll
C:\WINDOWS\system32\STOPzilla.exe


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Please post back a fresh Hijackthis log.
  • 0

#9
jfhskh

jfhskh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I hope this worked. Here is a fresh Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:53:21 AM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Texas Holdem\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldw...mines/mines.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40443.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.co...pside_web18.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {4BF7A372-9004-4CD5-9E91-1FDCC03CA8A9} (Eyeball Video Messaging Control) - http://imlive.com/ch...e/vmcontrol.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131442478453
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v45/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

:tazz:
Also I was wondering if I could just check off the ones I no longer wanted like the ones that say worldwinner, uproar, disneyblast, and imlive as I don't even know where these came from and never use them, or would that cause more problems? Just wondering.
  • 0

#10
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, jfhskh.

If you want to check off those specific 4 (four) that's fine.

Also, your hijackthis log is now clean!! :tazz:

Please let me know if you experience any more pop-ups. Here are some tips to keep your computer clean.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

  • 0

#11
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP